Skip to main content

Frequently asked questions 2021

Frequently asked questions are answered on this page. If a question is missing or has not been answered sufficiently, please contact our CyberRisk Service Team by email at

Why do i get a request for a cyberrisk rating?

Cyber risks such as IT security, data protection and business continuity are becoming increasingly significant due to digitalisation.
With the CyberRisk Rating, KSV1870 offers a transparent, time-saving process to evaluate companies in these dimensions.
This assessment is often required due to the DSGVO or the NIS law.
As a rated company, you bear no costs and receive an objective picture of your own cyber risk.

How does the cyberrisk rating process work?

The rating consists of an assessment based on 25 requirements of the publicly available KSÖ Cyber Risk Scheme. You can find information on the KSÖ Cyber Risk Scheme at
After finishing the assessment, the positively answered requirements are verified by an independent expert. This expert does not know which company is being assessed.

Is there a time limit by which an assessment must be submitted?

Yes, after the invitation you have to complete the assessment within 14 days.
If you need more time to answer the questions, please contact the cyberrisk service team by

Is it possible for more than one person to work on the assessment?

Anyone who has a user account with rights to the CyberRisk portal under the company account is able to complete the assessment.
However, only the first person to start filling out the assessment is considered the contact person for the assessment.

Do you have to complete the assessment all at once?

No. It is important to be prepared for the answers to the requirements, or to be able to consider them well.
This also facilitates and speeds up the verification process. The more precisely a fulfilled requirement is described, the fewer questions the assessor will have to ask.
The requirements and questions for the assessment are published by the Kuratorium Sicheres Österreich (KSÖ) and can be downloaded/viewed there: 

Will I receive my answers including a valuation later?

Yes. After completing the assessment, you must download and keep a package consisting of the details of the assessment. The package will contain the following information:
- CyberRisk Rating Certificate + Signature
- CyberRisk Rating Assessment Details complete, including examiner responses + signature.
- CyberRisk Rating Assessment Details without assessor answers + signature

Who else gets the answers?

The rating itself can be purchased by all clients. Only the rating score is shown. However, the customer can request the details of the rating. Here you can decide individually whether the requested data is released or not. 

Do the answers have to be provided for each client?

No. You only have to complete the assessment for the first enquiry of a customer and max. once a year.

Are the answers saved temporarily?

You can take the time you need to answer the assessment. Click on "Save and continue" to save the answer temporarily. You can then close the browser window or log out and continue at a later time. 

How is the confidentiality of my own information guaranteed?

Confidentiality is ensured by the fact that Nimbusec never passes on your details to third parties. Within the rating process, all commissioned data processors are obliged to maintain confidentiality. In contrast to common questionnaires, Nimbusec clients only receive the CyberRisk rating without further details. In the event of an external audit or a request from our client, you decide whether you wish to pass on your details to the auditor or to our client. If yes, the CyberRisk Rating provides you with a standardised, machine-readable data package that can be processed efficiently.  If not, you can refer to the validated CyberRisk Rating.