Iceland cybersecurity — a handbook for sysadmins
~15 min read · reviewed by a working Icelandic sysadmin · drafted with AI assistance
A handbook for the people who run computer systems in Iceland: which laws apply, who shows up when something goes wrong, and what you can do to be ready.
Unfamiliar with the security jargon? First-mention terms link out to the glossary. All cross-page anchors land directly on the defining entry.
- Iceland cybersecurity — a handbook for sysadmins
- 1. Why is Iceland a special case in cybersecurity?
- 2. Who hosts what in Iceland
- 3. Who defends Iceland — and when to call whom
- CERT-IS — the Icelandic computer emergency response team
- Persónuvernd — the data protection authority
- Fjarskiptastofa — telecom and cybersecurity regulator
- Defend Iceland — Coordinated Vulnerability Disclosure platform
- Eyvör — the National Cybersecurity Coordination Centre (NCC-IS)
- Who to call, by incident type
- 4. The laws that govern this
- 5. Iceland's cybersecurity case history
- 6. Domain takedowns in Iceland — why they take time
- 7. Cloud security and authentication — the part Act 78/2019 missed
- 8. A practical checklist — 15 things every Icelandic sysadmin should do
- 9. Where to look — the contact list
- What comes next
1. Why is Iceland a special case in cybersecurity?
Three conditions shape the working life of an Icelandic defender more sharply than in most places:
A small country. 389,444 people on 1 January 2025 (Statistics Iceland). That means a small domestic market, few departments per organisation, and one sysadmin often doing both ops and security. The profession is small enough that everyone knows everyone — which is good when you need to call someone on a Sunday morning.
The pipe to the outside world is narrow. Iceland has four subsea cables:
- FARICE-1 (to Scotland, in service 2004) — upgrade capacity around 11 Tbps
- DANICE (to Denmark, 2009) — up to 40 Tbps
- IRIS (to Ireland, 2023) — 132 Tbps (6 × 22 Tbps fibre pairs)
- Greenland Connect (via Greenland to Canada) — the only non-Farice cable
Roughly 208 Tbps of international submarine bandwidth in total (Wikipedia: Internet in Iceland). Sounds redundant — until you notice that three of the four cables are operated by the same company, Farice ehf (fully state-owned). If Farice goes through a major physical incident (volcanic eruption, cable-landing damage, severe storm hitting multiple landings), Iceland is left on a single Greenland-routed link. There's redundancy in cables, but not in operators.
The hosting ecosystem is larger than the domestic market. Iceland has unusually cheap and clean electricity (geothermal + hydro), which has attracted both data centres and privacy-focused hosting LIRs. 1984 ehf, FlokiNET, and Advania host many more customers abroad than at home. The IP ranges count as Icelandic by every measurable definition (RIPE allocation, geo-IP, often .is domains), but the owners, the criminals, and the victims usually sit outside Iceland.
The net effect for you, running Icelandic services: the Icelandic attack surface is larger than the country's domestic market — most of the genuinely malicious IPs in Icelandic hosting have nothing to do with Icelandic organisations. That complicates two things at once: reading threat-intel feeds (what's actually Icelandic versus just hosted in Iceland?), and responding (call the LIR or hunt the operator?).
A practical heuristic: if the IP's PTR-hostname points to the LIR's own brand (1984.is, cprapid.com, iceservers.net), the IP is just hosted on an Icelandic LIR — the actor is elsewhere. If the PTR points to an actual Icelandic organisation's domain (hi.is, or.is, isb.is), you're looking at an Icelandic tenant.
2. Who hosts what in Iceland
ISNIC (isnic.is) is Internet á Íslandi hf. — the company the state designated in 1995 to manage Iceland's ccTLD (.is). They also run RIX (below). All formal IP allocations to Icelandic entities go through RIPE NCC, where each LIR member (1984 ehf, Advania, ISNIC itself, etc.) is the applicant.
RIX — Reykjavík Internet Exchange (rix.is) is Iceland's only neutral-policy IXP, founded in 1999, operated by ISNIC. 28 ASes are connected (PeeringDB), 26 peers, 668 Gbps total bandwidth, 91% IPv6 support. RIX sits in three locations: RIX-TG (Tæknigarður, on the University of Iceland campus), RIX-KT (Katrínartún), and RIX-MH (Múlastöð on Ármúli 25). RIX is a member of Euro-IX.
So almost all Icelandic-to-Icelandic internet traffic flows through three rooms in Reykjavík. If any of them goes down, the traffic loops out through Scotland and back. Higher latency, sometimes broken.
The hosting and telecom companies that matter today (see the live overview on the dashboard):
- 1984 ehf (AS44925) — privacy-focused hosting; has historically hosted Tor relays; mostly foreign customers
- Advania Ísland ehf (AS50613, AS44515) — large Icelandic LIR, includes OrangeWebsite and IceNetworks
- FlokiNET ehf (AS200651) — privacy hosting, IP space frequently announced via Netherlands/Romania but RIPE-allocated to Iceland
- Hringdu (Hringiðan ehf) — the IS-HESTALEIT-* blocks
- Míla hf, Síminn, Nova hf, Sýn (Vodafone Iceland) — telcos with consumer broadband and enterprise hosting
- Origo, Sensa, Opin Kerfi — IT-services companies running customer infrastructure
- Hýsing ehf, atNorth (formerly Verne Global) — specialist data centres
The key habit: when you see an IP flagged in Icelandic space, start by knowing who owns the block. That's not the same thing as who is using the IP that day.
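The two questions this section and the PTR heuristic in section 1 ask (who holds the block, and who is using the IP today) can be kept apart in a small triage helper. The following is an added Python example, not code from the handbook: the allocation table, the PTR answers and all addresses are constructed (RFC 5737 test ranges standing in for a RIPE/RDAP lookup and a resolver), while the LIR brand and organisation suffixes are the ones named in section 1. It also handles the edge case a naive suffix check gets wrong, a lookalike such as `not1984.is`.

```python
"""Triage an IP seen in Icelandic address space: block holder vs. PTR-based tenant.

Added example, not code from the handbook. The allocation table and the PTR
answers below are constructed (RFC 5737 test addresses); the suffix lists
are the LIR brands and organisation domains named in section 1.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# PTR suffixes of hosting providers: "hosted on an Icelandic LIR, actor elsewhere".
LIR_BRANDS = ("1984.is", "cprapid.com", "iceservers.net")
# PTR suffixes of real Icelandic organisations: "an Icelandic tenant".
ICELANDIC_ORGS = ("hi.is", "or.is", "isb.is")

# Constructed stand-in for what a RIPE/RDAP lookup would tell you about the block.
BLOCK_HOLDERS = {
    ipaddress.ip_network("192.0.2.0/25"): "Example LIR ehf (constructed)",
    ipaddress.ip_network("192.0.2.128/25"): "Example Organisation (constructed)",
}

# Constructed PTR answers, as a resolver would return them (trailing dot included).
SAMPLE_PTRS: Dict[str, Optional[str]] = {
    "192.0.2.10": "vps-0042.1984.is.",
    "192.0.2.11": "mail.hi.is.",
    "192.0.2.12": "not1984.is.",   # lookalike that a naive endswith() would misclassify
    "192.0.2.130": None,           # no reverse DNS published
}


def _under(hostname: str, suffix: str) -> bool:
    """True if hostname is suffix itself or a subdomain of it (label boundary respected)."""
    h, s = hostname.lower().rstrip("."), suffix.lower().rstrip(".")
    return h == s or h.endswith("." + s)


def classify_ptr(ptr: Optional[str]) -> str:
    """Map a PTR hostname to 'lir-hosted', 'icelandic-tenant' or 'unknown'."""
    if not ptr:
        return "unknown"          # no reverse DNS: fall back to block ownership only
    if any(_under(ptr, s) for s in LIR_BRANDS):
        return "lir-hosted"
    if any(_under(ptr, s) for s in ICELANDIC_ORGS):
        return "icelandic-tenant"
    return "unknown"


def block_holder(ip: str) -> str:
    """Return the holder of the most specific allocation containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, who) for net, who in BLOCK_HOLDERS.items() if addr in net]
    if not matches:
        return "no allocation on record"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def triage(ip: str, ptr: Optional[str]) -> Tuple[str, str]:
    """Answer both questions for one IP: (who owns the block, what the PTR suggests)."""
    return block_holder(ip), classify_ptr(ptr)


if __name__ == "__main__":
    for ip, ptr in SAMPLE_PTRS.items():
        holder, verdict = triage(ip, ptr)
        print(f"{ip:<12} holder={holder!r:<38} ptr-verdict={verdict}")
```

In practice you would feed `block_holder` from an RDAP or whois response and `classify_ptr` from an actual reverse lookup; the point of keeping them as two separate answers is that a block held by a LIR tells you nothing about who is using a given address that day.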
3. Who defends Iceland — and when to call whom
Five places handle most cybersecurity questions:
CERT-IS — the Icelandic computer emergency response team
CERT-IS (cert.is) was founded in 2013 and is Iceland's national CSIRT — the team the international community calls when Iceland needs to respond to something.
Recent change (28 February 2025): CERT-IS moved from Fjarskiptastofa to the Ministry for Foreign Affairs, physically relocating from Suðurlandsbraut to Austurhöfn (Government of Iceland press release, 28 Feb 2025). The idea is for CERT-IS to work more closely with the ministry's Directorate for Defence and to deepen NATO cooperation. In practice this means:
- The operational side (incident response, threat-intel sharing, NATO Locked Shields and similar exercises) now lives at the Ministry for Foreign Affairs.
- The regulatory side (oversight of Act 78/2019, future NIS-2 enforcement) stays at Fjarskiptastofa.
This is recent — many older texts online still describe CERT-IS as part of Fjarskiptastofa. If you're reading public documents from 2024 or earlier, keep that in mind.
When do you call CERT-IS?
- When you've been breached and it has effects beyond your own operation (e.g. ransomware that spreads into customer networks).
- When you see active attacks coming from or aimed at Icelandic infrastructure.
- When you need to coordinate with foreign CSIRTs — CERT-IS speaks their language.
They also publish advisories (CVE warnings and sectoral alerts) and coordinate national-scale incidents. They are not a law-enforcement body — technical response, not prosecution.
Persónuvernd — the data protection authority
Persónuvernd is Iceland's data protection authority. They handle anything that goes wrong with personal data — not only digital (manual processing is in scope too) — and they have authority to fine and to issue administrative orders.
The single most important clock in Icelandic cybersecurity is Persónuvernd's 72-hour rule: if a personal-data breach occurs, you must notify without undue delay and, if possible, no later than 72 hours after becoming aware of the breach (Act 90/2018, Article 33; more in section 4 below). The clock starts when you became aware, not when the breach happened. That can be months apart.
Fjarskiptastofa — telecom and cybersecurity regulator
Fjarskiptastofa (the Electronic Communications Office of Iceland) regulates both telecom-network operation and the cybersecurity of critical infrastructure. They own Act 78/2019 (Iceland's NIS-1 implementation; see section 4) and will own NIS-2 once it's transposed. CERT-IS used to sit inside Fjarskiptastofa; since February 2025 it sits at the Ministry for Foreign Affairs, but Fjarskiptastofa's regulatory role is unchanged.
Defend Iceland — Coordinated Vulnerability Disclosure platform
Defend Iceland (short form: ICEDEF) is Iceland's bug-bounty / CVD platform. Founded in 2023 by Theódór Ragnar Gíslason (CTO of Syndis) as Defend Iceland ehf (kt. 520623-1910). It is NOT part of Syndis — it's a separate company, though originally spun out of Syndis and led by Syndis's CTO. The University of Iceland and Reykjavik University are partners.
Defend Iceland received a €2.53 million grant from the EU Digital Europe Programme (2 Oct 2023 – 21 Oct 2026, NorthStack). The goal: make a CVD platform accessible to Icelandic SMEs and government bodies with no upfront cost, including automated attack-surface mapping. Landsbankinn became a formal partner in June 2024.
As a sysadmin: you can register your organisation with Defend Iceland to get vetted ethical hackers pointing out problems for you — without having to run your own bug-bounty programme with VPN-access headaches and payout uncertainty.
Eyvör — the National Cybersecurity Coordination Centre (NCC-IS)
Eyvör is Iceland's national point of contact for the European Cybersecurity Competence Centre (ECCC), established under EU Regulation 2021/887. It is NOT an incident-response body — it's a coordination and funding entity, shared between the Ministry of Higher Education, Rannís, Fjarskiptastofa, CERT-IS, the two universities, and Auðna Tæknitorg, that disseminates EU research findings and supports Icelandic projects through grants.
Think about Eyvör when you're applying for a grant for a security project (research, awareness training, tool development) — they administer grants (cybersecurity-centre.europa.eu — NCC-IS) that can cover upgrading tooling or developing new approaches. Don't call them during an incident — that's CERT-IS.
Who to call, by incident type
| Incident | First | At the same time | Later |
|---|---|---|---|
| Personal-data breach (likely high risk) | Plan your response (don't tweet about it) | Persónuvernd within 72 hours | Notify affected data subjects, work with legal, post-mortem |
| Active intrusion from a foreign network | Containment + isolation | CERT-IS — especially if it affects more than just you | Forensic + post-mortem |
| Domain used against you (phishing, brand abuse) | Email the registrar (ISNIC for .is) | Begin preparing a court order (see section 6) | Continued monitoring |
| Vulnerability in your service reported by an outsider | Close the bug; don't punish the reporter | Patch | Register with Defend Iceland for future CVD |
4. The laws that govern this
Three legal texts underpin every cybersecurity programme in Iceland:
Act 90/2018 — On the protection of personal data and the processing of personal data
Iceland's implementation of the GDPR (Alþingi). Key requirements for sysadmins:
- 72-hour notification duty (Article 33): on a personal-data breach you must notify Persónuvernd "without undue delay and, if possible, no later than 72 hours after the data controller becomes aware of the breach". Late notifications must be accompanied by written reasons for the delay.
- Exemption: if the breach is unlikely to result in a risk to individuals' rights and freedoms, notification isn't required. You make that call at your own risk — Persónuvernd may later conclude differently.
- Notification to data subjects (Article 34): if the breach is likely to result in high risk you must also notify the affected individuals without undue delay. Common question: "is a kennitala (national ID) high-risk data?" — Persónuvernd has taken the position yes.
- Event logging and monitoring (Article 32): you must be able to demonstrate you could trace what happened. The 2021 Strætó case (see section 5) turned on this point: not on whether the breach occurred, but on the fact that neither Strætó nor Advania (the data processor) had enough logs to tell Persónuvernd exactly what happened.
Practical reading: LOGOS — Security breaches and notification duty gives a legal-practice overview of the 72-hour rule with Icelandic case examples.
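The Article 33 and 34 duties above are easy to get wrong under pressure, mostly on the question of when the clock starts. The following added Python example (not code from the handbook or from Persónuvernd) encodes only the rules stated in this section: the 72-hour clock runs from awareness, not from the breach; a no-risk assessment exempts you from notifying; a late notification needs written reasons; and a high-risk breach also means notifying the affected individuals. Times are UTC, which is also Iceland's local time all year; the sample dates are constructed.

```python
"""Act 90/2018 breach-notification duties as a small decision helper.

Added example, not code from the handbook or from Persónuvernd. It encodes
only the rules stated in section 4: Article 33 (notify Persónuvernd within
72 hours of becoming aware, with written reasons if late), the no-risk
exemption, and Article 34 (high risk means affected individuals are notified
too). Times are UTC; the sample dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class Breach:
    occurred_at: datetime                 # when the breach actually happened
    aware_at: datetime                    # when you became aware: the clock starts here
    risk: str                             # "none", "risk" or "high" (your own assessment)
    notified_dpa_at: Optional[datetime] = None


def dpa_deadline(b: Breach) -> datetime:
    """Article 33 deadline: 72 h after awareness, regardless of when the breach occurred."""
    return b.aware_at + NOTIFY_WINDOW


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left on the Persónuvernd clock; negative once the deadline has passed."""
    return (dpa_deadline(b) - now).total_seconds() / 3600


def duties(b: Breach, now: datetime) -> List[str]:
    """List the duties that apply at time `now`, given the risk assessment."""
    if b.risk not in ("none", "risk", "high"):
        raise ValueError("risk must be 'none', 'risk' or 'high'")
    if b.risk == "none":
        # Exemption: no notification required, but keep the assessment in writing;
        # Persónuvernd may later reach a different conclusion.
        return ["no notification required; keep a written risk assessment"]
    out = []
    if b.notified_dpa_at is None:
        left = hours_remaining(b, now)
        if left > 0:
            out.append(f"notify Persónuvernd (Article 33); {left:.1f} h remaining")
        else:
            out.append("notify Persónuvernd now; deadline passed, attach written reasons for the delay")
    elif b.notified_dpa_at > dpa_deadline(b):
        out.append("notification was late; written reasons for the delay are required")
    else:
        out.append("Persónuvernd notified within 72 h")
    if b.risk == "high":
        out.append("notify affected data subjects without undue delay (Article 34)")
    return out


# Constructed timeline: intrusion on 1 March, noticed on 20 March, reviewed a day later.
SAMPLE_BREACH = Breach(occurred_at=datetime(2026, 3, 1, tzinfo=UTC),
                       aware_at=datetime(2026, 3, 20, 9, 0, tzinfo=UTC),
                       risk="high")
SAMPLE_NOW = datetime(2026, 3, 21, 9, 0, tzinfo=UTC)

if __name__ == "__main__":
    print("deadline:", dpa_deadline(SAMPLE_BREACH).isoformat())
    for d in duties(SAMPLE_BREACH, SAMPLE_NOW):
        print("-", d)
```

The same structure extends to the other clocks the handbook mentions later (a cyber-insurance policy's 24–48 hour notification window, DORA's reporting stages for financial entities): add a deadline function per clock, all keyed off the same `aware_at`, so one status check shows every clock at once.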
Act 78/2019 — On the security of network and information systems of critical infrastructure
Iceland's implementation of the EU NIS-1 directive (Alþingi). In force from 1 September 2020. Defines what counts as "critical infrastructure" and imposes minimum security requirements on that set:
- Article 7: documented policies and processes for risk assessment, risk management, and risk mitigation.
- A duty to notify CERT-IS of serious cybersecurity incidents.
- Fjarskiptastofa has oversight authority and the power to fine.
The list of what counts as "critical infrastructure" is in Regulation 866/2020. Broadly: utilities, water, financial services, healthcare, telecom, digital public infrastructure. If you find your own operation on that list, you have duties the corner shop doesn't.
NIS-2 — which is not yet in force in Iceland
This is important to know: Iceland is the last EEA country yet to publish a draft or begin formal public consultation on NIS-2 implementation (Copla — NIS2 in Iceland, July 2025). The implementation timeline is still unclear and "transposition unlikely before 2026". The EEA Joint Committee is expected to incorporate NIS-2 into Annex XI of the EEA Agreement in autumn 2025.
Iceland's plan is not to write new legislation but to amend Act 78/2019 to cover the new obligations. State of play as of May 2026:
- No draft has yet appeared on Iceland's public consultation portal (samráðsgátt). Industry expectation is now late-2026 or early-2027 for transposition.
- October 2028 EU compliance deadline remains unchanged.
The biggest change to plan for: scope expansion. Today about 350 critical infrastructure entities fall under the act. NIS-2 is estimated to expand that to 3,000–4,000 entities (Copla estimate) — including medium-sized manufacturers and municipalities with populations ≥ 50,000. If you're a sysadmin in one of those, expect the regulator to reach you by 2028, even if nobody's said so yet.
Act 78/2025 — DORA, digital operational resilience for financial entities
Already in force. Iceland's lög 78/2025 ("Stafrænn viðnámsþróttur fjármálamarkaðar"), passed by Alþingi on 24 November 2025, implements the EU DORA regulation (2022/2554). It took effect in early 2026 and applies now, while NIS-2 is still pending.
DORA covers the financial sector specifically: banks, insurers, payment institutions, asset managers, fintech — and their ICT third-party service providers. The reach is wider than it looks: if your customer is an Icelandic financial entity, DORA's third-party requirements pull through your contract.
The parts a sysadmin notices:
- Tighter incident-reporting clock than NIS-2 or GDPR — initial classification within hours, intermediate reports during the incident, root-cause analysis after.
- Mandatory contractual provisions for ICT services to financial entities — incident-notification obligations, sub-processor disclosure, exit plans, cooperation with the customer's regulator.
- Threat-led penetration testing (TLPT) for major financial entities, on a regular cadence — and the providers they rely on have to cooperate.
- Concentration-risk reporting — the Icelandic financial sector now has to map which ICT providers it cumulatively depends on; if you're one, expect to be named.
Supervising authority in Iceland is the Central Bank (Seðlabanki Íslands) financial-supervision arm. If you run IT for any Icelandic financial entity or you're a downstream service provider to one, read the lög 78/2025 text or talk to your customer's compliance team — DORA is the regulation that has already changed your obligations, regardless of where NIS-2 lands.
5. Iceland's cybersecurity case history
Three cases every Icelandic sysadmin should be able to cite.
Strætó 2021 — what happens when you don't log enough
On 27 December 2021 a cyber-attack on Strætó bs. was disclosed; 10,000–15,000 people were affected (health data, kennitölur, financial information). The intrusions themselves happened between 11–15 November and 20–21 December 2021. The attackers identified themselves as Karakurt, a Conti-affiliated data-extortion crew, and emailed a ransom demand on Christmas Eve. Strætó consulted CERT-IS and refused to pay.
The intrusion vector that gave them administrator access on the operations side was a domain-administrator password that had not been changed since 2006 (DV, 19 Dec 2023). Fifteen years.
The decisive point in Persónuvernd ruling 2021122453 (28 November 2023) wasn't the break-in mechanic, though — it was why it couldn't be traced precisely. Both Strætó and Advania Ísland ehf (acting as data processor) breached Article 32 of Act 90/2018 through insufficient event logging and monitoring. Advania held ISO 27001 certification but their logs were operational, not security-grade.
No fine — Persónuvernd took into account that both Strætó and Advania had cooperated, notified in time, and remediated promptly. But the ruling sets a precedent: you cannot investigate what you did not log, and your processor's certification is not the same as your own security programme.
Source: full ruling at island.is/persónuvernd.
Farmers Association of Iceland — "too small to be a target" is a myth (2026)
On 6 May 2026 the ransomware group TheGentlemen posted Bændasamtök Íslands (the Farmers Association of Iceland) on its leak site, listing the bondi.is domain and the sector "Agriculture and Food Production". The story is still unfolding — follow it on this site's ransomware tracker.
The lesson: a farmers' interest association is not a stereotypical high-value target. But the ransomware-as-a-service business model thrives on someone paying, and small-but-undefended organisations often pay faster than large well-defended ones. If you think you're "too small to be a target", you're reading the economics from the wrong side.
The CERT-IS numbers
From the CERT-IS 2025 annual report (Utanríkisráðuneyti, 13 April 2026):
- 5,240 notifications received in 2025 (+26% year-over-year)
- 2,312 cases requiring response — the actionable subset (+43%)
- 1,304 phishing cases specifically (+47%) — single largest category
- Top spoofed brands: Pósturinn, Microsoft, Skatturinn, Veitur, Ísland.is
- +388% year-over-year in detected breaches / break-in attempts — driven by adversary-in-the-middle phishing that captures session tokens (see §7a)
- 257 malware incidents
- CERT-IS's official position remains: don't pay ransoms
In a country of 389,444 people, 2,312 actionable cases per year is a substantial per-capita rate — comparable to the neighbouring Nordic countries on a per-capita basis. The +43% YoY jump in the actionable subset is the part that's actually new.
6. Domain takedowns in Iceland — why they take time
Many sysadmins assume "file an abuse report → domain gets pulled" the way it works in many other countries. In Iceland it works differently — and that's a policy choice, not a malfunction.
Per ISNIC's domain rules:
Closing a .is domain based on domain's usage (...) can be requested by a formal court order from an Icelandic court, or a request from relevant Icelandic authorities. ISNIC must close a domain if it is illegal according to a court decision or a final ruling of a competent body, or based on a request from the police following a court ruling.
And more pointedly:
ISNIC, Iceland's main domain registrar, rarely closes domains based on a site's content. ISNIC does not permanently remove domains that violate rules. ISNIC does not block re-registration, even in cases involving harmful or illegal content.
The practical effects:
- What works: a court order from an Icelandic court, or a police request based on a court order. After such an order ISNIC IS obliged to close.
- What does NOT work: a plain abuse report claiming "this domain is being used for phishing" — without a court order, ISNIC will usually do nothing.
- What keeps working after takedown: re-registration of the same domain. No blocklist.
Iceland has chosen to put the rights of the domain holder above fast takedowns. That's a free-speech protection (see Freedom House — Iceland), and it's also abused by those who need domains that aren't easy to take down.
The practical consequence for you as a sysadmin: if your problem involves a .is domain — start a legal process immediately, don't just open an abuse ticket. The time from first indication to court order is measured in months, not days. During those months you need to close from your own side — DNS filtering, IP blocking, email filtering — rather than wait for the registrar.
7. Cloud security and authentication — the part Act 78/2019 missed
Up to here this handbook has been written as if your systems live on-premise: a web server in a rack, a mail server in the basement, a few SaaS services on the edge. That worldview is out of date for Icelandic SMEs and government bodies in 2026.
Two shifts dominate the picture now:
- Office work has moved to Microsoft 365 (M365) + Entra ID (formerly Azure AD) at almost every Icelandic organisation with 10+ employees.
- Public-service authentication for individuals runs on rafræn skilríki / Auðkenni — the SIM-based or app-based electronic ID issued by Auðkenni ehf, used to log into Skatturinn (the tax office), island.is, the banks, and most public services.
Act 78/2019 (see section 4 above) addresses essentially none of this — it focused on on-premise critical infrastructure. NIS-2 will cover more of it, but until then: two attack patterns drive most new breaches at small-to-medium Icelandic organisations, and neither is stopped by "we have MFA".
7a. Token theft (M365 / Entra ID) and BEC
The typical attack CERT-IS catalogues under "deception aimed at a person" (see section 5) looks like this in 2026:
- Phishing into the finance team — "invoice renewal from Origo", "departmental notice from Skatturinn", often replying inside an existing invoice thread to look legitimate.
- The link goes to an Adversary-in-the-Middle (AitM) proxy (Evilginx, Tycoon, and others) that mirrors the real M365 sign-in page in real time. The user enters the password, approves the MFA prompt — and the session token (refresh-token cookie) is captured by the attacker.
- MFA does not stop this. Once MFA is satisfied, the token lives in the attacker's cookie jar for as long as it does in yours (typically 7–30 days for the refresh token).
- Within the next hour the attacker creates mailbox rules: anything containing "invoice", "wire", "reikningur" is routed to a hidden folder and forwarded to a Gmail address. The user sees nothing.
- BEC (Business Email Compromise): the attacker replies inside an ongoing invoice thread, changes the bank details, and requests a wire to a new account. That economics drives a substantial share of CERT-IS's annual case load (see §5 for the 2025 numbers — the +388% YoY breach-attempt spike is largely this attack pattern).
What works:
- Conditional Access in Entra ID blocking legacy auth (POP3, IMAP, SMTP basic-auth). Adversary-in-the-Middle attackers often try those endpoints first; ordinary users don't need them.
- Phishing-resistant MFA on admin / privileged accounts: FIDO2 security keys (YubiKey etc.) or Windows Hello for Business. This tier is immune to the AitM-proxy attack — the password and the key are bound to the real domain, not the mirrored one.
- Alerts on Entra sign-in logs: impossible travel (Reykjavík + Vladivostok within ten minutes), new OAuth-app consents, mailbox-rule changes on VIP mailboxes, unusual device registrations.
- Monthly review of OAuth-app consents. Users routinely approve "Adobe Sign Pro" which turns out to be a consent-phishing app with a wide scope. Filter on user-granted (not admin-consented) apps with broad permissions — Mail.Read, Mail.Send, Files.ReadWrite, User.Read.All. These are the consent-phishing payloads. In Entra: Identity → Enterprise apps → User settings → consider setting Users can consent to apps = No and requiring admin approval for anything touching mailbox or files. This is its own attack chain (no password, no token theft, just a user approving "Sign in with Microsoft" on an attacker app) and is rising fast in 2025–26.
- DMARC set to quarantine or reject on every domain you own — not just the primary one. BEC actors use lookalikes (origo-finance.com vs origo.is); DMARC stops spoofing of your domains, though it cannot help with third-party lookalikes.
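The three log-driven controls in the list above are straightforward to express as detection logic. The following is an added Python example, not code from the handbook and not Microsoft's API: it flags impossible travel between consecutive sign-ins of one user, new inbox rules that forward outside the organisation or hide finance mail, and user-granted OAuth consents carrying the scopes listed above. The records are constructed stand-ins with simplified field names; real Entra sign-in logs, the unified audit log and the permission-grant list use different field names, so map them to your export before use. The speed threshold and the internal-domain list are assumptions.

```python
"""Three detections from section 7a, run over constructed sample records.

Added example, not part of the handbook and not Microsoft code. The record
layouts are simplified stand-ins for Entra sign-in logs, the Exchange unified
audit log and the OAuth permission-grant list; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

UTC = timezone.utc
EARTH_KM = 6371.0
MAX_SPEED_KMH = 1000.0            # assumption: faster than any airliner means impossible travel
RISKY_SCOPES = {"Mail.Read", "Mail.Send", "Files.ReadWrite", "User.Read.All"}
INTERNAL_DOMAINS = {"example.is"}   # assumption: the organisation's own mail domains

# --- constructed sample data (fictional users, RFC 5737 addresses) ----------
SIGNINS = [  # simplified sign-in records with geolocated source IPs
    {"user": "gudrun@example.is", "time": "2026-03-02T08:00:00Z",
     "ip": "192.0.2.5", "lat": 64.13, "lon": -21.90},      # Reykjavík
    {"user": "gudrun@example.is", "time": "2026-03-02T08:10:00Z",
     "ip": "198.51.100.7", "lat": 43.12, "lon": 131.89},   # Vladivostok, ten minutes later
    {"user": "jon@example.is", "time": "2026-03-02T09:00:00Z",
     "ip": "192.0.2.9", "lat": 64.13, "lon": -21.90},
]
AUDIT = [  # simplified audit records for inbox-rule creation
    {"op": "New-InboxRule", "user": "gudrun@example.is",
     "params": {"SubjectContainsWords": "invoice;reikningur",
                "ForwardTo": "payments.desk@gmail.com", "MoveToFolder": "RSS Feeds"}},
    {"op": "New-InboxRule", "user": "jon@example.is",
     "params": {"From": "newsletter@example.is", "MoveToFolder": "Newsletters"}},
]
CONSENTS = [  # simplified OAuth permission grants; "Principal" = user consent
    {"app": "Adobe Sign Pro", "consent": "Principal",
     "scopes": ["Mail.Read", "Mail.Send", "offline_access"]},
    {"app": "Company Intranet", "consent": "AllPrincipals", "scopes": ["User.Read.All"]},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_KM * asin(sqrt(a))


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def impossible_travel(signins):
    """Flag consecutive sign-ins of one user that imply travel faster than MAX_SPEED_KMH."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                alerts.append((user, round(km), cur["ip"]))
    return alerts


def suspicious_inbox_rules(audit):
    """Flag new inbox rules that forward outside the organisation or hide finance mail."""
    alerts = []
    for rec in audit:
        if rec["op"] != "New-InboxRule":
            continue
        p = rec["params"]
        external = any(
            "@" in p.get(k, "") and p[k].split("@")[1].lower() not in INTERNAL_DOMAINS
            for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
        )
        words = p.get("SubjectContainsWords", "").lower()
        hides_finance = any(w in words for w in ("invoice", "wire", "reikningur")) and (
            "MoveToFolder" in p or p.get("DeleteMessage"))
        if external or hides_finance:
            alerts.append((rec["user"], "external-forward" if external else "hidden-finance-mail"))
    return alerts


def risky_user_consents(consents):
    """Flag user-granted (not admin-consented) apps holding broad mailbox/file scopes."""
    return [(c["app"], sorted(set(c["scopes"]) & RISKY_SCOPES))
            for c in consents
            if c["consent"] == "Principal" and set(c["scopes"]) & RISKY_SCOPES]


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("inbox rules:", suspicious_inbox_rules(AUDIT))
    print("user consents:", risky_user_consents(CONSENTS))
```

On the sample data the Reykjavík-to-Vladivostok pair is roughly 7,900 km apart ten minutes apart, Guðrún's rule both forwards externally and hides finance mail (the external forward is reported as the stronger signal), and only the user-consented app trips the scope filter; the admin-consented intranet app does not, which is exactly the distinction the consent review is after.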
What does not work:
- SMS-based MFA — phishable, and defeated by SIM-swap.
- Microsoft Authenticator push without number-matching — push-bombing wears down a tired user (see 7b).
7b. Auðkenni / rafræn skilríki — MFA fatigue and social engineering
Iceland's electronic ID is technically strong authentication — PKI certificates on a SIM card or in the Auðkenni mobile app, issued by Auðkenni ehf. But the endpoint is a human with a phone, and that's where the failures occur. Three common attack patterns:
Push-bombing (MFA fatigue). An attacker holding a stolen kennitala (national ID number) + password sends repeated sign-in requests to the user's Auðkenni app. 50–100 pushes per hour. Eventually the user approves out of fatigue — especially when the push arrives at 3 AM and the user assumes the phone is malfunctioning.
Auðkenni has partly mitigated this with number-matching (audkenni.is): you have to read the number on the screen requesting authentication and type it on the phone. That defeats blind push spam — but not the vishing combo.
Vishing + push (concurrent). The attacker calls: "Hi, I'm Sigurður from IT, we're updating your Entra account, you'll get an Auðkenni prompt now — please enter the number 47 you see on the screen." The user genuinely sees 47 on her own screen (because the attacker is logging in at that very second), types 47 on the phone, and the attacker is in. Number-matching only works if the user recognises that she didn't initiate the sign-in.
SIM-swap → re-enrollment. Less common in Iceland — the carriers Nova, Síminn, and Sýn know their customers reasonably well — but social engineering of a support agent through a ticket still occasionally works. The attacker has the user's number ported to a new SIM and re-enrolls the electronic ID onto the new card.
What works:
- FIDO2 for admin and critical accounts. Rafræn skilríki is sufficient for 99% of users, but privileged accounts (domain admin, finance admin, HR master) should require FIDO2 in addition — or instead-of, if that's more practical.
- Write the rule "we will NEVER call you and ask you to approve a push" into onboarding and into the incident playbook. When a user simultaneously gets a phone call and sees a push, the standard reaction must be hang up, call back on a known internal number from the corporate directory.
- Port-out PIN at the carrier — Nova, Síminn, and Sýn all offer PIN protection against SIM-swap. Provide it to senior staff (CEO, CFO, directors) as part of onboarding.
- Alert on re-enrollment events — if a user's electronic ID is re-issued on a new SIM or new phone, surface that to IT, particularly for privileged accounts.
General principle: rafræn skilríki + Auðkenni are strong defences against a remote attacker who tries to use a stolen password directly. They are weaker defences against an attacker who manages to social-engineer the user into approving a legitimate-looking authentication request. One side is technical; the other is social.
8. A practical checklist — 15 things every Icelandic sysadmin should do
Listed without priority order. Some are paperwork; others save you in the first hour — you'll know which is which after your first incident. All of it is before the incident, not during:
- Publish security.txt on every public-facing site (RFC 9116, under /.well-known/security.txt). It's a single-line ticket booth for hackers wanting to report something — without it, they're either tweeting at you or saying nothing.
- Put the CERT-IS contact in your phone — both email and your email-on-mobile sign-in. When you need to call on a Sunday morning, you don't want to be googling "CERT-IS contact".
- Subscribe to CERT-IS advisories — cert.is has RSS and email. You move onto the priority list for vendor vulnerabilities relevant to Icelandic operators.
- Check whether your operation counts as "critical infrastructure" — see Regulation 866/2020. If yes: you have duties you might not know about.
- Written incident-response plan + annual exercise — a plan in Confluence isn't enough. Run a realistic scenario once a year, and find out who actually picks up the on-call phone. The first-hour cheat sheet is what you should actually be testing against.
- Documented 72-hour notification workflow — who answers the call, who assesses risk, who phones Persónuvernd, who talks to legal, who writes the notification text. All of this needs to be worked out in advance, not while the clock is ticking.
- Know who your DPO is — required under Act 90/2018 for certain types of processing (Article 37). If you need a DPO and don't have one, you're already in breach.
- Check your own attack surface regularly — Shodan banner scans, banner-version analysis, open ports. A live overview of the Icelandic landscape lives at /attack-surface on this site.
- Understand the ISNIC takedown process (see section 6) — both to set realistic expectations when you're the victim and to use it when someone abuses your own domain.
- Register with Defend Iceland — the CVD platform (defendiceland.is). No upfront cost, automated attack-surface mapping, and you get pre-vetted hackers pointing at problems before they become incidents.
- Phone list for a breach — who's CFO today (they may have moved since you last looked)? Who's general counsel? Who speaks to the press? Write down kennitölur and personal mobile numbers in a locked document before anything happens. Slack and Teams don't work when the internet's down.
- Test restores quarterly + follow 3-2-1. A backup script that runs is not the same as a backup you can use. One restore per quarter is the minimum; ideally on randomly-chosen dates. Follow 3-2-1: three copies, two different media types, at least one offsite. Modern ransomware crews target backup infrastructure first, so at least one copy must be immutable (S3 Object Lock, immutable Veeam/Synology snapshots, vendor-locked retention) or air-gapped (offline tapes, removable drives that aren't connected when the attack lands). Karakurt sat in Strætó's systems for two months — anything "online but on a separate server" would have been reachable.
- Audit your service-provider access regularly. Origo, Advania, Sensa, Opin Kerfi and others need least-privilege access to your systems — not "domain admin across all their customers". Ask explicitly: what access does my MSP have to my Entra / AD / M365 / SaaS, and log their use of it like any other sign-in. The Strætó case (section 5) is the practical example — a processor that fails drags the controller down with it. See the vendor questionnaire for the eight questions to ask before signing.
- Incident-response retainer + cyber insurance, both pre-arranged. For 5–200 person IT teams without their own SOC: pre-arrange a retainer with a firm like Syndis, or a foreign IR shop (Mandiant, CrowdStrike Falcon Complete, Kroll, etc.). They show up the moment you call — not two weeks later, after procurement, while your systems sit encrypted. A minimal retainer is typically "X hours per year for Y" — you may never use it, but it locks in the SLA when you need it. Cyber insurance is the parallel: Sjóvá, VÍS and TM all offer cover. Read the policy before you need it — some forbid ransom payment outright, most require specific controls (MFA, EDR, patch cadence) as a precondition, and all have their own 24–48 hour notification clock that runs alongside Persónuvernd's 72-hour clock.
- Segment networks where it matters most. Flat networks make lateral movement trivial — once an attacker has a foothold anywhere, they can reach everything. A 30-minute-effort minimum: separate the office user LAN from the server VLAN, separate Wi-Fi guests from corporate, isolate finance and payroll on their own VLAN with explicit allow-lists instead of "internal IPs can talk to internal IPs". For server-side: domain controllers, hypervisor management, and backup infrastructure on their own segments, with no inbound paths from the user LAN. The cheap version (VLAN + firewall ACL) is 10× better than "everyone can ping everyone".
This list is aimed at small and medium organisations (5–200 person IT teams). If you're at Landsvirkjun, Síminn IT, or another critical-infrastructure operator, you need much more than this. Talk to CERT-IS.
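For the security.txt item in the checklist, here is an added Python example (not the handbook's code) that renders a file and checks it against RFC 9116's rules: Contact and Expires are required, Expires appears exactly once and is an ISO 8601 timestamp, Contact values are URIs (mailto:, https:// or tel:), and Expires should be less than a year away. The contact addresses and dates are constructed.

```python
"""Build and validate a security.txt per RFC 9116.

Added example, not code from the handbook. Contact addresses and dates are
constructed placeholders. The checks cover the RFC's hard rules (Contact and
Expires required, Expires exactly once, Contact values are URIs) and its
recommendation that Expires be less than a year into the future.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
REQUIRED = ("Contact", "Expires")
URI_SCHEMES = ("mailto:", "https://", "tel:")


def build_security_txt(contacts, expires, languages="is, en", policy=None) -> str:
    """Render a security.txt body; Expires is written as ISO 8601 in UTC."""
    lines = [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ"))
    lines.append(f"Preferred-Languages: {languages}")
    if policy:
        lines.append(f"Policy: {policy}")
    return "\n".join(lines) + "\n"


def parse_fields(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs, skipping comments and blank lines."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def validate(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(UTC)
    fields = parse_fields(text)
    names = [n for n, _ in fields]
    problems = []
    for req in REQUIRED:
        if req not in names:
            problems.append(f"missing required field {req}")
    if names.count("Expires") > 1:
        problems.append("Expires must appear exactly once")
    for name, value in fields:
        if name == "Contact" and not value.startswith(URI_SCHEMES):
            problems.append(f"Contact is not a URI: {value!r}")
        if name == "Expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not ISO 8601: {value!r}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif exp <= now:
                problems.append("file has expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


# Constructed samples: a fixed "now" keeps the checks deterministic.
SAMPLE_NOW = datetime(2026, 6, 1, tzinfo=UTC)
SAMPLE_GOOD = build_security_txt(["mailto:security@example.is", "https://example.is/security"],
                                 SAMPLE_NOW + timedelta(days=180),
                                 policy="https://example.is/security-policy")
SAMPLE_BAD = "Contact: security@example.is\nExpires: 2020-01-01T00:00:00Z\n"

if __name__ == "__main__":
    print(SAMPLE_GOOD)
    print("good:", validate(SAMPLE_GOOD, SAMPLE_NOW))
    print("bad: ", validate(SAMPLE_BAD, SAMPLE_NOW))
```

Run the validator against your own deployed file on a schedule: the most common failure in practice is not a malformed file but one whose Expires date has quietly passed, at which point RFC 9116 says the file should be treated as stale.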
9. Where to look — the contact list
Websites and basic credentials:
| Entity | URL | When |
|---|---|---|
| CERT-IS (national CSIRT, at the Ministry for Foreign Affairs since Feb 2025) | cert.is | Technical incident; cross-border coordination; NATO cooperation |
| Persónuvernd | personuvernd.is | Personal-data breach (the 72-hour clock) |
| Fjarskiptastofa | fjarskiptastofa.is | Critical infrastructure; Act 78/2019; future NIS-2 oversight |
| Ministry for Foreign Affairs — Directorate for Defence | stjornarradid.is — utanrikisraduneytid | Home of CERT-IS since Feb 2025; cyber-defence strategy |
| Defend Iceland | defendiceland.is | CVD programme; bug bounty; attack-surface mapping |
| Eyvör (NCC-IS) | island.is/en/eyvoer-ncc-is | EU coordination; grants for security research projects |
| ISNIC | isnic.is | .is domains — registry questions, abuse (which starts with a court order) |
| RIX | rix.is | Internet exchange (peering, BGP) |
| Auðkenni ehf | audkenni.is | Rafræn skilríki / electronic ID — revocation, re-enrollment, suspected compromise |
| Ríkislögreglustjóri — netbrotadeild | logreglan.is | Criminal investigation: ransomware, fraud, extortion. CERT-IS is technical; the police prosecute. |
| Seðlabanki Íslands — fjármálaeftirlit | sedlabanki.is | DORA supervisory authority for financial entities (lög 78/2025) |
| RHnet (research network) | rhnet.is | University and research network |
And if you want the technical grounding in CVE / CVSS / KEV / ATT&CK before going deeper into this — see /learn/intro on this site.
What comes next
Topics that could become their own chapter if this grows into a directory:
- Vendor questionnaire — eight questions to ask a SaaS or hosting vendor before signing.
- First-hour cheat sheet — what to do (and what not to do) in the first sixty minutes of a suspected breach.
- Printable one-page reference — the 15-item checklist as something you can keep next to the keyboard.
- Casebook — more Icelandic cases broken down (as CERT-IS publishes more post-mortems).
- Insider risk — most handbooks skip it; it deserves its own page.
Questions and corrections to news.1881.is — Sveinn reads these and updates.