dora-its-incident-forms.json (94.5 KiB)
{
"id": "DORA_ITS_INCIDENT_FORMS",
"full_name": "Commission Implementing Regulation (EU) 2025/302 - Standard Forms and Templates for Incident Reporting",
"celex_id": "32025R0302",
"eur_lex_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32025R0302",
"articles": [
{
"number": "1",
"title": "Template for reporting ICT-related major incidents",
"text": "1. Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows:\n\n(a)\n\nfinancial entities that submit an initial notification shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 2 of Commission Delegated Regulation (EU) 2025/301 (7), and may, where they already have that information, complete those data fields the completion of which is not required for an initial notification but is required for an intermediate or final report;\n\n(b)\n\nfinancial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2025/301 and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report.\n\n(c)\n\nfinancial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2025/301.\n\n2. Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate.\n\n3. Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report.\n\n4. When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report.\n\n5. Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I."
},
{
"number": "2",
"title": "Joint submission of initial notification, intermediate and final reports",
"text": "Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Delegated Regulation (EU) 2025/301 are met."
},
{
"number": "3",
"title": "Recurring ICT-related incidents",
"text": "Financial entities that provide information on non-major recurring ICT-related incidents that cumulatively meet the conditions for one major ICT-related incident as set out in Article 8(2) of Delegated Regulation (EU) 2024/1772, shall provide that information in an aggregated form."
},
{
"number": "4",
"title": "Use of secure electronic channels",
"text": "1. Financial entities shall use secure electronic channels as made available by their competent authority to submit the initial notification and the intermediate and final reports.\n\n2. Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so."
},
{
"number": "5",
"title": "Reclassification of major ICT-related incidents",
"text": "Where after further assessment, the financial entity concludes that the ICT-related incident previously reported as major, at no time fulfilled the classification criteria and thresholds set out in Article 8 of Delegated Regulation (EU) 2024/1772, the financial entity shall notify to the competent authority that it has reclassified the ICT-related incident from major to non-major by providing the information about that reclassification in the template laid down in Annex II to this Regulation in relation to the fields ‘type of report’ and ‘other information’."
},
{
"number": "6",
"title": "Notification of outsourcing of the reporting obligations",
"text": "1. Financial entities that have outsourced the obligation to report major ICT-related incidents in accordance with Article 19(5) of Regulation (EU) 2022/2554 shall inform their competent authority of that outsourcing arrangement as soon as the outsourcing arrangement has been concluded and at the latest prior to the first notification or reporting.\n\n2. Financial entities shall provide the competent authority with the name, contact details, and identification code of the third-party that will submit the major ICT-related incident notifications or reports for them.\n\n3. Financial entities shall inform their competent authority as soon as they no longer outsource their reporting obligations as referred to in Article 19(5) of Regulation (EU) 2022/2554."
},
{
"number": "7",
"title": "Aggregated reporting",
"text": "1. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met:\n\n(a)\n\nthe major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider;\n\n(b)\n\nthat third-party service provider provides the relevant ICT service to more than one financial entity, or to a group;\n\n(c)\n\nthe ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report;\n\n(d)\n\nthe major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority;\n\n(e)\n\ncompetent authorities have explicitly permitted this type of financial entities to aggregate their reporting.\n\n2. Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014 of the European Central Bank (8), operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority.\n\n3. Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident."
},
{
"number": "8",
"title": "Notification of significant cyber threats",
"text": "1. Financial entities that notify significant cyber threats to competent authorities in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall use the template laid down in Annex III to this Regulation and follow the data glossary and instructions set out in Annex IV to this Regulation.\n\n2. Financial entities shall ensure that the information contained in the notification of significant cyber threats is complete and accurate."
},
{
"number": "9",
"title": "Entry into force",
"text": "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.\n\nThis Regulation shall be binding in its entirety and directly applicable in all Member States.\n\nDone at Brussels, 23 October 2024.\n\nFor the Commission\n\nThe President\n\nUrsula VON DER LEYEN\n\n(1)\n\nOJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj.\n\n(2) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj).\n\n(3) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj).\n\n(4) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj).\n\n(5) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).\n\n(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).\n\n(7) Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats. (OJ L, 2025/301, 20.2.2025, ELI: http://data.europa.eu/eli/reg_del/2025/301/oj).\n\n(8) Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (SSM Framework Regulation) (ECB/2014/17) (OJ L 141, 14.5.2014, p. 1, ELI: http://data.europa.eu/eli/reg/2014/468/oj).\n\nANNEX I\n\nTEMPLATES FOR THE REPORTING OF MAJOR INCIDENTS\n\nNumber of field\n\nData field\n\nGeneral information about the financial entity\n\n1.1\n\nType of submission\n\n1.2\n\nName of the entity submitting the report\n\n1.3\n\nIdentification code of the entity submitting the report\n\n1.4\n\nType of financial entity affected\n\n1.5\n\nName of the financial entity affected\n\n1.6\n\nLEI code of the financial entity affected\n\n1.7\n\nPrimary contact person name\n\n1.8\n\nPrimary contact person email\n\n1.9\n\nPrimary contact person telephone\n\n1.10\n\nSecond contact person name\n\n1.11\n\nSecond contact person email\n\n1.12\n\nSecond contact person telephone\n\n1.13\n\nName of the ultimate parent undertaking\n\n1.14\n\nLEI code of the ultimate parent undertaking\n\n1.15\n\nReporting currency\n\nContent of the initial notification\n\n2.1\n\nIncident reference code assigned by the financial entity\n\n2.2\n\nDate and time of detection of the major ICT-related incident\n\n2.3\n\nDate and time of classification of the ICT-related incident as major\n\n2.4\n\nDescription of the major ICT-related incident\n\n2.5\n\nClassification criteria that triggered the incident report\n\n2.6\n\nMateriality thresholds for the classification criterion ‘Geographical spread’\n\n2.7\n\nDiscovery of the major ICT-related incident\n\n2.8\n\nIndication whether the major ICT-related incident originates from a third-party provider or another financial entity\n\n2.9\n\nActivation of business continuity plan, if activated\n\n2.10\n\nOther relevant information\n\nContent of the intermediate report\n\n3.1\n\nIncident reference code provided by the competent authority\n\n3.2\n\nDate and time of occurrence of the major ICT-related incident\n\n3.3\n\nDate and time when services, activities or operations have been recovered\n\n3.4\n\nNumber of clients affected\n\n3.5\n\nPercentage of clients affected\n\n3.6\n\nNumber of financial counterparts affected\n\n3.7\n\nPercentage of financial counterparts affected\n\n3.8\n\nImpact on relevant clients or financial counterparts\n\n3.9\n\nNumber of affected transactions\n\n3.10\n\nPercentage of affected transactions\n\n3.11\n\nValue of affected transactions\n\n3.12\n\nInformation on whether the numbers are actual or estimates, or whether there has not been any impact\n\n3.13\n\nReputational impact\n\n3.14\n\nContextual information about the reputational impact\n\n3.15\n\nDuration of the major ICT-related incident\n\n3.16\n\nService downtime\n\n3.17\n\nInformation on whether the numbers for duration and service downtime are actual or estimates.\n\n3.18\n\nTypes of impact in the Member States\n\n3.19\n\nDescription of how the major ICT-related incident has an impact in other Member States\n\n3.20\n\nMateriality thresholds for the classification criterion ‘Data losses’\n\n3.21\n\nDescription of the data losses\n\n3.22\n\nClassification criterion ‘Critical services affected’\n\n3.23\n\nType of the major ICT-related incident\n\n3.24\n\nOther types of incidents\n\n3.25\n\nThreats and techniques used by the threat actor\n\n3.26\n\nOther types of techniques\n\n3.27\n\nInformation about affected functional areas and business processes\n\n3.28\n\nAffected infrastructure components supporting business processes\n\n3.29\n\nInformation about affected infrastructure components supporting business processes\n\n3.30\n\nImpact on the financial interest of clients\n\n3.31\n\nReporting to other authorities\n\n3.32\n\nSpecification of ‘other’ authorities\n\n3.33\n\nTemporary actions/measures taken or planned to be taken to recover from the incident\n\n3.34\n\nDescription of any temporary actions and measures taken or planned to be taken to recover from the incident\n\n3.35\n\nIndicators of compromise\n\nContent of the final report\n\n4.1\n\nHigh-level classification of root causes of the incident\n\n4.2\n\nDetailed classification of root causes of the incident\n\n4.3\n\nAdditional classification of root causes of the incident\n\n4.4\n\nOther types of root cause types\n\n4.5\n\nInformation about the root causes of the incident\n\n4.6\n\nIncident resolution summary\n\n4.7\n\nDate and time when the incident root cause was addressed\n\n4.8\n\nDate and time when the incident was resolved\n\n4.9\n\nInformation if the permanent resolution date of the incident differs from the initially planned implementation date\n\n4.10\n\nAssessment of risk to critical functions for resolution purposes\n\n4.11\n\nInformation relevant for resolution authorities\n\n4.12\n\nMateriality threshold for the classification criterion ‘Economic impact’\n\n4.13\n\nAmount of gross direct and indirect costs and losses\n\n4.14\n\nAmount of financial recoveries\n\n4.15\n\nInformation on whether the non-major incidents have been recurring\n\n4.16\n\nDate and time of occurrence of recurring incidents\n\nANNEX II\n\nDATA GLOSSARY AND INSTRUCTIONS FOR THE REPORTING OF MAJOR INCIDENTS\n\nData field\n\nDescription\n\nMandatory for initial notification\n\nMandatory for intermediate report\n\nMandatory for final report\n\nField type\n\nGeneral information about the financial entity\n\n1.1.\n\nType of submission\n\nIndicate the type of incident notification or report being submitted to the competent authority.\n\nYes\n\nYes\n\nYes\n\nChoice:\n\n—\n\ninitial notification;\n\n—\n\nintermediate report;\n\n—\n\nfinal report;\n\n—\n\nmajor incident reclassified as non-major.\n\n1.2.\n\nName of the entity submitting the report\n\nFull legal name of the entity submitting the report.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.3.\n\nIdentification code of the entity submitting the report\n\nIdentification code of the entity submitting the report.\n\nWhere financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.\n\nA third-party provider that submits a report for a financial entity can use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.4.\n\nType of the affected financial entity\n\nType of the entity as referred to in Article 2(1), points (a) to (t), of Regulation (EU) 2022/2554 for whom the report is submitted.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the different types of financial entities covered in the aggregated report to be selected.\n\nYes\n\nYes\n\nYes\n\nChoice (multiselect):\n\n—\n\ncredit institution;\n\n—\n\npayment institution;\n\n—\n\nexempted payment institution;\n\n—\n\naccount information service provider;\n\n—\n\nelectronic money institution;\n\n—\n\nexempted electronic money institution;\n\n—\n\ninvestment firm;\n\n—\n\ncrypto-asset service provider;\n\n—\n\nissuer of asset-referenced tokens;\n\n—\n\ncentral securities depository;\n\n—\n\ncentral counterparty;\n\n—\n\ntrading venue;\n\n—\n\ntrade repository;\n\n—\n\nmanager of alternative investment fund;\n\n—\n\nmanagement company;\n\n—\n\ndata reporting service provider;\n\n—\n\ninsurance and reinsurance undertaking;\n\n—\n\ninsurance intermediary, reinsurance intermediary and ancillary insurance intermediary;\n\n—\n\ninstitution for occupational retirement provision;\n\n—\n\ncredit rating agency;\n\n—\n\nadministrator of critical benchmarks;\n\n—\n\ncrowdfunding service provider;\n\n—\n\nsecuritisation repository.\n\n1.5.\n\nName of the financial entity affected\n\nFull legal name of the financial entity affected by the major ICT-related incident and required to report the major incident to its competent authority under Article 19 of Regulation (EU) 2022/2554.\n\nIn case of aggregated reporting:\n\n(a)\n\nlist of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon;\n\n(b)\n\nthe third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon.\n\nYes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting\n\nYes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting\n\nYes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting\n\nAlphanumeric\n\n1.6.\n\nLEI code of the financial entity affected\n\nLegal Entity Identifier (LEI) of the financial entity affected by the major ICT-related incident assigned in accordance with the International Organisation for Standardisation.\n\nIn case of aggregated reporting:\n\n(a)\n\na list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon.\n\n(b)\n\nthe third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon.\n\nThe order of appearance of LEI codes and financial entities names shall be identical.\n\nYes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting\n\nYes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting\n\nYes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting\n\nUnique 20 alphanumeric character code, based on ISO 17442-1:2020\n\n1.7.\n\nPrimary contact person name\n\nName and surname of the primary contact person of the financial entity.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the name of the primary contact person in the entity submitting the aggregated report.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.8.\n\nPrimary contact person email\n\nEmail address of the primary contact person that can be used by the competent authority for follow-up communication.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the email of the primary contact person in the entity submitting the aggregated report.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.9.\n\nPrimary contact person telephone\n\nThe telephone number of the primary contact person that can be used by the competent authority for follow-up communication.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the telephone number of the primary contact person in the entity submitting the aggregated report.\n\nThe telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.10.\n\nSecond contact person name\n\nName and surname of the second contact person or the name of the responsible team of the financial entity or an entity submitting the report on behalf of the financial entity\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.11.\n\nSecond contact person email\n\nEmail address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.12.\n\nSecond contact person telephone\n\nThe telephone number of the second contact person, or of a team, that can be used by the competent authority for follow-up communication.\n\nThe telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n1.13.\n\nName of the ultimate parent undertaking\n\nName of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable.\n\nYes, if the FE belongs to a group\n\nYes, if the FE belongs to a group\n\nYes, if the FE belongs to a group\n\nAlphanumeric\n\n1.14.\n\nLEI code of the ultimate parent undertaking\n\nLEI of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable. Assigned in accordance with the International Organisation for Standardisation.\n\nYes, if the FE belongs to a group\n\nYes, if the FE belongs to a group\n\nYes, if the FE belongs to a group\n\nUnique 20 alphanumeric character code, based on ISO 17442-1:2020\n\n1.15.\n\nReporting currency\n\nCurrency used for the incident reporting\n\nYes\n\nYes\n\nYes\n\nChoice populated by using ISO 4217 currency codes\n\nContent of the initial notification\n\n2.1.\n\nIncident reference code assigned by the financial entity\n\nUnique reference code issued by the financial entity unequivocally identifying the major ICT-related incident.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the incident reference code assigned by the third-party provider.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n2.2.\n\nDate and time of detection of the ICT-related incident\n\nDate and time at which the financial entity has become aware of the ICT-related incident.\n\nFor recurring incidents, the date and the time at which the last ICT-related incident was detected.\n\nYes\n\nYes\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n2.3.\n\nDate and time of classification of the incident as major\n\nDate and time when the ICT-related incident was classified as major according to the classification criteria established in Delegated Regulation (EU) 2024/1772\n\nYes\n\nYes\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n2.4.\n\nDescription of the ICT-related incident\n\nDescription of the most relevant aspects of the major ICT-related incident.\n\nFinancial entities shall provide a high-level overview of the following information such as possible causes, immediate impacts, systems affected, and others. Financial entities, shall include, where known or reasonably expected, whether the incident impacts third-party providers or other financial entities, the type of provider or financial entity, their name, their respective identification codes and type of the identification code (e.g. LEI or EUID).\n\nIn subsequent reports, the field content can evolve over time to reflect the ongoing understanding of the ICT-related incident and describe any other relevant information about the ICT-related incident not captured by the data fields, including the internal severity assessment by the financial entity (e.g. very low, low, medium, high, very high) and an indication of the level and name of most senior decision structures that has been involved in response to the ICT-related incident.\n\nYes\n\nYes\n\nYes\n\nAlphanumeric\n\n2.5.\n\nClassification criteria that triggered the incident report\n\nClassification criteria under Delegated Regulation (EU) 2024/1772 that have triggered determination of the ICT-related incident as major and subsequent notification and reporting.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the classification criteria that have triggered determination of the ICT-related incident as major for at least one or more financial entities.\n\nYes\n\nYes\n\nYes\n\nChoice (multiple):\n\n—\n\nclients, financial counterparts and transactions affected;\n\n—\n\nreputational impact;\n\n—\n\nduration and service downtime;\n\n—\n\ngeographical spread;\n\n—\n\ndata losses;\n\n—\n\ncritical services affected;\n\n—\n\neconomic impact.\n\n2.6.\n\nMateriality thresholds for the classification criterion ‘Geographical spread’\n\nEEA Member States impacted by the major ICT-related incident\n\nWhen assessing the impact of the major ICT-related incident in other Member States, financial entities shall take into account Articles 4 and 12 of Delegated Regulation 2024/1772.\n\nYes, if ‘Geographical spread’ threshold is met\n\nYes, if ‘Geographical spread’ threshold is met\n\nYes, if ‘Geographical spread’ threshold is met\n\nChoice (multiple) populated by using ISO 3166 ALPHA-2 of the affected countries\n\n2.7.\n\nDiscovery of the major ICT-related incident\n\nIndication of how the major ICT-related incident has been discovered.\n\nYes\n\nYes\n\nYes\n\nChoice:\n\n—\n\nIT Security;\n\n—\n\nstaff;\n\n—\n\ninternal audit;\n\n—\n\nexternal audit;\n\n—\n\nclients;\n\n—\n\nfinancial counterparts;\n\n—\n\nthird-party provider;\n\n—\n\nattacker;\n\n—\n\nmonitoring systems;\n\n—\n\nauthority/agency/ law enforcement body;\n\n—\n\nother.\n\n2.8.\n\nIndication whether the incident originates from a third-party provider or another financial entity\n\nIndication whether the major ICT-related incident originates from a third-party provider or another financial entity.\n\nFinancial entities shall indicate whether the major ICT-related incident originates from a third-party provider or another financial entity (including financial entities belonging to the same group as the reporting entity) and the name, identification code of the third-party provider or financial entity and type of the identification code (e.g. LEI or EUID).\n\nYes, if the incident originates from a third-party provider or another financial entity\n\nYes, if the incident originates from a third-party provider or another financial entity\n\nYes, if the incident originates from a third-party provider or another financial entity\n\nAlphanumeric\n\n2.9.\n\nActivation of business continuity plan, if activated\n\nIndication of whether there has been a formal activation of the business continuity response measures of the financial entity.\n\nYes\n\nYes\n\nYes\n\nBoolean (Yes or No)\n\n2.10.\n\nOther relevant information\n\nAny further information not covered in the template.\n\nFinancial entities that have reclassified a major ICT-related incident as non-major shall describe the reasons why the ICT-related incident does not fulfil, and is not expected to fulfil, the criteria to be considered as a major ICT-related incident.\n\nYes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major.\n\nYes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major\n\nYes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major\n\nAlphanumeric\n\nContent of the intermediate report\n\n3.1.\n\nIncident reference code provided by the competent authority\n\nUnique reference code assigned by the competent authority at the time of receipt of the initial notification to unequivocally identify the major ICT-related incident.\n\nNo\n\nYes, if applicable\n\nYes, if applicable\n\nAlphanumeric\n\n3.2.\n\nDate and time of occurrence of the incident\n\nDate and time at which the major ICT-related incident has occurred, if different from the time the financial entity has become aware of the major ICT-related incident.\n\nFor recurring major ICT-related incidents, the date and the time at which the last major ICT-related incident has occurred.\n\nNo\n\nYes\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n3.3.\n\nDate and time when services, activities or operations have been recovered\n\nInformation on the date and time of the recovery of the services, activities or operations affected by the major ICT-related incident.\n\nNo\n\nYes, if data field 3.16. ‘Service downtime’ has been populated\n\nYes, if data field 3.16. ‘Service downtime’ has been populated\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n3.4.\n\nNumber of clients affected\n\nNumber of clients affected by the major ICT-related incident that use the service provided by the financial entity.\n\nWhen assessing the number of clients affected, financial entities shall take into account Articles 1(1) and 9(1), point (b), of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of clients impacted shall use estimates based on available data from comparable reference periods.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of clients affected across all financial entities.\n\nNo\n\nYes\n\nYes\n\nNumerical integer\n\n3.5.\n\nPercentage of clients affected\n\nPercentage of clients affected by the major ICT-related incident in relation to the total number of clients that make use of the affected service provided by the financial entity. In case of more than one service affected, the services shall be provided in an aggregated manner.\n\nFinancial entities shall take into account Article 1(1) and Article 9(1), point (a), of Delegated Regulation (EU) 2024/1772 in their assessment.\n\nA financial entity that cannot determine the actual percentage of clients impacted shall use estimates based on available data from comparable reference periods.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall divide the sum of all affected clients by the total number of clients of all impacted financial entities.\n\nNo\n\nYes\n\nYes\n\nExpressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up\n\n3.6.\n\nNumber of financial counterparts affected\n\nNumber of financial counterparts affected by the major ICT-related incident that have concluded a contract with the financial entity.\n\nWhen assessing the number of financial counterparts affected, financial entities shall take into account Article 1(2) of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of financial counterparts impacted shall use estimates based on available data from comparable reference periods.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of financial counterparts affected across all financial entities.\n\nNo\n\nYes\n\nYes\n\nNumerical integer\n\n3.7.\n\nPercentage of financial counterparts affected\n\nPercentage of financial counterparts affected by the major ICT-related incident in relation to the total number of financial counterparts that have concluded a contract with the financial entity.\n\nWhen assessing the percentage of financial counterparts affected, financial entities shall take into account Articles 1(1) and 9(1), point (c) of Delegated Regulation (EU) 2024/1772 in their assessment.\n\nA financial entity that cannot determine the actual percentage of financial counterparts impacted shall use estimates based on available data from comparable reference periods.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the sum of all affected financial counterparts divided by the total number of financial counterparts of all impacted financial entities.\n\nNo\n\nYes\n\nYes\n\nExpressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). 
If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up\n\n3.8.\n\nImpact on relevant clients or financial counterparts\n\nAny identified impact on relevant clients or financial counterpart as referred to in Article 1(3) and Article 9(1), point (f), of Delegated Regulation (EU) 2024/1772.\n\nNo\n\nYes, if ‘Relevance of clients and financial counterparts’ threshold is met\n\nYes, if ‘Relevance of clients and financial counterparts’ threshold is met\n\nBoolean (Yes or No)\n\n3.9.\n\nNumber of affected transactions\n\nNumber of transactions affected by the major ICT-related incident.\n\nWhen assessing the impact on transactions, financial entities shall take into account Article 1(4) of Delegated Regulation (EU) 2024/1772, including all affected domestic and cross-border transactions containing a monetary amount that have at least one part of the transaction carried out in the Union.\n\nA financial entity that cannot determine the actual number of transactions impacted shall use estimates based on available data from comparable reference periods.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the total number of transactions affected across all financial entities.\n\nNo\n\nYes, if any transaction has been affected by the incident\n\nYes, if any transaction has been affected by the incident\n\nNumerical integer\n\n3.10.\n\nPercentage of affected transactions\n\nPercentage of affected transactions in relation to the daily average number of domestic and cross-border transactions carried out by the financial entity related to the affected service.\n\nFinancial entities shall take into account Article 1(4) and Article 9(1), point (d), of Delegated Regulation (EU) 2024/1772.\n\nA financial entity that cannot determine the actual percentage of transactions impacted shall use estimates.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial 
entity shall sum the number of all affected transactions and divide the sum by the total number of transactions of all impacted financial entities.\n\nNo\n\nYes, if any transaction has been affected by the incident\n\nYes, if any transaction has been affected by the incident\n\nExpressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up\n\n3.11.\n\nValue of affected transactions\n\nTotal value of the transactions affected by the major ICT-related incident shall be assessed in accordance with Article 1(4) and Article 9(1), point (e) of Delegated Regulation (EU) 2024/1772.\n\nA financial entity that cannot determine the actual value of transactions impacted shall use estimates based on available data from comparable reference periods.\n\nA financial entity shall report the monetary amount as a positive value.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the total value of the transactions affected across all financial entities.\n\nNo\n\nYes, if any transactions have been affected by the incident\n\nYes, if any transaction has been affected by the incident\n\nMonetary\n\nFinancial entities shall report the data point in units using a minimum precision equivalent to thousands of units (e.g. 
2,5 instead of EUR 2 500 ).\n\n3.12.\n\nInformation on whether the numbers are actual or estimates, or whether there has not been any impact\n\nInformation on whether the values reported in the data fields 3.4 to 3.11 are actual or estimates, or whether there has not been any impact.\n\nNo\n\nYes\n\nYes\n\nChoice (multiple):\n\n—\n\nactual figures for clients affected;\n\n—\n\nactual figures for financial counterparts affected;\n\n—\n\nactual figures for transactions affected;\n\n—\n\nestimates for clients affected;\n\n—\n\nestimates for financial counterparts affected;\n\n—\n\nestimates for transactions affected;\n\n—\n\nno impact on clients;\n\n—\n\nno impact on financial counterparts;\n\n—\n\nno impact on transactions.\n\n3.13.\n\nReputational impact\n\nInformation about the reputational impact resulting from the major ICT-related incident as referred to in Articles 2 and 10 of Delegated Regulation (EU) 2024/1772.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the reputational impact categories that apply to at least one financial entity.\n\nNo\n\nYes, if ‘Reputational impact’ criterion met\n\nYes, if ‘Reputational impact’ criterion met\n\nChoice (multiple):\n\n—\n\nthe major ICT-related incident has been reflected in the media;\n\n—\n\nthe major ICT-related incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships\n\n—\n\nthe financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the major ICT-related incident;\n\n—\n\nthe financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the major ICT-related incident.\n\n3.14.\n\nContextual information about the reputational impact\n\nInformation describing how the major ICT-related incident has affected or could affect the reputation of the financial 
entity, including infringements of law, regulatory requirements not met, number of client complaints, and other.\n\nThe contextual information shall include the type of media (e.g. traditional and digital media, blogs, streaming platforms) and media coverage, including reach of the media (local, national, international). Media coverage in this context shall not mean a few negative comments by followers or users of social networks.\n\nThe financial entity shall also indicate whether the media coverage highlighted significant risks for its clients in relation to the major ICT-related incident, including the risk of the financial entity’s insolvency or the risk of losing funds.\n\nFinancial entities shall also indicate whether they have provided information to the media that served to reliably inform the public about the major ICT-related incident and its consequences.\n\nFinancial entities may also indicate whether there was false information in the media in relation to the ICT-related incident, including information based on deliberate misinformation spread by threat actors, or information relating to or illustrating defacement of the financial entity’s website.\n\nNo\n\nYes, if ‘Reputational impact’ criterion met.\n\nYes, if ‘Reputational impact’ criterion met.\n\nAlphanumeric\n\n3.15.\n\nDuration of the incident\n\nFinancial entities shall measure the duration of the major ICT-related incident from the moment the major ICT-related incident occurred until the moment the incident was resolved.\n\nFinancial entities that are unable to determine the moment when the major ICT-related incident has occurred shall measure the duration of the major ICT-related incident from the earlier between the moment the financial entity detected the incident and the moment when the financial entity recorded the incident in network or system logs or other data sources. 
Financial entities that do not yet know the moment when the major ICT-related incident will be resolved shall apply estimates. The value shall be expressed in days, hours, and minutes.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the major ICT-related incident in case of differences between financial entities.\n\nNo\n\nYes\n\nYes\n\nDD:HH:MM\n\n3.16.\n\nService downtime\n\nService downtime measured from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users, until the moment when regular activities or operations have been restored to the level of service that was provided prior to the major ICT-related incident.\n\nWhere the service downtime causes a delay in the provision of service after regular activities or operations have been restored, financial entities shall measure the downtime from the start of the major ICT-related incident until the moment when that delayed service is provided. 
Financial entities that are unable to determine the moment when the service downtime has started, shall measure the service downtime from the earlier between the moment the incident was detected and the moment when it has been recorded.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the service downtime in case of differences between financial entities.\n\nNo\n\nYes, if the incident has caused a service downtime\n\nYes, if the incident has caused a service downtime\n\nDD:HH:MM\n\n3.17.\n\nInformation on whether the numbers for duration and service downtime are actual or estimates\n\nInformation on whether the values reported in data fields 3.15 and 3.16 are actual or estimates.\n\nNo\n\nYes, if ‘Duration and service downtime’ criterion met\n\nYes, if ‘Duration and service downtime’ criterion met\n\nChoice:\n\n—\n\nActual figures;\n\n—\n\nEstimates;\n\n—\n\nActual figures and estimates;\n\n—\n\nNo information available.\n\n3.18.\n\nTypes of impact in the Member States\n\nType of impact in the respective EEA Member States.\n\nIndication of whether the major ICT-related incident has had an impact in other EEA Member States (other than the Member State of the competent authority to which the incident is directly reported), in accordance with Article 4 of Delegated Regulation (EU) 2024/1772, and in particular with regard to the significance of the impact in relation to:\n\n(a)\n\nclients and financial counterparts affected in other Member States; or\n\n(b)\n\nbranches or other financial entities within the group carrying out activities in other Member States; or\n\n(c)\n\nfinancial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services.\n\nNo\n\nYes, if ‘Geographical spread’ threshold is met\n\nYes, if ‘Geographical spread’ threshold is met\n\nChoice 
(multiple):\n\n—\n\nclients;\n\n—\n\nfinancial counterparts;\n\n—\n\nbranch of the financial entity;\n\n—\n\nfinancial entities within the group carrying out activities in the respective Member State;\n\n—\n\nfinancial market infrastructure;\n\n—\n\nthird-party providers that may be common to other financial entities.\n\n3.19.\n\nDescription of how the incident has an impact in other Member States\n\nDescription of the impact and severity of the major ICT-related incident in each affected Member State, including an assessment of the impact and severity on:\n\n(a)\n\nclients;\n\n(b)\n\nfinancial counterparts;\n\n(c)\n\nbranches of the financial entity;\n\n(d)\n\nother financial entities within the group carrying out activities in the respective Member State;\n\n(e)\n\nfinancial market infrastructures;\n\n(f)\n\nthird-party providers that may be common to other financial entities as applicable in other Member State(s).\n\nNo\n\nYes, if ‘Geographical spread’ threshold is met\n\nYes, if ‘Geographical spread’ threshold is met\n\nAlphanumeric\n\n3.20.\n\nMateriality thresholds for the classification criterion ‘Data losses’\n\nType of data losses that the major ICT-related incident entails in relation to availability, authenticity, integrity, and confidentiality of data.\n\nFinancial entities shall take into account Articles 5 and 13 of Delegated Regulation (EU) 2024/1772 in their assessment.\n\nIn case of aggregated reporting as referred to in Article 7 of this Regulation, the data losses affecting at least one financial entity.\n\nNo\n\nYes, if ‘Data losses’ criterion is met\n\nYes, if ‘Data losses’ criterion is met\n\nChoice (multiple):\n\n—\n\navailability;\n\n—\n\nauthenticity;\n\n—\n\nintegrity;\n\n—\n\nconfidentiality.\n\n3.21.\n\nDescription of the data losses\n\nDescription of the impact of the major ICT-related incident on availability, authenticity, integrity, and confidentiality of critical data in accordance with Articles 5 and 13 of Delegated Regulation (EU) 
2024/1772.\n\nInformation about the impact on the implementation of the business objectives of the financial entity or on meeting regulatory requirements.\n\nAs part of the information provided, financial entities shall indicate whether the data affected are client data, other entities’ data (e.g. financial counterparts), or data of the financial entity itself.\n\nThe financial entity may also indicate the type of data involved in the incident – in particular, whether the data is confidential and what type of confidentiality was involved (e.g. commercial/business confidentiality, personal data, professional secrecy: banking secrecy, insurance secrecy, payment services secrecy, etc.).\n\nThe information may also include possible risks associated with the data losses, such as whether the data affected by the incident can be used to identify individuals and could be used by the threat actor to obtain credit or loans without their consent, to conduct spear phishing attacks, to disclose information publicly.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, a general description of the impact of the incident on the affected financial entities. 
Where there are differences of the impact, the description of the impact shall clearly indicate the specific impact on the different financial entities.\n\nNo\n\nYes, if ‘Data losses’ criterion is met\n\nYes, if ‘Data losses’ criterion is met\n\nAlphanumeric\n\n3.22.\n\nClassification criterion ‘Critical services affected’\n\nInformation related to the criterion ‘Critical services affected’.\n\nFinancial entities shall take into account Article 6 of Delegated Regulation (EU) 2024/1772 in their assessment, including information about:\n\n—\n\nthe affected services or activities that require authorisation, registration or that are supervised by competent authorities; or\n\n—\n\nthe ICT services or network and information systems that support critical or important functions of the financial entity; and\n\n—\n\nthe nature of the malicious and unauthorised access to the network and information systems of the financial entity.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the impact on critical services that apply to at least one financial entity.\n\nNo\n\nYes\n\nYes\n\nAlphanumeric\n\n3.23.\n\nType of the incident\n\nClassification of incidents by type.\n\nNo\n\nYes\n\nYes\n\nChoice (multiple):\n\n—\n\nCybersecurity-related;\n\n—\n\nProcess failure;\n\n—\n\nSystem failure;\n\n—\n\nExternal event;\n\n—\n\nPayment-related;\n\n—\n\nOther (please specify).\n\n3.24.\n\nOther types of incidents\n\nOther types of ICT-related incidents: financial entities that have selected ‘other’ type of incidents in the data field 3.23, shall specify the type of ICT-related incident.\n\nNo\n\nYes, if ‘other’ type of incidents is selected in data field 3.23\n\nYes, if ‘other’ type of incidents is selected in data field 3.23\n\nAlphanumeric\n\n3.25.\n\nThreats and techniques used by the threat actor\n\nIndicate the threats and techniques used by the threat actor, including:\n\n(a)\n\nsocial engineering, including 
phishing;\n\n(b)\n\n(D)DoS;\n\n(c)\n\nidentity theft;\n\n(d)\n\ndata encryption for impact, including ransomware;\n\n(e)\n\nresource hijacking;\n\n(f)\n\ndata exfiltration and manipulation, excluding identity theft;\n\n(g)\n\ndata destruction;\n\n(h)\n\ndefacement;\n\n(i)\n\nsupply-chain attack;\n\n(j)\n\nother (please specify).\n\nNo\n\nYes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23\n\nYes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23\n\nChoice (multiple):\n\n—\n\nSocial engineering (including phishing);\n\n—\n\n(D)DoS;\n\n—\n\nIdentity theft;\n\n—\n\nData encryption for impact, including ransomware;\n\n—\n\nResource hijacking;\n\n—\n\nData exfiltration and manipulation, including identity theft;\n\n—\n\nData destruction;\n\n—\n\nDefacement;\n\n—\n\nSupply-chain attack;\n\n—\n\nOther (please specify).\n\n3.26.\n\nOther types of techniques\n\nOther types of techniques\n\nFinancial entities that have selected ‘other’ type of techniques in data field 3.25 shall specify the type of technique.\n\nNo\n\nYes, if ‘other’ type of techniques is selected in data field 3.25\n\nYes, if ‘other’ type of techniques is selected in data field 3.25\n\nAlphanumeric\n\n3.27.\n\nInformation about affected functional areas and business processes\n\nIndication of the functional areas and business processes that are affected by the incident, including products and services.\n\nThe functional areas shall include but are not limited to:\n\n(a)\n\nmarketing and business development;\n\n(b)\n\ncustomer service;\n\n(c)\n\nproduct management;\n\n(d)\n\nregulatory compliance;\n\n(e)\n\nrisk management;\n\n(f)\n\nfinance and accounting;\n\n(g)\n\nHR and general services;\n\n(h)\n\ninformation technology.\n\nThe business processes shall include but are not limited to:\n\n—\n\naccount information;\n\n—\n\nactuarial services;\n\n—\n\nacquiring of payment 
transactions;\n\n—\n\nauthentication/authorization;\n\n—\n\nauthority;\n\n—\n\nclient on-boarding;\n\n—\n\nbenefit administration;\n\n—\n\nbenefit payment management;\n\n—\n\nbuying and selling packaged insurances policies between insurances;\n\n—\n\ncard payments;\n\n—\n\ncash management;\n\n—\n\ncash placement or withdrawals;\n\n—\n\ninsurance claim management;\n\n—\n\nclaim process insurance;\n\n—\n\nclearing;\n\n—\n\ncorporate loans conglomerates;\n\n—\n\ncollective insurances;\n\n—\n\ncredit transfers;\n\n—\n\ncustody and asset safekeeping;\n\n—\n\ncustomer onboarding;\n\n—\n\ndata ingestion;\n\n—\n\ndata processing;\n\n—\n\ndirect debits;\n\n—\n\nexport insurances;\n\n—\n\nfinalizing trades/deals;\n\n—\n\nfinancial instruments placing;\n\n—\n\nfund accounting;\n\n—\n\nFX money;\n\n—\n\ninvestment advice;\n\n—\n\ninvestment management;\n\n—\n\nissuing of payment instruments;\n\n—\n\nlending management;\n\n—\n\nlife insurance payments process;\n\n—\n\nmoney remittance;\n\n—\n\nnet asset calculation;\n\n—\n\norder;\n\n—\n\npayment initiation;\n\n—\n\ninsurance underwriting;\n\n—\n\nportfolio management;\n\n—\n\npremium collection;\n\n—\n\nreception/transmission/execution;\n\n—\n\nreinsurance;\n\n—\n\nsettlement;\n\n—\n\ntransaction monitoring.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, the affected functional areas and business processes in at least one financial entity.\n\nNo\n\nYes\n\nYes\n\nAlphanumeric\n\n3.28.\n\nAffected infrastructure components supporting business processes\n\nInformation on whether infrastructure components (servers, operating systems, software, application servers, middleware, network components, others) supporting business processes have been affected by the major ICT-related incident.\n\nNo\n\nYes\n\nYes\n\nChoice:\n\n—\n\nYes;\n\n—\n\nNo;\n\n—\n\nInformation not available.\n\n3.29.\n\nInformation about affected infrastructure components supporting business processes\n\nDescription on the 
impact of the major ICT-related incident on infrastructure components supporting business processes including hardware and software.\n\nHardware includes servers, computers, data centres, switches, routers, hubs. Software includes operating systems, applications, databases, security tools, network components, others please specify. The descriptions shall describe or name affected infrastructure components or systems, and, where available:\n\n(a)\n\nversion information;\n\n(b)\n\ninternal infrastructure/partially outsourced/fully outsourced – third-party provider name;\n\n(c)\n\nwhether the infrastructure is used or shared across multiple business functions;\n\n(d)\n\nrelevant resilience/continuity/recovery/ substitutability arrangements in place.\n\nNo\n\nYes, if the incident has affected infrastructure components supporting business processes\n\nYes, if the incident has affected infrastructure components supporting business processes\n\nAlphanumeric\n\n3.30.\n\nImpact on the financial interest of clients\n\nInformation on whether the major ICT-related incident has impacted the financial interest of clients.\n\nNo\n\nYes\n\nYes\n\nChoice:\n\n—\n\nYes;\n\n—\n\nNo;\n\n—\n\nInformation not available.\n\n3.31.\n\nReporting to other authorities\n\nSpecification of which authorities were informed about the major ICT-related incident.\n\nTaking into account the differences resulting from the national legislation of the Member States, the concept of law enforcement authorities shall be understood by financial entities broadly to include public authorities empowered to prosecute cybercrime, including police, law enforcement agencies, and public prosecutors.\n\nNo\n\nYes\n\nYes\n\nChoice (multiple):\n\n—\n\nPolice/Law Enforcement;\n\n—\n\nCSIRT;\n\n—\n\nData Protection Authority;\n\n—\n\nNational Cybersecurity Agency;\n\n—\n\nNone;\n\n—\n\nOther (please specify).\n\n3.32.\n\nSpecification of ‘other’ authorities\n\nSpecification of ‘other’ types of authorities informed about 
the major ICT-related incident.\n\nIf selected in Data field 3.31 ‘Other’, the description shall include more detailed information about the authority to which the financial entity has submitted information about the major ICT-related incident.\n\nNo\n\nYes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident.\n\nYes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident\n\nAlphanumeric\n\n3.33.\n\nTemporary actions/measures taken or planned to be taken to recover from the incident\n\nIndication of whether the financial entity has implemented (or plans to implement) any temporary actions that have been taken (or planned to be taken) to recover from the major ICT-related incident.\n\nNo\n\nYes\n\nYes\n\nBoolean (Yes or No)\n\n3.34.\n\nDescription of any temporary actions and measures taken or planned to be taken to recover from the incident\n\nThe information shall describe the immediate actions taken, including the isolation of the incident at the network level, workaround procedures activated, USB ports blocked, Disaster Recovery site activated, any other additional security controls temporarily put in place.\n\nFinancial entities shall indicate the date and the time of the implementation of the temporary actions and the expected date of return to the primary site. 
For any temporary actions that have not been implemented but are still planned, indication of the date by when their implementation is expected.\n\nIf no temporary actions/measures have been taken, please indicate the reason.\n\nNo\n\nYes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)\n\nYes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)\n\nAlphanumeric\n\n3.35.\n\nIndicators of compromise\n\nInformation related to the major ICT-related incident that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.\n\nThe field applies only to those financial entities that fall within the scope of Directive (EU) 2022/2555 of the European Parliament and of the Council (1) and those financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, where relevant.\n\nThe IoC provided by the financial entity shall include the following categories of data:\n\n(a)\n\nIP addresses;\n\n(b)\n\nURL addresses;\n\n(c)\n\ndomains;\n\n(d)\n\nfile hashes;\n\n(e)\n\nmalware data (malware name, file names and their locations, specific registry keys associated with malware activity);\n\n(f)\n\nnetwork activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);\n\n(g)\n\nemail message data (sender, recipient, subject, header, content);\n\n(h)\n\nDNS requests and registry configurations;\n\n(i)\n\nuser account activities (logins, privileged user account activity, privilege escalation);\n\n(j)\n\ndatabase traffic (read/write), requests to the same file.\n\nIn practice, this type of information may include data relating to, inter alia, indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines 
infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits.\n\nNo\n\nYes, if cybersecurity-related is selected as a type of incident in data field 3.23\n\nYes, if cybersecurity-related is selected as a type of incident in data field 3.23\n\nAlphanumeric\n\nContent of the final report\n\n4.1.\n\nHigh-level classification of root causes of the incident\n\nHigh-level classification of root cause of the major ICT-related incident under the incident types, including the following high-level categories:\n\n(a)\n\nmalicious actions;\n\n(b)\n\nprocess failure;\n\n(c)\n\nsystem failure/malfunction;\n\n(d)\n\nhuman error;\n\n(e)\n\nexternal event.\n\nNo\n\nNo\n\nYes\n\nChoice (multiple):\n\n—\n\nmalicious actions;\n\n—\n\nprocess failure;\n\n—\n\nsystem failure / malfunction;\n\n—\n\nhuman error;\n\n—\n\nexternal event.\n\n4.2.\n\nDetailed classification of root causes of the incident\n\nDetailed classification of root causes of the major ICT-related incident under the incident types, including the following detailed categories linked to the high-level categories that are reported in data field 4.1:\n\n1.\n\nMalicious actions (if selected, choose one or more the following):\n\n(a)\n\ndeliberate internal actions;\n\n(b)\n\ndeliberate physical damage/manipulation/theft;\n\n(c)\n\nfraudulent actions.\n\n2.\n\nProcess failure (if selected, choose one or more the following):\n\n(a)\n\ninsufficient monitoring or failure of monitoring and control;\n\n(b)\n\ninsufficient/unclear roles and responsibilities;\n\n(c)\n\nICT risk management process failure;\n\n(d)\n\ninsufficient or failure of ICT operations and ICT security operations;\n\n(e)\n\ninsufficient or failure of ICT project management;\n\n(f)\n\ninadequate internal policies, procedures and documentation;\n\n(g)\n\ninadequate ICT systems acquisition, development, or 
maintenance;\n\n(h)\n\nother (please specify).\n\n3.\n\nSystem failure/malfunction (if selected, choose one or more the following):\n\n(a)\n\nhardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;\n\n(b)\n\nhardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;\n\n(c)\n\nhardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;\n\n(d)\n\nsoftware compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;\n\n(e)\n\nsoftware performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;\n\n(f)\n\nnetwork configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;\n\n(g)\n\nphysical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;\n\n(h)\n\nother (please specify).\n\n4.\n\nHuman error (if selected, choose one or more the 
following):\n\n(a)\n\nomission (unintentional);\n\n(b)\n\nmistake;\n\n(c)\n\nskills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;\n\n(d)\n\ninadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;\n\n(e)\n\nmiscommunication;\n\n(f)\n\nother (please specify).\n\n5.\n\nExternal event (if selected, choose one or more the following):\n\n(a)\n\nnatural disasters/force majeure;\n\n(b)\n\nthird-party failures;\n\n(c)\n\nother (please specify).\n\nFinancial entities shall consider that for recurring major ICT-related incidents, the specific apparent root cause of the incident is taken into account and not the broad categories included in this field.\n\nNo\n\nNo\n\nYes\n\nChoice (multiple):\n\n—\n\nmalicious actions: deliberate internal actions;\n\n—\n\nmalicious actions: deliberate physical damage/manipulation/theft;\n\n—\n\nmalicious actions: fraudulent actions;\n\n—\n\nprocess failure: insufficient monitoring or failure of monitoring and control;\n\n—\n\nprocess failure: insufficient/unclear roles and responsibilities;\n\n—\n\nprocess failure: ICT risk management process failure;\n\n—\n\nprocess failure: insufficient or failure of ICT operations and ICT security operations;\n\n—\n\nprocess failure: insufficient or failure of ICT project management;\n\n—\n\nprocess failure: inadequacy of internal policies, procedures and documentation;\n\n—\n\nProcess failure: inadequate ICT systems acquisition, development, and maintenance;\n\n—\n\nprocess failure: other (please specify);\n\n—\n\nsystem failure: 
hardware capacity and performance;\n\n—\n\nsystem failure: hardware maintenance;\n\n—\n\nsystem failure: hardware obsolescence/ageing;\n\n—\n\nsystem failure: software compatibility/configuration;\n\n—\n\nsystem failure: software performance;\n\n—\n\nsystem failure: network configuration;\n\n—\n\nsystem failure: physical damage;\n\n—\n\nsystem failure: other (please specify);\n\n—\n\nhuman error: omission;\n\n—\n\nhuman error: mistake;\n\n—\n\nhuman error: skills & knowledge;\n\n—\n\nhuman error: inadequate human resources;\n\n—\n\nhuman error miscommunication;\n\n—\n\nhuman error: other (please specify);\n\n—\n\nexternal event: natural disasters/force majeure;\n\n—\n\nexternal event: third-party failures;\n\n—\n\nexternal event: other (please specify).\n\n4.3.\n\nAdditional classification of root causes of the incident\n\nAdditional classification of root causes of the major ICT-related incident under the incident type, including the following additional classification categories linked to the detailed categories that are to be reported in data field 4.2.\n\nThe field is mandatory for the final report if specific categories that require further granularity are reported in data field 4.2.\n\n2(a)\n\nInsufficient or failure of monitoring and control:\n\n(a)\n\nmonitoring of policy adherence;\n\n(b)\n\nmonitoring of third-party service providers;\n\n(c)\n\nmonitoring and verification of remediation of vulnerabilities;\n\n(d)\n\nidentity and access management;\n\n(e)\n\nencryption and cryptography;\n\n(f)\n\nlogging.\n\n2(c)\n\nICT risk management process failure:\n\n(a)\n\nfailure in specifying accurate risk tolerance levels;\n\n(b)\n\ninsufficient vulnerability and threat assessments;\n\n(c)\n\ninadequate risk treatment measures;\n\n(d)\n\npoor management of residual ICT risks.\n\n2(d)\n\nInsufficient or failure of ICT operations and ICT security operations:\n\n(a)\n\nvulnerability and patch management;\n\n(b)\n\nchange management;\n\n(c)\n\ncapacity and performance 
management;\n\n(d)\n\nICT asset management and information classification;\n\n(e)\n\nbackup and restore;\n\n(f)\n\nerror handling.\n\n2(g)\n\nInadequate ICT Systems acquisition, development, and maintenance:\n\n(a)\n\ninadequate ICT Systems acquisition, development, and maintenance;\n\n(b)\n\ninsufficient software testing or failure of software testing.\n\nNo\n\nNo\n\nYes\n\nChoice (multiple):\n\n—\n\nmonitoring of policy adherence;\n\n—\n\nmonitoring of third-party service providers;\n\n—\n\nmonitoring and verification of remediation of vulnerabilities;\n\n—\n\nidentity and access management;\n\n—\n\nencryption and cryptography;\n\n—\n\nlogging;\n\n—\n\nfailure in specifying accurate risk tolerance levels;\n\n—\n\ninsufficient vulnerability and threat assessments;\n\n—\n\ninadequate risk treatment measures;\n\n—\n\npoor management of residual ICT risks;\n\n—\n\nvulnerability and patch management;\n\n—\n\nchange management;\n\n—\n\ncapacity and performance management;\n\n—\n\nICT asset management and information classification;\n\n—\n\nbackup and restore;\n\n—\n\nerror handling;\n\n—\n\ninadequate ICT systems acquisition, development, and maintenance;\n\n—\n\ninsufficient or failure of software testing.\n\n4.4.\n\nOther types of root cause types\n\nFinancial entities that have selected ‘other’ type of root cause in data field 4.2 shall specify other types of root cause types\n\nNo\n\nNo\n\nYes, if ‘other’ type of root causes is selected in data field 4.2.\n\nAlphanumeric\n\n4.5.\n\nInformation about the root causes of the incident\n\nDescription of the sequence of events that led to the major ICT-related incident and description of how the major ICT-related incident has a similar apparent root cause if that incident is classified as a recurring incident, including a concise description of all underlying reasons and primary factors that contributed to the occurrence of the major ICT-related incident.\n\nWhere there were malicious actions, description of the modus 
operandi of the malicious action, including the tactics, techniques and procedures used, as well as the entry vector of the major ICT-related incident, including a description of the investigations and analysis that led to the identification of the root causes, if applicable.\n\nNo\n\nNo\n\nYes\n\nAlphanumeric\n\n4.6.\n\nIncident resolution\n\nAdditional information regarding the actions/measures taken/planned to permanently resolve the major ICT-related incident and to prevent that incident from happening again.\n\nLessons learnt from the major ICT-related incident.\n\nThe description shall contain the following points:\n\n1.\n\nResolution actions description\n\n(a)\n\nActions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);\n\n(b)\n\nfor each action taken, indicate the potential involvement of a third-party provider and of the financial entity;\n\n(c)\n\nindicate whether procedures have been adapted following the major ICT-related incident;\n\n(d)\n\nindicate any additional controls that were put in place or that are planned with related implementation timeline.\n\nPotential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.\n\nFinancial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently.\n\n2.\n\nLessons learnt\n\nFinancial entities shall describe findings from the post-incident review.\n\nNo\n\nNo\n\nYes\n\nAlphanumeric\n\n4.7.\n\nDate and time when the incident root cause was addressed\n\nDate and time when the incident root cause was addressed.\n\nNo\n\nNo\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n4.8.\n\nDate and time when the incident was resolved\n\nDate and time when the incident was resolved.\n\nNo\n\nNo\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: 
mm:ss)\n\n4.9.\n\nInformation if the permanent resolution date of the incidents differs from the initially planned implementation date\n\nDescriptions of the reason why the permanent resolution date of the major ICT-related incidents is different from the initially planned implementation date, where applicable.\n\nNo\n\nNo\n\nYes\n\nAlphanumeric\n\n4.10.\n\nAssessment of risk to critical functions for resolution purposes\n\nAssessment of whether the major ICT-related incident poses a risk to critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council (2).\n\nEntities as referred to in Article 1(1) of Directive 2014/59/EU shall indicate whether the incident poses a risk to the critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU, and as reported in Template Z07.01 of Commission Implementing Regulation (EU) 2018/1624 (3) and mapped to the specific entity in Template Z07.02.\n\nNo\n\nNo\n\nYes, if the incident poses a risk to critical functions of financial entities under Article 2(1), point 35, of Directive 2014/59/EU\n\nAlphanumeric\n\n4.11.\n\nInformation relevant for resolution authorities\n\nDescription of whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.\n\nEntities as referred to in Article 1(1) of Directive 2014/59/EU shall provide information on whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.\n\nThose entities shall also indicate whether the major ICT-related incident affects the solvency or liquidity of the financial entity and the potential quantification of the impact.\n\nThose entities shall also provide information on the impact on operational continuity, impact on resolvability of the entity, any additional impact on the costs and losses from the major ICT-related incident, including on the financial entity’s 
capital position, and whether the contractual arrangements on the use of ICT services are still robust and fully enforceable in the event of resolution of the entity.\n\nNo\n\nNo\n\nYes, if the incident has affected the resolvability of the entity or the group\n\nAlphanumeric\n\n4.12.\n\nMateriality threshold for the classification criterion ‘Economic impact’\n\nDetailed information about thresholds eventually reached by the major ICT-related incident in relation to the criterion ‘Economic impact’ referred to in Articles 7 and 14 of the Delegated Regulation (EU) 2024/1772.\n\nNo\n\nNo\n\nYes\n\nAlphanumeric\n\n4.13.\n\nAmount of gross direct and indirect costs and losses\n\nTotal amount of gross direct and indirect costs and losses incurred by the financial entity stemming from the major ICT-related incident, including:\n\n(a)\n\nthe amount of expropriated funds or financial assets for which the financial entity is liable;\n\n(b)\n\nthe amount of replacement or relocation costs of software, hardware or infrastructure;\n\n(c)\n\nthe amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff;\n\n(d)\n\nthe amount of fees due to non-compliance with contractual obligations;\n\n(e)\n\nthe amount of customer redress and compensation costs;\n\n(f)\n\nthe amount of losses due to forgone revenues;\n\n(g)\n\nthe amount of costs associated with internal and external communication;\n\n(h)\n\nthe amount of advisory costs, including costs associated with legal counselling, forensic and remediation services;\n\n(i)\n\nthe amount other costs and losses, including:\n\n(i)\n\ndirect charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;\n\n(ii)\n\nprovisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related 
incident;\n\n(iii)\n\npending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;\n\n(iv)\n\nmaterial uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;\n\n(v)\n\ntiming losses, where they span more than one financial accounting year and give rise to legal risk.\n\nFinancial entities shall take into account in their assessment Article 7(1) and (2) of Delegated Regulation (EU) 2024/1772. Financial entities shall not include in this figure financial recoveries of any type.\n\nFinancial entities shall report the monetary amount as a positive value.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of costs and losses across all financial entities.\n\nFinancial entities shall report the data point in units using a minimum precision equivalent to thousands of units.\n\nNo\n\nNo\n\nYes\n\nMonetary\n\n4.14.\n\nAmount of financial recoveries\n\nTotal amount of financial recoveries.\n\nFinancial recoveries shall relate to the original loss caused by the incident, independently from the time when the financial recoveries in the form of funds or inflows of economic benefits are received.\n\nFinancial entities shall report the monetary amount as a positive value.\n\nIn the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of financial recoveries across all financial 
entities.\n\nNo\n\nNo\n\nYes\n\nMonetary\n\nFinancial entities shall report the data point in units using a minimum precision equivalent to thousands of units\n\n4.15.\n\nInformation on whether the non-major incidents have been recurring\n\nInformation on whether more than one non-major ICT-related incident have been recurring and are together considered to be a major incident within the meaning of Article 8(2) of Delegated Regulation (EU) 2024/1772.\n\nFinancial entities shall indicate whether the non-major ICT-related incidents have been recurring and are together considered as one major ICT-related incident.\n\nFinancial entities shall also indicate the number of occurrences of these non-major ICT-related incidents.\n\nNo\n\nNo\n\nYes, if the major incident comprises more than one non-major recurring incidents.\n\nAlphanumeric\n\n4.16.\n\nDate and time of occurrence of recurring incidents\n\nWhere financial entities report recurring ICT-related incidents, date and time at which the first ICT-related incident has occurred.\n\nNo\n\nNo\n\nYes, for recurring incidents\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n(1) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, http://data.europa.eu/eli/dir/2022/2555/oj).\n\n(2) Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 
190, http://data.europa.eu/eli/dir/2014/59/oj).\n\n(3) Commission Implementing Regulation (EU) 2018/1624 of 23 October 2018 laying down implementing technical standards with regard to procedures and standard forms and templates for the provision of information for the purposes of resolution plans for credit institutions and investment firms pursuant to Directive 2014/59/EU of the European Parliament and of the Council, and repealing Commission Implementing Regulation (EU) 2016/1066 (OJ L 277, 7.11.2018, p. 1, http://data.europa.eu/eli/reg_impl/2018/1624/oj).\n\nANNEX III\n\nTEMPLATES FOR NOTIFICATION OF SIGNIFICANT CYBER THREATS\n\nNumber of field\n\nData field\n\n1\n\nName of the entity submitting the notification\n\n2\n\nIdentification code of the entity submitting the notification\n\n3\n\nType of the financial entity submitting the notification\n\n4\n\nName of the financial entity\n\n5\n\nLEI code of the financial entity\n\n6\n\nPrimary contact person name\n\n7\n\nPrimary contact person email\n\n8\n\nPrimary contact person telephone\n\n9\n\nSecond contact person name\n\n10\n\nSecond contact person email\n\n11\n\nSecond contact person telephone\n\n12\n\nDate and time of detection of the cyber threat\n\n13\n\nDescription of the significant cyber threat\n\n14\n\nInformation about potential impact\n\n15\n\nPotential incident classification criteria\n\n16\n\nStatus of the cyber threat\n\n17\n\nActions taken to prevent materialisation\n\n18\n\nNotification to other stakeholders\n\n19\n\nIndicators of compromise\n\n20\n\nOther relevant information\n\nANNEX IV\n\nDATA GLOSSARY AND INSTRUCTIONS FOR NOTIFICATION OF SIGNIFICANT CYBER THREATS\n\nData field\n\nDescription\n\nMandatory field\n\nField type\n\n1.\n\nName of the entity submitting the notification\n\nFull legal name of the entity submitting the notification.\n\nYes\n\nAlphanumeric\n\n2.\n\nIdentification code of the entity submitting the notification\n\nIdentification code of the entity submitting the 
notification.\n\nWhere financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.\n\nWhere a third-party provider submits a report for a financial entity, it may use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.\n\nYes\n\nAlphanumeric\n\n3.\n\nType of financial entity submitting the report\n\nType of the entity referred to in Article 2(1), points (a) to (t) of Regulation (EU) 2022/2554 submitting the report.\n\nYes, if the report is not provided by the affected financial entity directly.\n\nChoice (multiselect):\n\n—\n\ncredit institution;\n\n—\n\npayment institution;\n\n—\n\nexempted payment institution;\n\n—\n\naccount information service provider;\n\n—\n\nelectronic money institution;\n\n—\n\nexempted electronic money institution;\n\n—\n\ninvestment firm;\n\n—\n\ncrypto-asset service provider;\n\n—\n\nissuer of asset-referenced tokens;\n\n—\n\ncentral securities depository;\n\n—\n\ncentral counterparty;\n\n—\n\ntrading venue;\n\n—\n\ntrade repository;\n\n—\n\nmanager of alternative investment fund;\n\n—\n\nmanagement company;\n\n—\n\ndata reporting service provider;\n\n—\n\ninsurance and reinsurance undertaking;\n\n—\n\ninsurance intermediary, reinsurance intermediary and ancillary insurance intermediary;\n\n—\n\ninstitution for occupational retirement provision;\n\n—\n\ncredit rating agency;\n\n—\n\nadministrator of critical benchmarks;\n\n—\n\ncrowdfunding service provider;\n\n—\n\nsecuritisation repository.\n\n4.\n\nName of the financial entity\n\nFull legal name of the financial entity notifying the significant cyber threat.\n\nYes, if the financial entity is different from the entity submitting the notification\n\nAlphanumeric\n\n5.\n\nLEI code of the financial entity\n\nLegal Entity Identifier (LEI) of the financial entity 
notifying the significant cyber threat, assigned in accordance with the International Organisation for Standardisation.\n\nYes, if the financial entity notifying the significant cyber threat is different from the entity submitting the report\n\nUnique alphanumeric 20 character code, based on ISO 17442-1:2020\n\n6.\n\nPrimary contact person name\n\nName and surname of the primary contact person of the financial entity.\n\nYes\n\nAlphanumeric\n\n7.\n\nPrimary contact person email\n\nEmail address of the primary contact person that can be used by the competent authority for follow-up communication.\n\nYes\n\nAlphanumeric\n\n8.\n\nPrimary contact person telephone\n\nThe telephone number of the primary contact person that can be used by the competent authority for follow-up communication.\n\nThe telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)\n\nYes\n\nAlphanumeric\n\n9.\n\nSecond contact person name\n\nName and surname of the second contact person of the financial entity or an entity submitting the notification on behalf of the financial entity, where available.\n\nYes, if name and surname of the second contact person of the financial entity or an entity submitting the notification for the financial entity is available\n\nAlphanumeric\n\n10.\n\nSecond contact person email\n\nEmail address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication, where available.\n\nYes, if email address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication is available\n\nAlphanumeric\n\n11.\n\nSecond contact person telephone\n\nThe telephone number of the second contact person that can be used by the competent authority for follow-up communication, where available.\n\nThe telephone number shall be reported with all international prefixes (e.g. 
+33XXXXXXXXX).\n\nYes, if the telephone number of the second contact person that can be used by the competent authority for follow-up communication is available\n\nAlphanumeric\n\n12.\n\nDate and time of detection of the cyber threat\n\nDate and time at which the financial entity has become aware of the significant cyber threat.\n\nYes\n\nISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)\n\n13.\n\nDescription of the significant cyber threat\n\nDescription of the most relevant aspects of the significant cyber threat.\n\nFinancial entities shall provide:\n\n(a)\n\na high-level overview of the most relevant aspects of the significant cyber threat;\n\n(b)\n\nthe related risks arising from it, including potential vulnerabilities of the systems of the financial entity that can be exploited;\n\n(c)\n\ninformation about the probability of materialisation of the significant cyber threat; and\n\n(d)\n\ninformation about the source of information about the cyber threat.\n\nYes\n\nAlphanumeric\n\n14.\n\nInformation about potential impact\n\nInformation about the potential impact of the cyber threat on the financial entity, its clients or financial counterparts if the cyber threat has materialised\n\nYes\n\nAlphanumeric\n\n15.\n\nPotential incident classification criteria\n\nThe classification criteria that could have triggered a major incident report if the cyber threat had materialised.\n\nYes\n\nChoice (multiple):\n\n—\n\nclients, financial counterparts and transactions affected;\n\n—\n\nreputational impact;\n\n—\n\nduration and service downtime;\n\n—\n\ngeographical spread;\n\n—\n\ndata losses;\n\n—\n\ncritical services affected;\n\n—\n\neconomic impact.\n\n16.\n\nStatus of the cyber threat\n\nInformation about the status of the cyber threat for the financial entity and whether there have been any changes in the threat activity.\n\nWhere the cyber threat has stopped communicating with the financial entity’s information systems, the status can be marked as inactive. 
If the financial entity has information that the threat remains active against other parties or the financial system as a whole, the status shall be marked as active.\n\nYes\n\nChoice:\n\n—\n\nactive;\n\n—\n\ninactive.\n\n17.\n\nActions taken to prevent materialisation\n\nHigh-level information about the actions taken by the financial entity to prevent the materialisation of the significant cyber threats, if applicable.\n\nYes\n\nAlphanumeric\n\n18.\n\nNotification to other stakeholders\n\nInformation about notification of the cyber threat to other financial entities or authorities.\n\nYes, if other financial entities or authorities have been informed about the cyber threat)\n\nAlphanumeric\n\n19.\n\nIndicators of compromise\n\nInformation related to the significant threat that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.\n\nThe IoC provided by the financial entity may include, but is not to be limited to, the following categories of data:\n\n(a)\n\nIP addresses;\n\n(b)\n\nURL addresses;\n\n(c)\n\ndomains;\n\n(d)\n\nfile hashes;\n\n(e)\n\nmalware data (malware name, file names and their locations, specific registry keys associated with malware activity);\n\n(f)\n\nnetwork activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);\n\n(g)\n\nemail message data (sender, recipient, subject, header, content);\n\n(h)\n\nDNS requests and registry configurations;\n\n(i)\n\nuser account activities (logins, privileged user account activity, privilege escalation);\n\n(j)\n\ndatabase traffic (read/write), requests to the same file.\n\nThis type of information may include data relating to indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually 
domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits.\n\nYes, if information about indicators of compromise connected with the cyber threat are available)\n\nAlphanumeric\n\n20.\n\nOther relevant information\n\nAny other relevant information about the significant cyber threat\n\nYes, if applicable and if there is other information available, not covered in the template\n\nAlphanumeric\n\nELI: http://data.europa.eu/eli/reg_impl/2025/302/oj\n\nISSN 1977-0677 (electronic edition)"
}
],
"definitions": [],
"recitals": [
{
"recital_number": 1,
"text": "To ensure that financial entities report major incidents to their competent authorities in a consistent manner and to ensure that they provide those authorities with data of good quality, it should be specified which data fields financial entities need to provide at the various stages of the reporting referred to in Article 19(4) of Regulation (EU) 2022/2554. It is important that that information is presented in a way that allows for a single overview of the incident. It is therefore necessary to lay down a single reporting template for those purposes."
},
{
"recital_number": 2,
"text": "Financial entities should complete those data fields of the reporting template that correspond to the information requirements of the respective notification or report. However, financial entities that already have information which they are to provide at a later reporting stage, i.e. in the intermediate or final report, should be allowed to anticipate the submission of the data."
},
{
"recital_number": 3,
"text": "Since multiple or recurring incidents may constitute a major incident as referred to in Article 8 of Commission Delegated Regulation (EU) 2024/1772 (2), the design of the reporting template and of the data fields should enable financial entities to report such recurring incidents."
},
{
"recital_number": 4,
"text": "To ensure accurate and up to-date information, the reporting template should enable financial entities, when submitting the intermediate and final report, to update any information that was submitted previously, and where necessary reclassify major incidents as non-major."
},
{
"recital_number": 5,
"text": "The legal identification of entities should be aligned with the identifiers specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554."
},
{
"recital_number": 6,
"text": "Where financial entities outsource the major ICT-related incident reporting obligations to a third party, competent authorities should be aware of the identity of the third-party reporting on behalf of the financial entity prior to the submission of the first notification or reporting, in order to verify the legitimacy of the reporting third party."
},
{
"recital_number": 7,
"text": "To identify easily the impact of an incident that occurred at, or was caused by a third-party provider, and that affects multiple financial entities within a single Member State, and to reduce the reporting effort for financial entities, the reporting template should allow for the submission of an aggregated report covering aggregated information about the impact of the incident on all impacted financial entities that have classified the incident as major."
},
{
"recital_number": 8,
"text": "The reporting template should be designed in a technology neutral way to allow for its implementation into various incident reporting solutions that already exist or that may be developed for the implementation of the requirements of Regulation (EU) 2022/2554."
},
{
"recital_number": 9,
"text": "The design of the reporting template and data fields should facilitate the reporting of major ICT-related incidents by third parties to whom financial entities outsourced their reporting obligation in accordance with Article 19(5) of Regulation (EU) 2022/2554."
},
{
"recital_number": 10,
"text": "This Regulation is based on the draft implementing technical standards submitted to the Commission by the European Supervisory Authorities."
},
{
"recital_number": 11,
"text": "The European Supervisory Authorities have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group established in accordance with Article 37 of Regulations (EU) No 1093/2010 (3), (EU) No 1094/2010 (4), (EU) No 1095/2010 (5) of the European Parliament and of the Council."
},
{
"recital_number": 12,
"text": "The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered a positive opinion on 22 July 2024. Any processing of personal data within the scope of this Regulation should be performed in accordance with the applicable data protection principles and provisions set out in Regulation (EU) 2018/1725,\n\nHAS ADOPTED THIS REGULATION:"
}
],
"effective_date": "2025-01-17"
}