Source: OJ L, 2025/302, 20.2.2025
Article 1 Template for reporting ICT-related major incidents
Summary: What does Article 1 of the ITS on templates for incident reporting say?
This is the central operational article of the regulation, establishing how financial entities must use the standardised reporting template in Annex I when notifying competent authorities of major ICT-related incidents.
It directly implements the reporting obligation under Article 19(4) of DORA (Regulation (EU) 2022/2554) and works in conjunction with Delegated Regulation (EU) 2025/301, which sets out the content requirements for each stage of reporting.
The article governs all three reporting stages — initial notification, intermediate report, and final report — and sets clear expectations around accuracy, the use of estimates when precise data is unavailable, and the need to update previously submitted information as the reporting process progresses.
Important points:
- Use the Annex I template to submit all three stages of major ICT-related incident reporting, completing the data fields relevant to each stage as defined in Delegated Regulation (EU) 2025/301.
- Ensure all reported information is complete and accurate, and where accurate data is not yet available, provide estimated values based on available data and information.
- Follow the data glossary and instructions in Annex II when completing the template, and update previously submitted information in each subsequent report.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows:
- financial entities that submit an initial notification shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 2 of Commission Delegated Regulation (EU) 2025/301(7), and may, where they already have that information, complete those data fields the completion of which is not required for an initial notification but is required for an intermediate or final report;
- financial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2025/301 and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report.
- financial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2025/301.
Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate.
Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report.
When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report.
Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I.
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Footnote 7