Article 6 Notification of outsourcing of the reporting obligations

Summary What does Article 6 of the ITS on templates for incident reporting say?

This article governs the transparency obligations that apply when a financial entity chooses to outsource its major ICT-related incident reporting duties to a third party, as permitted under Article 19(5) of Regulation (EU) 2022/2554.

It establishes a clear notification duty in both directions: when the outsourcing arrangement begins and when it ends, ensuring the competent authority is always aware of who is responsible for submitting incident reports at any given time.

Important points:

Inform your competent authority of any outsourcing arrangement for incident reporting before the first notification or report is submitted.
Provide the competent authority with the name, contact details, and identification code of the third-party submitting reports on your behalf.
Inform your competent authority as soon as the outsourcing arrangement for reporting obligations is no longer in place.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

1. Financial entities that have outsourced the obligation to report major ICT-related incidents in accordance with Article 19(5) of Regulation (EU) 2022/2554 shall inform their competent authority of that outsourcing arrangement as soon as the outsourcing arrangement has been concluded and at the latest prior to the first notification or reporting.
1. Financial entities shall provide the competent authority with the name, contact details, and identification code of the third-party that will submit the major ICT-related incident notifications or reports for them.
1. Financial entities shall inform their competent authority as soon as they no longer outsource their reporting obligations as referred to in Article 19(5) of Regulation (EU) 2022/2554.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.