Source: OJ L, 2025/302, 20.2.2025Current language: EN
- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Article 7 Aggregated reporting
Summary What does Article 7 of the ITS on templates for incident reporting say?
This article sets out the conditions under which a third-party service provider, having taken on outsourced reporting obligations under Article 6, may submit a single aggregated incident report on behalf of multiple financial entities.
It establishes a narrow permission for consolidated reporting, while carving out specific categories of financial entities that are explicitly excluded from this arrangement and must always report individually.
Important points:
- Third-party service providers may submit one aggregated report for multiple financial entities only when five cumulative conditions are met, including that the incident originates from the third-party provider, all affected entities are in the same Member State under the same competent authority, and aggregated reporting has been explicitly permitted by that competent authority.
- Significant credit institutions, operators of trading venues, and central counterparties are excluded from aggregated reporting and must always submit individual notifications to their competent authority.
- Competent authorities retain the right to request an individual report from a financial entity at any time, even where an aggregated report has already been submitted on its behalf.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met:
the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider;
that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group;
the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report;
the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority;
competent authorities have explicitly permitted this type of financial entities to aggregate their reporting.
Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014 of the European Central Bank(8), operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority.
Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
central counterparty
Definition
trading venue
Definition
network and information system
Definition
group
Definition
credit institution
Definition
major ICT-related incident
Definition
ICT-related incident
Definition
critical or important function
Footnote 8