Source: OJ L, 2025/302, 20.2.2025

Article 7 Aggregated reporting


Summary

What does Article 7 of the ITS on templates for incident reporting say?

This article sets out the conditions under which a third-party service provider, having taken on outsourced reporting obligations under Article 6, may submit a single aggregated incident report on behalf of multiple financial entities.

It establishes a narrow permission for consolidated reporting, while carving out specific categories of financial entities that are explicitly excluded from this arrangement and must always report individually.

Important points:

  • Third-party service providers may submit one aggregated report for multiple financial entities only when five cumulative conditions are met, including that the incident originates from the third-party provider, all affected entities are in the same Member State under the same competent authority, and aggregated reporting has been explicitly permitted by that competent authority.
  • Significant credit institutions, operators of trading venues, and central counterparties are excluded from aggregated reporting and must always submit individual notifications to their competent authority.
  • Competent authorities retain the right to request an individual report from a financial entity at any time, even where an aggregated report has already been submitted on its behalf.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met:

      1. the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider;

      2. that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group;

      3. the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report;

      4. the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority;

      5. competent authorities have explicitly permitted this type of financial entities to aggregate their reporting.

    2. Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014 of the European Central Bank(8), operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority.

    3. Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident.
