Source: OJ L, 2025/302, 20.2.2025Current language: EN
- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Article 8 Notification of significant cyber threats
Summary What does Article 8 of the ITS on templates for incident reporting say?
This brief article addresses the procedural requirements for financial entities that choose to notify competent authorities of significant cyber threats.
It mirrors the approach taken in earlier articles of this regulation regarding major ICT-related incident reporting, but applies specifically to the voluntary notification pathway for significant cyber threats under DORA.
Rather than leaving the format open-ended, the article directs financial entities to use a dedicated template and accompanying glossary — namely Annex III and Annex IV — and places a clear obligation on the accuracy and completeness of the information submitted.
Important points:
- Use Annex III as the prescribed template and Annex IV as the data glossary when notifying competent authorities of significant cyber threats.
- Ensure all information submitted in the notification is complete and accurate.
- This article applies specifically to the voluntary notification of significant cyber threats, which are threats that could potentially result in a major ICT-related incident, as distinct from the mandatory major incident reporting covered elsewhere in the regulation.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Financial entities that notify significant cyber threats to competent authorities in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall use the template laid down in Annex III to this Regulation and follow the data glossary and instructions set out Annex IV to this Regulation.
Financial entities shall ensure that the information contained in the notification of significant cyber threats is complete and accurate.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
major operational or security payment-related incident
Definition
network and information system
Definition
cyber threat
Definition
significant cyber threat
Definition
major ICT-related incident
Definition
operational or security payment-related incident
Definition
ICT-related incident
Definition
critical or important function