Source: OJ L, 2025/301, 20.2.2025

Current language: EN

Article 1 General information to be provided in initial notifications and intermediate and final reports on major ICT-related incidents

Summary What does Article 1 of this act say?

This article establishes the general information that financial entities must include across all three types of major ICT-related incident reports — the initial notification, the intermediate report, and the final report — as required under Article 19(4) of DORA (Regulation (EU) 2022/2554).

It acts as a foundational baseline that applies consistently to all report types, covering identifying details about the reporting entity, the submitting entity, and key contact and contextual information.

Important points:

  • Include a standard set of general identifying information in every report, regardless of whether it is an initial notification, intermediate report, or final report.
  • Provide contact details for the person responsible for communicating with the competent authority about the major ICT-related incident.
  • Where applicable, disclose parent undertaking details, aggregated entity LEI codes, and the currency used for any monetary amounts reported.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information:

  1. the type of submission (initial notification, intermediate report, or final report);

  2. the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554;

  3. the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity;

  4. where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report;

  5. the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident;

  6. where applicable, the identification of the parent undertaking of the group to which the financial entity belongs;

  7. where there is monetary impact, the currency the amounts are based on.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod