Source: OJ L, 2025/301, 20.2.2025


Article 2 Specific information to be provided in initial notifications


Summary: What does Article 2 of the RTS on incident reporting say?

This article specifies the minimum content requirements for the initial notification that financial entities must submit when a major ICT-related incident occurs.

It builds directly on the general information requirements established in Article 1, adding the incident-specific detail that competent authorities need at the earliest stage of reporting.

The article covers the essential facts of the incident — what happened, when it was detected, why it was classified as major, where it has impact, and how it was discovered — while also touching on response actions already taken.

Important points:

  • Include the classification criteria from Delegated Regulation (EU) 2024/1772 that justify designating the incident as major — this is a mandatory element of the initial notification.
  • State whether a business continuity plan has been activated, as this is a required disclosure from the outset.
  • Where applicable, report any reclassification of the incident from major to non-major as part of this initial notification.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information:

  1. the incident reference code assigned by the financial entity;

  2. the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772;

  3. a description of the ICT-related incident;

  4. the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major;

  5. the Member States that are impacted by the ICT-related incident;

  6. information on how the ICT-related incident was discovered;

  7. where available, information about the origin of the ICT-related incident;

  8. information about whether the financial entity has activated a business continuity plan;

  9. where applicable, information about the reclassification of the ICT-related incident from major to non-major;

  10. where available, any other relevant information.
