Source: OJ L, 2025/301, 20.2.2025


Article 3 Specific information to be provided in intermediate reports


Summary: What does Article 3 of the RTS on incident reporting say?

This article defines the minimum content requirements for the intermediate report that financial entities must submit following a major ICT-related incident.

Building directly on Article 2, which governs the initial notification, this article represents the next stage of the reporting process and demands a considerably deeper level of detail.

Where the initial notification establishes that an incident has occurred and why it qualifies as major, the intermediate report requires financial entities to provide a fuller operational picture — covering the nature of the incident, its impact on clients and business processes, the infrastructure affected, and the recovery measures underway or planned.

Important points:

  • Include in the intermediate report a detailed account of how the incident met the major classification criteria under Delegated Regulation (EU) 2024/1772.
  • Report on the impact on clients' financial interests, affected business processes, and infrastructure components.
  • Document temporary recovery actions already taken or planned, and disclose any reporting of the incident to other authorities.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information:

  1. where applicable, the incident reference code provided by the competent authority;

  2. the date and time of occurrence of the ICT-related incident;

  3. where applicable, the date and time when the financial entity has recovered its regular activities;

  4. information about how the criteria laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 have been fulfilled, on the basis of which the financial entity classified the ICT-related incident as major;

  5. the type of ICT-related incident;

  6. where applicable, the threats and techniques used by the threat actor;

  7. affected functional areas and business processes;

  8. affected infrastructure components supporting business processes;

  9. impact on the financial interest of clients;

  10. information about reporting about the ICT-related incident to other authorities;

  11. temporary actions or measures taken or planned to be taken by the financial entity to recover from the ICT-related incident;

  12. where applicable, information on indicators of compromise.
