Article 4 Article Specific information to be provided in final reports

Summary What does Article 4 of the RTS on incident reporting say?

Article 4 completes the three-part reporting sequence established across Articles 2, 3, and 4 by specifying what must be included in the final report submitted following a major ICT-related incident.

Where the initial notification and intermediate report focus on early detection and ongoing status, this final report is retrospective in nature — it requires financial entities to provide a thorough post-incident account covering root causes, resolution details, and the financial impact of the incident.

Important points:

Include a full account of root causes, resolution details, and the dates and times the incident was resolved and root causes addressed.
Report on both direct and indirect costs and losses from the incident, as well as any financial recoveries.
Where applicable, provide information relevant for resolution authorities and flag any recurring ICT-related incidents.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information:

information about the root causes of the ICT-related incident;
dates and times when the ICT-related incident was resolved and the root cause(s) addressed;
information on the resolution of the ICT-related incident;
where applicable, information relevant for resolution authorities;
information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries;
where applicable, information about recurring ICT-related incidents.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.