Source: OJ L, 2025/301, 20.2.2025

Article 6 Content of the voluntary notification of significant cyber threats


Summary: What does Article 6 of the RTS on incident reporting say?

This article sets out what financial entities must include when making a voluntary notification about a significant cyber threat — that is, a cyber threat that could potentially result in a major ICT-related incident, even if it has not yet materialised.

It complements the mandatory incident reporting framework established in earlier articles by addressing this distinct, pre-incident scenario.

The content requirements cover the nature and status of the threat, its potential impact, the classification criteria that would have applied had it escalated into a real incident, and any actions taken or notifications made to other parties.

Important points:

  • Include the classification criteria from Delegated Regulation (EU) 2024/1772 that would have triggered a major incident report, treating the voluntary notification as a hypothetical major incident assessment.
  • Provide details on the potential impact of the significant cyber threat on your financial entity, its clients, and financial counterparts.
  • Notify whether the significant cyber threat has been reported to other financial entities or authorities, ensuring transparency across the broader reporting landscape.

Springlex's summary of the article is a reading aid, not a substitute for the legal text.

The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following:

  1. general information about the notifying financial entity as set out in Article 1;

  2. the date and time of detection of the significant cyber threat and any other relevant timestamps related to the significant cyber threat;

  3. a description of the significant cyber threat;

  4. information about the potential impact of the significant cyber threat on the financial entity, its clients, or financial counterparts;

  5. the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat had materialised;

  6. information about the status of the significant cyber threat and any changes in the threat activity;

  7. where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats;

  8. information about any notification of the significant cyber threat to other financial entities or authorities;

  9. where applicable, information on indicators of compromise;

  10. where available, any other relevant information.
