Source: OJ L, 2025/301, 20.2.2025
Preamble Recitals
Recital 1: Reporting time limits
To ensure the harmonisation and simplification of the notification and reporting requirements for major ICT-related incidents referred to in Article 19(4) of Regulation (EU) 2022/2554, the time limits for reporting major ICT-related incidents should follow a consistent approach for all types of financial entities. For these reasons, the time limits should also, to the greatest extent possible, follow a consistent approach with, and at least be equivalent in effect to, the requirements set out in Directive (EU) 2022/2555 of the European Parliament and of the Council(2).
Recital 2: Time limit for the initial notification
To avoid imposing an undue reporting burden on financial entities at a time when they are handling the ICT-related incident, the content of the initial notification should be limited to the most significant information. To be able to take proper supervisory action, competent authorities need to receive information about major ICT-related incidents as quickly as possible after the financial entity has classified an ICT-related incident as major. Consequently, the time limit for submitting an initial notification as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 should be as short as possible after an ICT-related incident has been classified as major, whilst still allowing for flexibility, especially for service business models that are not particularly time-critical, in case financial entities need more time to handle the ICT-related incident after becoming aware of it.
Recital 3: The intermediate and final reports
After having received the initial notification, competent authorities should receive more detailed information about the ICT-related incident in the intermediate report and all relevant information in the final report. The information in those reports should enable competent authorities to further assess the ICT-related incident and evaluate supervisory actions they may want to take.
Recital 4: Balance of time limits
The reporting time limits referred to in Article 20, first paragraph, point (a)(ii), of Regulation (EU) 2022/2554 should therefore balance the need for competent authorities to receive the information quickly, with the need to provide financial entities with sufficient time to obtain complete and accurate information.
Recital 5: Microenterprises and other financial entities that are not significant
Taking into account the criteria set out in Article 20, first paragraph, point (a), of Regulation (EU) 2022/2554, the reporting timelines should not pose a disproportionate burden to microenterprises and to other financial entities that are not significant. In addition, to avoid a disproportional burden on financial entities, the reporting time limits should take into account weekends and bank holidays.
Recital 6: Reporting significant cyber threats
Since significant cyber threats are to be notified on a voluntary basis, the content of such notifications should not impose a burden on financial entities and should be more limited than the information requested for major ICT-related incidents.
Recital 7: Draft regulatory technical standards from the ESAs
This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Supervisory Authorities.
Recital 8: Open public consultations
The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Stakeholder Groups established in accordance with Article 37 of Regulations (EU) No 1093/2010(3), (EU) No 1094/2010(4) and (EU) No 1095/2010(5) of the European Parliament and of the Council.
Recital 9: Processing of personal data
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(6) and delivered a positive opinion on 22 July 2024. Any processing of personal data within the scope of this Regulation should be performed in accordance with the applicable data protection principles and provisions from Regulation (EU) 2018/1725,