Source: OJ L, 2025/302, 20.2.2025
EN- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Annex I Templates for the reporting of major incidents
Number of field | Data field | |
---|---|---|
General information about the financial entity | ||
1.1 | Type of submission | |
1.2 | Name of the entity submitting the report | |
1.3 | Identification code of the entity submitting the report | |
1.4 | Type of financial entity affected | |
1.5 | Name of the financial entity affected | |
1.6 | LEI code of the financial entity affected | |
1.7 | Primary contact person name | |
1.8 | Primary contact person email | |
1.9 | Primary contact person telephone | |
1.10 | Second contact person name | |
1.11 | Second contact person email | |
1.12 | Second contact person telephone | |
1.13 | Name of the ultimate parent undertaking | |
1.14 | LEI code of the ultimate parent undertaking | |
1.15 | Reporting currency | |
Content of the initial notification | ||
2.1 | Incident reference code assigned by the financial entity | |
2.2 | Date and time of detection of the major ICT-related incident | |
2.3 | Date and time of classification of the ICT-related incident as major | |
2.4 | Description of the major ICT-related incident | |
2.5 | Classification criteria that triggered the incident report | |
2.6 | Materiality thresholds for the classification criterion ‘Geographical spread’ | |
2.7 | Discovery of the major ICT-related incident | |
2.8 | Indication whether the major ICT-related incident originates from a third-party provider or another financial entity | |
2.9 | Activation of business continuity plan, if activated | |
2.10 | Other relevant information | |
Content of the intermediate report | ||
3.1 | Incident reference code provided by the competent authority | |
3.2 | Date and time of occurrence of the major ICT-related incident | |
3.3 | Date and time when services, activities or operations have been recovered | |
3.4 | Number of clients affected | |
3.5 | Percentage of clients affected | |
3.6 | Number of financial counterparts affected | |
3.7 | Percentage of financial counterparts affected | |
3.8 | Impact on relevant clients or financial counterparts | |
3.9 | Number of affected transactions | |
3.10 | Percentage of affected transactions | |
3.11 | Value of affected transactions | |
3.12 | Information on whether the numbers are actual or estimates, or whether there has not been any impact | |
3.13 | Reputational impact | |
3.14 | Contextual information about the reputational impact | |
3.15 | Duration of the major ICT-related incident | |
3.16 | Service downtime | |
3.17 | Information on whether the numbers for duration and service downtime are actual or estimates. | |
3.18 | Types of impact in the Member States | |
3.19 | Description of how the major ICT-related incident has an impact in other Member States | |
3.20 | Materiality thresholds for the classification criterion ‘Data losses’ | |
3.21 | Description of the data losses | |
3.22 | Classification criterion ‘Critical services affected’ | |
3.23 | Type of the major ICT-related incident | |
3.24 | Other types of incidents | |
3.25 | Threats and techniques used by the threat actor | |
3.26 | Other types of techniques | |
3.27 | Information about affected functional areas and business processes | |
3.28 | Affected infrastructure components supporting business processes | |
3.29 | Information about affected infrastructure components supporting business processes | |
3.30 | Impact on the financial interest of clients | |
3.31 | Reporting to other authorities | |
3.32 | Specification of ‘other’ authorities | |
3.33 | Temporary actions/measures taken or planned to be taken to recover from the incident | |
3.34 | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | |
3.35 | Indicators of compromise | |
Content of the final report | ||
4.1 | High-level classification of root causes of the incident | |
4.2 | Detailed classification of root causes of the incident | |
4.3 | Additional classification of root causes of the incident | |
4.4 | Other types of root cause types | |
4.5 | Information about the root causes of the incident | |
4.6 | Incident resolution summary | |
4.7 | Date and time when the incident root cause was addressed | |
4.8 | Date and time when the incident was resolved | |
4.9 | Information if the permanent resolution date of the incident differs from the initially planned implementation date | |
4.10 | Assessment of risk to critical functions for resolution purposes | |
4.11 | Information relevant for resolution authorities | |
4.12 | Materiality threshold for the classification criterion ‘Economic impact’ | |
4.13 | Amount of gross direct and indirect costs and losses | |
4.14 | Amount of financial recoveries | |
4.15 | Information on whether the non-major incidents have been recurring | |
4.16 | Date and time of occurrence of recurring incidents |
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.