Annex II Data glossary and instructions for the reporting of major incidents


Data field

Description

Mandatory for initial notification

Mandatory for intermediate report

Mandatory for final report

Field type

General information about the financial entity

  • Type of submission

Indicate the type of incident notification or report being submitted to the competent authority.

Yes

Yes

Yes

Choice:

  • initial notification;

  • intermediate report;

  • final report;

  • major incident reclassified as non-major.

  • Name of the entity submitting the report

Full legal name of the entity submitting the report.

Yes

Yes

Yes

Alphanumeric

  • Identification code of the entity submitting the report

Identification code of the entity submitting the report.

Where financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.

A third-party provider that submits a report for a financial entity can use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.

Yes

Yes

Yes

Alphanumeric

  • Type of the affected financial entity

Type of the entity as referred to in Article 2(1), points (a) to (t), of Regulation (EU) 2022/2554 for whom the report is submitted.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the different types of financial entities covered in the aggregated report to be selected.

Yes

Yes

Yes

Choice (multiselect):

  • credit institution;

  • payment institution;

  • exempted payment institution;

  • account information service provider;

  • electronic money institution;

  • exempted electronic money institution;

  • investment firm;

  • crypto-asset service provider;

  • issuer of asset-referenced tokens;

  • central securities depository;

  • central counterparty;

  • trading venue;

  • trade repository;

  • manager of alternative investment fund;

  • management company;

  • data reporting service provider;

  • insurance and reinsurance undertaking;

  • insurance intermediary, reinsurance intermediary and ancillary insurance intermediary;

  • institution for occupational retirement provision;

  • credit rating agency;

  • administrator of critical benchmarks;

  • crowdfunding service provider;

  • securitisation repository.

  • Name of the financial entity affected

Full legal name of the financial entity affected by the major ICT-related incident and required to report the major incident to its competent authority under Article 19 of Regulation (EU) 2022/2554.

In case of aggregated reporting:

  • list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon;

  • the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon.

Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting

Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting

Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting

Alphanumeric

  • LEI code of the financial entity affected

Legal Entity Identifier (LEI) of the financial entity affected by the major ICT-related incident assigned in accordance with the International Organisation for Standardisation.

In case of aggregated reporting:

  • a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon.

  • the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon.

The order of appearance of LEI codes and financial entities names shall be identical.

Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting

Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting

Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting

Unique 20 alphanumeric character code, based on ISO 17442-1:2020

  • Primary contact person name

Name and surname of the primary contact person of the financial entity.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the name of the primary contact person in the entity submitting the aggregated report.

Yes

Yes

Yes

Alphanumeric

  • Primary contact person email

Email address of the primary contact person that can be used by the competent authority for follow-up communication.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the email of the primary contact person in the entity submitting the aggregated report.

Yes

Yes

Yes

Alphanumeric

  • Primary contact person telephone

The telephone number of the primary contact person that can be used by the competent authority for follow-up communication.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the telephone number of the primary contact person in the entity submitting the aggregated report.

The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)

Yes

Yes

Yes

Alphanumeric

  • Second contact person name

Name and surname of the second contact person or the name of the responsible team of the financial entity or an entity submitting the report on behalf of the financial entity

Yes

Yes

Yes

Alphanumeric

  • Second contact person email

Email address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication.

Yes

Yes

Yes

Alphanumeric

  • Second contact person telephone

The telephone number of the second contact person, or of a team, that can be used by the competent authority for follow-up communication.

The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)

Yes

Yes

Yes

Alphanumeric

  • Name of the ultimate parent undertaking

Name of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable.

Yes, if the FE belongs to a group

Yes, if the FE belongs to a group

Yes, if the FE belongs to a group

Alphanumeric

  • LEI code of the ultimate parent undertaking

LEI of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable. Assigned in accordance with the International Organisation for Standardisation.

Yes, if the FE belongs to a group

Yes, if the FE belongs to a group

Yes, if the FE belongs to a group

Unique 20 alphanumeric character code, based on ISO 17442-1:2020

  • Reporting currency

Currency used for the incident reporting

Yes

Yes

Yes

Choice populated by using ISO 4217 currency codes
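The format rules for the general-information fields above can be checked mechanically before submission. The following is an added example, not part of the Regulation: the dictionary keys, the sample reports and the sample LEI values are constructed for illustration, and the check-digit test relies on ISO 17442 using the ISO/IEC 7064 MOD 97-10 scheme, which the text above does not spell out.

```python
import re

LEI_RE = re.compile(r"[0-9A-Z]{18}[0-9]{2}")
# "+" followed by digits; E.164 caps numbers at 15 digits, the lower bound is an assumption.
PHONE_RE = re.compile(r"\+[1-9][0-9]{4,14}")


def _to_digits(code: str) -> int:
    # ISO/IEC 7064 MOD 97-10 mapping: 0-9 stay as they are, A=10 ... Z=35.
    return int("".join(str(int(ch, 36)) for ch in code))


def lei_check_digits(prefix18: str) -> str:
    """Check digits for an 18-character LEI body (used here to build samples)."""
    return f"{98 - _to_digits(prefix18 + '00') % 97:02d}"


def is_valid_lei(code: str) -> bool:
    """20 upper-case alphanumerics whose numeric form is congruent to 1 mod 97."""
    return bool(LEI_RE.fullmatch(code)) and _to_digits(code) % 97 == 1


def split_list(value: str) -> list:
    """Split a semicolon-separated field, keeping empty slots so gaps stay visible."""
    return [item.strip() for item in value.split(";")] if value.strip() else []


def validate_general_info(report: dict) -> list:
    """Return a list of rule violations; an empty list means the checks passed."""
    errors = []
    aggregated = report.get("aggregated", False)

    # Financial entities identify themselves by LEI; a third-party provider
    # may use another identification code, so only presence is checked then.
    code = report.get("submitter_code", "")
    if not code:
        errors.append("submitter_code: mandatory")
    elif not report.get("submitter_is_third_party", False) and not is_valid_lei(code):
        errors.append("submitter_code: financial entity must give a valid LEI")

    names = split_list(report.get("affected_names", ""))
    leis = split_list(report.get("affected_leis", ""))
    needed = aggregated or report.get("affected_differs_from_submitter", False)
    if needed and not (names and leis):
        errors.append("affected_names/affected_leis: mandatory for this report")
    # Names and LEI codes must appear in the same order, so the lists must pair up.
    if len(names) != len(leis):
        errors.append(f"affected lists: count mismatch ({len(names)} names, {len(leis)} LEIs)")
    for pos, name in enumerate(names, start=1):
        if not name:
            errors.append(f"affected_names[{pos}]: empty entry")
    for pos, lei in enumerate(leis, start=1):
        if not is_valid_lei(lei):
            errors.append(f"affected_leis[{pos}]: not a valid LEI")

    for key in ("primary_phone", "second_phone"):
        if not PHONE_RE.fullmatch(report.get(key, "")):
            errors.append(f"{key}: must carry the international prefix, e.g. +33XXXXXXXXX")
    return errors


# Constructed sample values (not real LEIs or entities).
LEI_A = "TEST00CONSTRUCTED1" + lei_check_digits("TEST00CONSTRUCTED1")
LEI_B = "TEST00CONSTRUCTED2" + lei_check_digits("TEST00CONSTRUCTED2")

AGGREGATED_OK = {
    "aggregated": True,
    "submitter_is_third_party": True,
    "submitter_code": "TPP-0001",
    "affected_names": "Sample Bank A; Sample Bank B",
    "affected_leis": f"{LEI_A};{LEI_B}",
    "primary_phone": "+33123456789",
    "second_phone": "+33123456780",
}
# One LEI missing and a phone number without the "+" prefix.
AGGREGATED_BAD = dict(AGGREGATED_OK, affected_leis=LEI_A, primary_phone="0033123456789")
# A financial entity reporting for itself with a corrupted LEI.
SINGLE_BAD = {
    "submitter_code": LEI_A[:17] + "3" + LEI_A[18:],
    "primary_phone": "+33123456789",
    "second_phone": "+33123456780",
}

if __name__ == "__main__":
    for label, sample in (("ok", AGGREGATED_OK), ("bad", AGGREGATED_BAD), ("single", SINGLE_BAD)):
        print(label, validate_general_info(sample))
```

A count match between the two lists is only a necessary condition for identical ordering; the pairing of each name with its LEI still has to come from the source data.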

Content of the initial notification

  • Incident reference code assigned by the financial entity

Unique reference code issued by the financial entity unequivocally identifying the major ICT-related incident.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the incident reference code assigned by the third-party provider.

Yes

Yes

Yes

Alphanumeric

  • Date and time of detection of the ICT-related incident

Date and time at which the financial entity has become aware of the ICT-related incident.

For recurring incidents, the date and the time at which the last ICT-related incident was detected.

Yes

Yes

Yes

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Date and time of classification of the incident as major

Date and time when the ICT-related incident was classified as major according to the classification criteria established in Delegated Regulation (EU) 2024/1772

Yes

Yes

Yes

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Description of the ICT-related incident

Description of the most relevant aspects of the major ICT-related incident.

Financial entities shall provide a high-level overview of the following information such as possible causes, immediate impacts, systems affected, and others. Financial entities shall include, where known or reasonably expected, whether the incident impacts third-party providers or other financial entities, the type of provider or financial entity, their name, their respective identification codes and type of the identification code (e.g. LEI or EUID).

In subsequent reports, the field content can evolve over time to reflect the ongoing understanding of the ICT-related incident and describe any other relevant information about the ICT-related incident not captured by the data fields, including the internal severity assessment by the financial entity (e.g. very low, low, medium, high, very high) and an indication of the level and name of most senior decision structures that has been involved in response to the ICT-related incident.

Yes

Yes

Yes

Alphanumeric

  • Classification criteria that triggered the incident report

Classification criteria under Delegated Regulation (EU) 2024/1772 that have triggered determination of the ICT-related incident as major and subsequent notification and reporting.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the classification criteria that have triggered determination of the ICT-related incident as major for at least one or more financial entities.

Yes

Yes

Yes

Choice (multiple):

  • clients, financial counterparts and transactions affected;

  • reputational impact;

  • duration and service downtime;

  • geographical spread;

  • data losses;

  • critical services affected;

  • economic impact.

  • Materiality thresholds for the classification criterion ‘Geographical spread’

EEA Member States impacted by the major ICT-related incident

When assessing the impact of the major ICT-related incident in other Member States, financial entities shall take into account Articles 4 and 12 of Delegated Regulation 2024/1772.

Yes, if ‘Geographical spread’ threshold is met

Yes, if ‘Geographical spread’ threshold is met

Yes, if ‘Geographical spread’ threshold is met

Choice (multiple) populated by using ISO 3166 ALPHA-2 of the affected countries

  • Discovery of the major ICT-related incident

Indication of how the major ICT-related incident has been discovered.

Yes

Yes

Yes

Choice:

  • IT Security;

  • staff;

  • internal audit;

  • external audit;

  • clients;

  • financial counterparts;

  • third-party provider;

  • attacker;

  • monitoring systems;

  • authority/agency/law enforcement body;

  • other.

  • Indication whether the incident originates from a third-party provider or another financial entity

Indication whether the major ICT-related incident originates from a third-party provider or another financial entity.

Financial entities shall indicate whether the major ICT-related incident originates from a third-party provider or another financial entity (including financial entities belonging to the same group as the reporting entity) and the name, identification code of the third-party provider or financial entity and type of the identification code (e.g. LEI or EUID).

Yes, if the incident originates from a third-party provider or another financial entity

Yes, if the incident originates from a third-party provider or another financial entity

Yes, if the incident originates from a third-party provider or another financial entity

Alphanumeric

  • Activation of business continuity plan, if activated

Indication of whether there has been a formal activation of the business continuity response measures of the financial entity.

Yes

Yes

Yes

Boolean (Yes or No)

  • Other relevant information

Any further information not covered in the template.

Financial entities that have reclassified a major ICT-related incident as non-major shall describe the reasons why the ICT-related incident does not fulfil, and is not expected to fulfil, the criteria to be considered as a major ICT-related incident.

Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major.

Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major

Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major

Alphanumeric

Content of the intermediate report

  • Incident reference code provided by the competent authority

Unique reference code assigned by the competent authority at the time of receipt of the initial notification to unequivocally identify the major ICT-related incident.

No

Yes, if applicable

Yes, if applicable

Alphanumeric

  • Date and time of occurrence of the incident

Date and time at which the major ICT-related incident has occurred, if different from the time the financial entity has become aware of the major ICT-related incident.

For recurring major ICT-related incidents, the date and the time at which the last major ICT-related incident has occurred.

No

Yes

Yes

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Date and time when services, activities or operations have been recovered

Information on the date and time of the recovery of the services, activities or operations affected by the major ICT-related incident.

No

Yes, if data field 3.16. ‘Service downtime’ has been populated

Yes, if data field 3.16. ‘Service downtime’ has been populated

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Number of clients affected

Number of clients affected by the major ICT-related incident that use the service provided by the financial entity.

When assessing the number of clients affected, financial entities shall take into account Articles 1(1) and 9(1), point (b), of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of clients impacted shall use estimates based on available data from comparable reference periods.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of clients affected across all financial entities.

No

Yes

Yes

Numerical integer

  • Percentage of clients affected

Percentage of clients affected by the major ICT-related incident in relation to the total number of clients that make use of the affected service provided by the financial entity. In case of more than one service affected, the services shall be provided in an aggregated manner.

Financial entities shall take into account Article 1(1) and Article 9(1), point (a), of Delegated Regulation (EU) 2024/1772 in their assessment.

A financial entity that cannot determine the actual percentage of clients impacted shall use estimates based on available data from comparable reference periods.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall divide the sum of all affected clients by the total number of clients of all impacted financial entities.

No

Yes

Yes

Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up

  • Number of financial counterparts affected

Number of financial counterparts affected by the major ICT-related incident that have concluded a contract with the financial entity.

When assessing the number of financial counterparts affected, financial entities shall take into account Article 1(2) of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of financial counterparts impacted shall use estimates based on available data from comparable reference periods.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of financial counterparts affected across all financial entities.

No

Yes

Yes

Numerical integer

  • Percentage of financial counterparts affected

Percentage of financial counterparts affected by the major ICT-related incident in relation to the total number of financial counterparts that have concluded a contract with the financial entity.

When assessing the percentage of financial counterparts affected, financial entities shall take into account Articles 1(1) and 9(1), point (c) of Delegated Regulation (EU) 2024/1772 in their assessment.

A financial entity that cannot determine the actual percentage of financial counterparts impacted shall use estimates based on available data from comparable reference periods.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the sum of all affected financial counterparts divided by the total number of financial counterparts of all impacted financial entities.

No

Yes

Yes

Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up

  • Impact on relevant clients or financial counterparts

Any identified impact on relevant clients or financial counterpart as referred to in Article 1(3) and Article 9(1), point (f), of Delegated Regulation (EU) 2024/1772.

No

Yes, if ‘Relevance of clients and financial counterparts’ threshold is met

Yes, if ‘Relevance of clients and financial counterparts’ threshold is met

Boolean (Yes or No)

  • Number of affected transactions

Number of transactions affected by the major ICT-related incident.

When assessing the impact on transactions, financial entities shall take into account Article 1(4) of Delegated Regulation (EU) 2024/1772, including all affected domestic and cross-border transactions containing a monetary amount that have at least one part of the transaction carried out in the Union.

A financial entity that cannot determine the actual number of transactions impacted shall use estimates based on available data from comparable reference periods.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the total number of transactions affected across all financial entities.

No

Yes, if any transaction has been affected by the incident

Yes, if any transaction has been affected by the incident

Numerical integer

  • Percentage of affected transactions

Percentage of affected transactions in relation to the daily average number of domestic and cross-border transactions carried out by the financial entity related to the affected service.

Financial entities shall take into account Article 1(4) and Article 9(1), point (d), of Delegated Regulation (EU) 2024/1772.

A financial entity that cannot determine the actual percentage of transactions impacted shall use estimates.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall sum the number of all affected transactions and divide the sum by the total number of transactions of all impacted financial entities.

No

Yes, if any transaction has been affected by the incident

Yes, if any transaction has been affected by the incident

Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up

  • Value of affected transactions

Total value of the transactions affected by the major ICT-related incident shall be assessed in accordance with Article 1(4) and Article 9(1), point (e) of Delegated Regulation (EU) 2024/1772.

A financial entity that cannot determine the actual value of transactions impacted shall use estimates based on available data from comparable reference periods.

A financial entity shall report the monetary amount as a positive value.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total value of the transactions affected across all financial entities.

No

Yes, if any transactions have been affected by the incident

Yes, if any transaction has been affected by the incident

Monetary

Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units (e.g. 2,5 instead of EUR 2 500).

  • Information on whether the numbers are actual or estimates, or whether there has not been any impact

Information on whether the values reported in the data fields 3.4 to 3.11 are actual or estimates, or whether there has not been any impact.

No

Yes

Yes

Choice (multiple):

  • actual figures for clients affected;

  • actual figures for financial counterparts affected;

  • actual figures for transactions affected;

  • estimates for clients affected;

  • estimates for financial counterparts affected;

  • estimates for transactions affected;

  • no impact on clients;

  • no impact on financial counterparts;

  • no impact on transactions.

  • Reputational impact

Information about the reputational impact resulting from the major ICT-related incident as referred to in Articles 2 and 10 of Delegated Regulation (EU) 2024/1772.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the reputational impact categories that apply to at least one financial entity.

No

Yes, if ‘Reputational impact’ criterion met

Yes, if ‘Reputational impact’ criterion met

Choice (multiple):

  • the major ICT-related incident has been reflected in the media;

  • the major ICT-related incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships

  • the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the major ICT-related incident;

  • the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the major ICT-related incident.

  • Contextual information about the reputational impact

Information describing how the major ICT-related incident has affected or could affect the reputation of the financial entity, including infringements of law, regulatory requirements not met, number of client complaints, and other.

The contextual information shall include the type of media (e.g. traditional and digital media, blogs, streaming platforms) and media coverage, including reach of the media (local, national, international). Media coverage in this context shall not mean a few negative comments by followers or users of social networks.

The financial entity shall also indicate whether the media coverage highlighted significant risks for its clients in relation to the major ICT-related incident, including the risk of the financial entity’s insolvency or the risk of losing funds.

Financial entities shall also indicate whether they have provided information to the media that served to reliably inform the public about the major ICT-related incident and its consequences.

Financial entities may also indicate whether there was false information in the media in relation to the ICT-related incident, including information based on deliberate misinformation spread by threat actors, or information relating to or illustrating defacement of the financial entity’s website.

No

Yes, if ‘Reputational impact’ criterion met.

Yes, if ‘Reputational impact’ criterion met.

Alphanumeric

  • Duration of the incident

Financial entities shall measure the duration of the major ICT-related incident from the moment the major ICT-related incident occurred until the moment the incident was resolved.

Financial entities that are unable to determine the moment when the major ICT-related incident has occurred shall measure the duration of the major ICT-related incident from the earlier between the moment the financial entity detected the incident and the moment when the financial entity recorded the incident in network or system logs or other data sources. Financial entities that do not yet know the moment when the major ICT-related incident will be resolved shall apply estimates. The value shall be expressed in days, hours, and minutes.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the major ICT-related incident in case of differences between financial entities.

No

Yes

Yes

DD:HH:MM

  • Service downtime

Service downtime measured from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users, until the moment when regular activities or operations have been restored to the level of service that was provided prior to the major ICT-related incident.

Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, financial entities shall measure the downtime from the start of the major ICT-related incident until the moment when that delayed service is provided. Financial entities that are unable to determine the moment when the service downtime has started, shall measure the service downtime from the earlier between the moment the incident was detected and the moment when it has been recorded.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the service downtime in case of differences between financial entities.

No

Yes, if the incident has caused a service downtime

Yes, if the incident has caused a service downtime

DD:HH:MM

  • Information on whether the numbers for duration and service downtime are actual or estimates

Information on whether the values reported in data fields 3.15 and 3.16 are actual or estimates.

No

Yes, if ‘Duration and service downtime’ criterion met

Yes, if ‘Duration and service downtime’ criterion met

Choice:

  • Actual figures;

  • Estimates;

  • Actual figures and estimates;

  • No information available.
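The measurement rules for duration, service downtime and the actual/estimate indicator can be checked mechanically before a report is submitted. The following is an added example, not part of the Regulation: the `Timeline` structure, its attribute names and the output keys are assumptions, the sample timestamps are constructed, and all timestamps are taken to be in one time zone.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Timeline:
    """Timestamps one financial entity holds for an incident (names are assumptions)."""
    occurred: Optional[datetime] = None          # None when the moment is unknown
    detected: Optional[datetime] = None
    recorded: Optional[datetime] = None          # first trace in logs or other data sources
    resolved: Optional[datetime] = None          # actual, or an estimate if flagged below
    resolved_is_estimate: bool = False
    caused_downtime: bool = False
    downtime_started: Optional[datetime] = None  # None when the moment is unknown
    service_restored: Optional[datetime] = None
    downtime_end_is_estimate: bool = False
    delayed_service_provided: Optional[datetime] = None


def _earlier_of_detected_and_recorded(t):
    known = [x for x in (t.detected, t.recorded) if x is not None]
    if not known:
        raise ValueError("need a detection or log-record timestamp")
    return min(known)


def _span(start, end):
    if end is None:
        raise ValueError("no end time: supply an estimate and flag it")
    if end < start:
        raise ValueError("end precedes start")
    return end - start


def incident_start(t):
    # Unknown occurrence: fall back to the earlier of detection and recording.
    return t.occurred if t.occurred is not None else _earlier_of_detected_and_recorded(t)


def duration(t):
    """Return (timedelta, is_estimate) for the incident duration."""
    return _span(incident_start(t), t.resolved), t.resolved_is_estimate


def service_downtime(t):
    """Return (timedelta, is_estimate), or None when no downtime was caused."""
    if not t.caused_downtime:
        return None
    if t.delayed_service_provided is not None:
        # Delay after restoration: start of incident until the delayed service is provided.
        return _span(incident_start(t), t.delayed_service_provided), t.downtime_end_is_estimate
    start = t.downtime_started
    if start is None:
        start = _earlier_of_detected_and_recorded(t)
    return _span(start, t.service_restored), t.downtime_end_is_estimate


def dd_hh_mm(delta: timedelta) -> str:
    minutes_total = int(delta.total_seconds() // 60)  # seconds are truncated
    days, rest = divmod(minutes_total, 24 * 60)
    hours, minutes = divmod(rest, 60)
    return f"{days:02d}:{hours:02d}:{minutes:02d}"


def figures_kind(flags):
    if not flags:
        return "No information available"
    if all(flags):
        return "Estimates"
    return "Actual figures and estimates" if any(flags) else "Actual figures"


def report_fields(timelines):
    """Aggregated reporting: take the longest value across the entities."""
    longest = max((duration(t) for t in timelines), key=lambda p: p[0])
    fields, flags = {"duration": dd_hh_mm(longest[0])}, [longest[1]]
    downtimes = [d for d in map(service_downtime, timelines) if d is not None]
    if downtimes:
        worst = max(downtimes, key=lambda p: p[0])
        fields["service_downtime"] = dd_hh_mm(worst[0])
        flags.append(worst[1])
    fields["actual_or_estimates"] = figures_kind(flags)
    return fields


# Constructed sample data. Entity A does not know when the incident or the
# downtime began; entity B estimates the resolution and had a delayed service.
ENTITY_A = Timeline(
    detected=datetime(2025, 3, 3, 9, 40), recorded=datetime(2025, 3, 3, 8, 15),
    resolved=datetime(2025, 3, 4, 14, 45),
    caused_downtime=True, service_restored=datetime(2025, 3, 3, 18, 30),
)
ENTITY_B = Timeline(
    occurred=datetime(2025, 3, 2, 22, 0),
    resolved=datetime(2025, 3, 5, 10, 0), resolved_is_estimate=True,
    caused_downtime=True, service_restored=datetime(2025, 3, 3, 12, 0),
    delayed_service_provided=datetime(2025, 3, 3, 16, 0),
)

if __name__ == "__main__":
    print(report_fields([ENTITY_A, ENTITY_B]))
```

A duration measured from the fallback start is treated here as an actual figure; only an estimated end time sets the estimate flag, which is an interpretation the text above does not spell out.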

  • Types of impact in the Member States

Type of impact in the respective EEA Member States.

Indication of whether the major ICT-related incident has had an impact in other EEA Member States (other than the Member State of the competent authority to which the incident is directly reported), in accordance with Article 4 of Delegated Regulation (EU) 2024/1772, and in particular with regard to the significance of the impact in relation to:

  • clients and financial counterparts affected in other Member States; or

  • branches or other financial entities within the group carrying out activities in other Member States; or

  • financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services.

No

Yes, if ‘Geographical spread’ threshold is met

Yes, if ‘Geographical spread’ threshold is met

Choice (multiple):

  • clients;

  • financial counterparts;

  • branch of the financial entity;

  • financial entities within the group carrying out activities in the respective Member State;

  • financial market infrastructure;

  • third-party providers that may be common to other financial entities.

  • Description of how the incident has an impact in other Member States

Description of the impact and severity of the major ICT-related incident in each affected Member State, including an assessment of the impact and severity on:

  • clients;

  • financial counterparts;

  • branches of the financial entity;

  • other financial entities within the group carrying out activities in the respective Member State;

  • financial market infrastructures;

  • third-party providers that may be common to other financial entities as applicable in other Member State(s).

No

Yes, if ‘Geographical spread’ threshold is met

Yes, if ‘Geographical spread’ threshold is met

Alphanumeric

  • Materiality thresholds for the classification criterion ‘Data losses’

Type of data losses that the major ICT-related incident entails in relation to availability, authenticity, integrity, and confidentiality of data.

Financial entities shall take into account Articles 5 and 13 of Delegated Regulation (EU) 2024/1772 in their assessment.

In case of aggregated reporting as referred to in Article 7 of this Regulation, the data losses affecting at least one financial entity.

No

Yes, if ‘Data losses’ criterion is met

Yes, if ‘Data losses’ criterion is met

Choice (multiple):

  • availability;

  • authenticity;

  • integrity;

  • confidentiality.

  • Description of the data losses

Description of the impact of the major ICT-related incident on availability, authenticity, integrity, and confidentiality of critical data in accordance with Articles 5 and 13 of Delegated Regulation (EU) 2024/1772.

Information about the impact on the implementation of the business objectives of the financial entity or on meeting regulatory requirements.

As part of the information provided, financial entities shall indicate whether the data affected are client data, other entities’ data (e.g. financial counterparts), or data of the financial entity itself.

The financial entity may also indicate the type of data involved in the incident – in particular, whether the data is confidential and what type of confidentiality was involved (e.g. commercial/business confidentiality, personal data, professional secrecy: banking secrecy, insurance secrecy, payment services secrecy, etc.).

The information may also include possible risks associated with the data losses, such as whether the data affected by the incident can be used to identify individuals and could be used by the threat actor to obtain credit or loans without their consent, to conduct spear phishing attacks, to disclose information publicly.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, a general description of the impact of the incident on the affected financial entities. Where there are differences of the impact, the description of the impact shall clearly indicate the specific impact on the different financial entities.

No

Yes, if ‘Data losses’ criterion is met

Yes, if ‘Data losses’ criterion is met

Alphanumeric

  • Classification criterion ‘Critical services affected’

Information related to the criterion ‘Critical services affected’.

Financial entities shall take into account Article 6 of Delegated Regulation (EU) 2024/1772 in their assessment, including information about:

  • the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or

  • the ICT services or network and information systems that support critical or important functions of the financial entity; and

  • the nature of the malicious and unauthorised access to the network and information systems of the financial entity.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the impact on critical services that apply to at least one financial entity.

No

Yes

Yes

Alphanumeric

  • Type of the incident

Classification of incidents by type.

No

Yes

Yes

Choice (multiple):

  • Cybersecurity-related;

  • Process failure;

  • System failure;

  • External event;

  • Payment-related;

  • Other (please specify).

  • Other types of incidents

Other types of ICT-related incidents: financial entities that have selected ‘other’ type of incidents in the data field 3.23, shall specify the type of ICT-related incident.

No

Yes, if ‘other’ type of incidents is selected in data field 3.23

Yes, if ‘other’ type of incidents is selected in data field 3.23

Alphanumeric

  • Threats and techniques used by the threat actor

Indicate the threats and techniques used by the threat actor, including:

  • social engineering, including phishing;

  • (D)DoS;

  • identity theft;

  • data encryption for impact, including ransomware;

  • resource hijacking;

  • data exfiltration and manipulation, excluding identity theft;

  • data destruction;

  • defacement;

  • supply-chain attack;

  • other (please specify).

No

Yes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23

Yes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23

Choice (multiple):

  • Social engineering (including phishing);

  • (D)DoS;

  • Identity theft;

  • Data encryption for impact, including ransomware;

  • Resource hijacking;

  • Data exfiltration and manipulation, including identity theft;

  • Data destruction;

  • Defacement;

  • Supply-chain attack;

  • Other (please specify).

  • Other types of techniques

Other types of techniques

Financial entities that have selected ‘other’ type of techniques in data field 3.25 shall specify the type of technique.

No

Yes, if ‘other’ type of techniques is selected in data field 3.25

Yes, if ‘other’ type of techniques is selected in data field 3.25

Alphanumeric

  • Information about affected functional areas and business processes

Indication of the functional areas and business processes that are affected by the incident, including products and services.

The functional areas shall include but are not limited to:

  • marketing and business development;

  • customer service;

  • product management;

  • regulatory compliance;

  • risk management;

  • finance and accounting;

  • HR and general services;

  • information technology.

The business processes shall include but are not limited to:

  • account information;

  • actuarial services;

  • acquiring of payment transactions;

  • authentication/authorization;

  • authority;

  • client on-boarding;

  • benefit administration;

  • benefit payment management;

  • buying and selling packaged insurances policies between insurances;

  • card payments;

  • cash management;

  • cash placement or withdrawals;

  • insurance claim management;

  • claim process insurance;

  • clearing;

  • corporate loans conglomerates;

  • collective insurances;

  • credit transfers;

  • custody and asset safekeeping;

  • customer onboarding;

  • data ingestion;

  • data processing;

  • direct debits;

  • export insurances;

  • finalizing trades/deals;

  • financial instruments placing;

  • fund accounting;

  • FX money;

  • investment advice;

  • investment management;

  • issuing of payment instruments;

  • lending management;

  • life insurance payments process;

  • money remittance;

  • net asset calculation;

  • order;

  • payment initiation;

  • insurance underwriting;

  • portfolio management;

  • premium collection;

  • reception/transmission/execution;

  • reinsurance;

  • settlement;

  • transaction monitoring.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, the affected functional areas and business processes in at least one financial entity.

No

Yes

Yes

Alphanumeric

  • Affected infrastructure components supporting business processes

Information on whether infrastructure components (servers, operating systems, software, application servers, middleware, network components, others) supporting business processes have been affected by the major ICT-related incident.

No

Yes

Yes

Choice:

  • Yes;

  • No;

  • Information not available.

  • Information about affected infrastructure components supporting business processes

Description on the impact of the major ICT-related incident on infrastructure components supporting business processes including hardware and software.

Hardware includes servers, computers, data centres, switches, routers, hubs. Software includes operating systems, applications, databases, security tools, network components, others please specify. The descriptions shall describe or name affected infrastructure components or systems, and, where available:

  • version information;

  • internal infrastructure/partially outsourced/fully outsourced – third-party provider name;

  • whether the infrastructure is used or shared across multiple business functions;

  • relevant resilience/continuity/recovery/substitutability arrangements in place.

No

Yes, if the incident has affected infrastructure components supporting business processes

Yes, if the incident has affected infrastructure components supporting business processes

Alphanumeric

  • Impact on the financial interest of clients

Information on whether the major ICT-related incident has impacted the financial interest of clients.

No

Yes

Yes

Choice:

  • Yes;

  • No;

  • Information not available.

  • Reporting to other authorities

Specification of which authorities were informed about the major ICT-related incident.

Taking into account the differences resulting from the national legislation of the Member States, the concept of law enforcement authorities shall be understood by financial entities broadly to include public authorities empowered to prosecute cybercrime, including police, law enforcement agencies, and public prosecutors.

No

Yes

Yes

Choice (multiple):

  • Police/Law Enforcement;

  • CSIRT;

  • Data Protection Authority;

  • National Cybersecurity Agency;

  • None;

  • Other (please specify).

  • Specification of ‘other’ authorities

Specification of ‘other’ types of authorities informed about the major ICT-related incident.

If selected in Data field 3.31 ‘Other’, the description shall include more detailed information about the authority to which the financial entity has submitted information about the major ICT-related incident.

No

Yes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident.

Yes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident

Alphanumeric

  • Temporary actions/measures taken or planned to be taken to recover from the incident

Indication of whether the financial entity has implemented (or plans to implement) any temporary actions that have been taken (or planned to be taken) to recover from the major ICT-related incident.

No

Yes

Yes

Boolean (Yes or No)

  • Description of any temporary actions and measures taken or planned to be taken to recover from the incident

The information shall describe the immediate actions taken, including the isolation of the incident at the network level, workaround procedures activated, USB ports blocked, Disaster Recovery site activated, any other additional security controls temporarily put in place.

Financial entities shall indicate the date and the time of the implementation of the temporary actions and the expected date of return to the primary site. For any temporary actions that have not been implemented but are still planned, indication of the date by when their implementation is expected.

If no temporary actions/measures have been taken, please indicate the reason.

No

Yes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)

Yes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)

Alphanumeric

  • Indicators of compromise

Information related to the major ICT-related incident that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.

The field applies only to those financial entities that fall within the scope of Directive (EU) 2022/2555 of the European Parliament and of the Council (1).

(1) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, http://data.europa.eu/eli/dir/2022/2555/oj).

The IoC provided by the financial entity shall include the following categories of data:

  • IP addresses;

  • URL addresses;

  • domains;

  • file hashes;

  • malware data (malware name, file names and their locations, specific registry keys associated with malware activity);

  • network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);

  • email message data (sender, recipient, subject, header, content);

  • DNS requests and registry configurations;

  • user account activities (logins, privileged user account activity, privilege escalation);

  • database traffic (read/write), requests to the same file.

In practice, this type of information may include data relating to, inter alia, indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits.

No

Yes, if cybersecurity-related is selected as a type of incident in data field 3.23

Yes, if cybersecurity-related is selected as a type of incident in data field 3.23

Alphanumeric

Content of the final report

  • High-level classification of root causes of the incident

High-level classification of root cause of the major ICT-related incident under the incident types, including the following high-level categories:

  • malicious actions;

  • process failure;

  • system failure/malfunction;

  • human error;

  • external event.

No

No

Yes

Choice (multiple):

  • malicious actions;

  • process failure;

  • system failure / malfunction;

  • human error;

  • external event.

  • Detailed classification of root causes of the incident

Detailed classification of root causes of the major ICT-related incident under the incident types, including the following detailed categories linked to the high-level categories that are reported in data field 4.1:

  • Malicious actions (if selected, choose one or more of the following):

    • deliberate internal actions;

    • deliberate physical damage/manipulation/theft;

    • fraudulent actions.

  • Process failure (if selected, choose one or more of the following):

    • insufficient monitoring or failure of monitoring and control;

    • insufficient/unclear roles and responsibilities;

    • ICT risk management process failure;

    • insufficient or failure of ICT operations and ICT security operations;

    • insufficient or failure of ICT project management;

    • inadequate internal policies, procedures and documentation;

    • inadequate ICT systems acquisition, development, or maintenance;

    • other (please specify).

  • System failure/malfunction (if selected, choose one or more of the following):

    • hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;

    • hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;

    • hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;

    • software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;

    • software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;

    • network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;

    • physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;

    • other (please specify).

  • Human error (if selected, choose one or more of the following):

    • omission (unintentional);

    • mistake;

    • skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;

    • inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;

    • miscommunication;

    • other (please specify).

  • External event (if selected, choose one or more of the following):

    • natural disasters/force majeure;

    • third-party failures;

    • other (please specify).

Financial entities shall consider that for recurring major ICT-related incidents, the specific apparent root cause of the incident is taken into account and not the broad categories included in this field.

No

No

Yes

Choice (multiple):

  • malicious actions: deliberate internal actions;

  • malicious actions: deliberate physical damage/manipulation/theft;

  • malicious actions: fraudulent actions;

  • process failure: insufficient monitoring or failure of monitoring and control;

  • process failure: insufficient/unclear roles and responsibilities;

  • process failure: ICT risk management process failure;

  • process failure: insufficient or failure of ICT operations and ICT security operations;

  • process failure: insufficient or failure of ICT project management;

  • process failure: inadequacy of internal policies, procedures and documentation;

  • process failure: inadequate ICT systems acquisition, development, and maintenance;

  • process failure: other (please specify);

  • system failure: hardware capacity and performance;

  • system failure: hardware maintenance;

  • system failure: hardware obsolescence/ageing;

  • system failure: software compatibility/configuration;

  • system failure: software performance;

  • system failure: network configuration;

  • system failure: physical damage;

  • system failure: other (please specify);

  • human error: omission;

  • human error: mistake;

  • human error: skills & knowledge;

  • human error: inadequate human resources;

  • human error: miscommunication;

  • human error: other (please specify);

  • external event: natural disasters/force majeure;

  • external event: third-party failures;

  • external event: other (please specify).

  • Additional classification of root causes of the incident

Additional classification of root causes of the major ICT-related incident under the incident type, including the following additional classification categories linked to the detailed categories that are to be reported in data field 4.2.

The field is mandatory for the final report if specific categories that require further granularity are reported in data field 4.2.

  • Insufficient or failure of monitoring and control:

    • monitoring of policy adherence;

    • monitoring of third-party service providers;

    • monitoring and verification of remediation of vulnerabilities;

    • identity and access management;

    • encryption and cryptography;

    • logging.

  • ICT risk management process failure:

    • failure in specifying accurate risk tolerance levels;

    • insufficient vulnerability and threat assessments;

    • inadequate risk treatment measures;

    • poor management of residual ICT risks.

  • Insufficient or failure of ICT operations and ICT security operations:

    • vulnerability and patch management;

    • change management;

    • capacity and performance management;

    • ICT asset management and information classification;

    • backup and restore;

    • error handling.

  • Inadequate ICT Systems acquisition, development, and maintenance:

    • inadequate ICT Systems acquisition, development, and maintenance;

    • insufficient software testing or failure of software testing.

No

No

Yes

Choice (multiple):

  • monitoring of policy adherence;

  • monitoring of third-party service providers;

  • monitoring and verification of remediation of vulnerabilities;

  • identity and access management;

  • encryption and cryptography;

  • logging;

  • failure in specifying accurate risk tolerance levels;

  • insufficient vulnerability and threat assessments;

  • inadequate risk treatment measures;

  • poor management of residual ICT risks;

  • vulnerability and patch management;

  • change management;

  • capacity and performance management;

  • ICT asset management and information classification;

  • backup and restore;

  • error handling;

  • inadequate ICT systems acquisition, development, and maintenance;

  • insufficient or failure of software testing.

  • Other types of root cause types

Financial entities that have selected ‘other’ type of root cause in data field 4.2 shall specify other types of root cause types.

No

No

Yes, if ‘other’ type of root causes is selected in data field 4.2.

Alphanumeric

  • Information about the root causes of the incident

Description of the sequence of events that led to the major ICT-related incident and description of how the major ICT-related incident has a similar apparent root cause if that incident is classified as a recurring incident, including a concise description of all underlying reasons and primary factors that contributed to the occurrence of the major ICT-related incident.

Where there were malicious actions, description of the modus operandi of the malicious action, including the tactics, techniques and procedures used, as well as the entry vector of the major ICT-related incident, including a description of the investigations and analysis that led to the identification of the root causes, if applicable.

No

No

Yes

Alphanumeric

  • Incident resolution

Additional information regarding the actions/measures taken/planned to permanently resolve the major ICT-related incident and to prevent that incident from happening again.

Lessons learnt from the major ICT-related incident.

The description shall contain the following points:

  • Resolution actions description

    • Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);

    • for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;

    • indicate whether procedures have been adapted following the major ICT-related incident;

    • indicate any additional controls that were put in place or that are planned with related implementation timeline.

    Potential issues identified regarding the robustness of the IT systems impacted and/or in terms of the procedures or controls in place, if applicable.

    Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently.

  • Lessons learnt

    Financial entities shall describe findings from the post-incident review.

No

No

Yes

Alphanumeric

  • Date and time when the incident root cause was addressed

Date and time when the incident root cause was addressed.

No

No

Yes

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Date and time when the incident was resolved

Date and time when the incident was resolved.

No

No

Yes

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)

  • Information if the permanent resolution date of the incidents differs from the initially planned implementation date

Descriptions of the reason why the permanent resolution date of the major ICT-related incidents is different from the initially planned implementation date, where applicable.

No

No

Yes

Alphanumeric

  • Assessment of risk to critical functions for resolution purposes

Assessment of whether the major ICT-related incident poses a risk to critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council (2).

(2) Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190, http://data.europa.eu/eli/dir/2014/59/oj).

Entities as referred to in Article 1(1) of Directive 2014/59/EU shall indicate whether the incident poses a risk to the critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU, and as reported in Template Z07.01 of Commission Implementing Regulation (EU) 2018/1624 (3).

(3) Commission Implementing Regulation (EU) 2018/1624 of 23 October 2018 laying down implementing technical standards with regard to procedures and standard forms and templates for the provision of information for the purposes of resolution plans for credit institutions and investment firms pursuant to Directive 2014/59/EU of the European Parliament and of the Council, and repealing Commission Implementing Regulation (EU) 2016/1066 (OJ L 277, 7.11.2018, p. 1, http://data.europa.eu/eli/reg_impl/2018/1624/oj).

No

No

Yes, if the incident poses a risk to critical functions of financial entities under Article 2(1), point 35, of Directive 2014/59/EU

Alphanumeric

  • Information relevant for resolution authorities

Description of whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.

Entities as referred to in Article 1(1) of Directive 2014/59/EU shall provide information on whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.

Those entities shall also indicate whether the major ICT-related incident affects the solvency or liquidity of the financial entity and the potential quantification of the impact.

Those entities shall also provide information on the impact on operational continuity, impact on resolvability of the entity, any additional impact on the costs and losses from the major ICT-related incident, including on the financial entity’s capital position, and whether the contractual arrangements on the use of ICT services are still robust and fully enforceable in the event of resolution of the entity.

No

No

Yes, if the incident has affected the resolvability of the entity or the group

Alphanumeric

  • Materiality threshold for the classification criterion ‘Economic impact’

Detailed information about thresholds eventually reached by the major ICT-related incident in relation to the criterion ‘Economic impact’ referred to in Articles 7 and 14 of the Delegated Regulation (EU) 2024/1772.

No

No

Yes

Alphanumeric

  • Amount of gross direct and indirect costs and losses

Total amount of gross direct and indirect costs and losses incurred by the financial entity stemming from the major ICT-related incident, including:

  • the amount of expropriated funds or financial assets for which the financial entity is liable;

  • the amount of replacement or relocation costs of software, hardware or infrastructure;

  • the amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff;

  • the amount of fees due to non-compliance with contractual obligations;

  • the amount of customer redress and compensation costs;

  • the amount of losses due to forgone revenues;

  • the amount of costs associated with internal and external communication;

  • the amount of advisory costs, including costs associated with legal counselling, forensic and remediation services;

  • the amount of other costs and losses, including:

    • direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;

    • provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident;

    • pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;

    • material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;

    • timing losses, where they span more than one financial accounting year and give rise to legal risk.

Financial entities shall take into account in their assessment Article 7(1) and (2) of Delegated Regulation (EU) 2024/1772. Financial entities shall not include in this figure financial recoveries of any type.

Financial entities shall report the monetary amount as a positive value.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of costs and losses across all financial entities.

Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units.

No

No

Yes

Monetary

  • Amount of financial recoveries

Total amount of financial recoveries.

Financial recoveries shall relate to the original loss caused by the incident, independently from the time when the financial recoveries in the form of funds or inflows of economic benefits are received.

Financial entities shall report the monetary amount as a positive value.

In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of financial recoveries across all financial entities.

No

No

Yes

Monetary

Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units.

  • Information on whether the non-major incidents have been recurring

Information on whether more than one non-major ICT-related incident have been recurring and are together considered to be a major incident within the meaning of Article 8(2) of Delegated Regulation (EU) 2024/1772.

Financial entities shall indicate whether the non-major ICT-related incidents have been recurring and are together considered as one major ICT-related incident.

Financial entities shall also indicate the number of occurrences of these non-major ICT-related incidents.

No

No

Yes, if the major incident comprises more than one non-major recurring incidents.

Alphanumeric

  • Date and time of occurrence of recurring incidents

Where financial entities report recurring ICT-related incidents, date and time at which the first ICT-related incident has occurred.

No

No

Yes, for recurring incidents

ISO 8601 standard UTC (YYYY-MM-DD Thh:mm:ss)
