Source: OJ L, 2025/302, 20.2.2025
EN- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Annex IV Data glossary and instructions for notification of significant cyber threats
Data field | Description | Mandatory field | Field type |
---|---|---|---|
| Full legal name of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the notification. | Yes | Alphanumeric |
| Identification code of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the notification. Where financial entitiesas defined in Article 2, points (a) to (t) submit the notification/report, the identification code shall be a Legal Entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020. Where a third-party provider submits a report for a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, it may use an identification code as specified in the implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554. | Yes | Alphanumeric |
| Type of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; referred to in Article 2(1), points (a) to (t) of Regulation (EU) 2022/2554 submitting the report. | Yes, if the report is not provided by the affected financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; directly. | Choice (multiselect):
|
| Full legal name of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; notifying the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;. | Yes, if the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is different from the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the notification | Alphanumeric |
| Legal Entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; Identifier (LEI) of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; notifying the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;, assigned in accordance with the International Organisation for Standardisation. | Yes, if the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; notifying the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; is different from the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the report | Unique alphanumeric 20 character code, based on ISO 17442-1:2020 |
| Name and surname of the primary contact person of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. | Yes | Alphanumeric |
| Email address of the primary contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication. | Yes | Alphanumeric |
| The telephone number of the primary contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication. The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX) | Yes | Alphanumeric |
| Name and surname of the second contact person of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the notification on behalf of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, where available. | Yes, if name and surname of the second contact person of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; or an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; submitting the notification for the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is available | Alphanumeric |
| Email address of the second contact person or a functional email address of the team that can be used by the competent authorityas defined in Article 46 for follow-up communication, where available. | Yes, if email address of the second contact person or a functional email address of the team that can be used by the competent authorityas defined in Article 46 for follow-up communication is available | Alphanumeric |
| The telephone number of the second contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication, where available. The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX). | Yes, if the telephone number of the second contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication is available | Alphanumeric |
| Date and time at which the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has become aware of the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;. | Yes | ISO 8601 standard means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). UTC (YYYY-MM-DD Thh: mm:ss) |
| Description of the most relevant aspects of the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;. Financial entitiesas defined in Article 2, points (a) to (t) shall provide:
| Yes | Alphanumeric |
| Information about the potential impact of the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; on the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, its clients or financial counterparts if the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; has materialised | Yes | Alphanumeric |
| The classification criteria that could have triggered a major incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; report if the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; had materialised. | Yes | Choice (multiple):
|
| Information about the status of the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; for the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and whether there have been any changes in the threat activity. Where the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; has stopped communicating with the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s information systems, the status can be marked as inactive. If the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has information that the threat remains active against other parties or the financial system as a whole, the status shall be marked as active. | Yes | Choice:
|
| High-level information about the actions taken by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to prevent the materialisation of the significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage;, if applicable. | Yes | Alphanumeric |
| Information about notification of the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; to other financial entitiesas defined in Article 2, points (a) to (t) or authorities. | Yes, if other financial entitiesas defined in Article 2, points (a) to (t) or authorities have been informed about the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;) | Alphanumeric |
| Information related to the significant threat that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable. The IoC provided by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; may include, but is not to be limited to, the following categories of data:
This type of information may include data relating to indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits. | Yes, if information about indicators of compromise connected with the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; are available) | Alphanumeric |
| Any other relevant information about the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; | Yes, if applicable and if there is other information available, not covered in the template | Alphanumeric |
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.