Art. 7 Aggregated reporting | ITS on templates for incident reporting | DORA

1. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; impacting multiple financial entitiesas defined in Article 2, points (a) to (t) in one single notification or report, and submit that notification or report to the competent authorityas defined in Article 46 on behalf of all impacted financial entitiesas defined in Article 2, points (a) to (t), provided that all of the following conditions are met:
  1. the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; to be reported originates from or is being caused by a third-party ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; provider;
  2. that third-party service provider provides the relevant ICT service means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; to more than one financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, or to a group means a group as defined in Article 2, point (11), of Directive 2013/34/EU;;
  3. the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; is classified as major by each financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; covered in the aggregated notification or report;
  4. the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; affects financial entitiesas defined in Article 2, points (a) to (t) within a single Member State and the aggregated report relates to financial entitiesas defined in Article 2, points (a) to (t) which are supervised by the same competent authorityas defined in Article 46;
  5. competent authoritiesas defined in Article 46 have explicitly permitted this type of financial entitiesas defined in Article 2, points (a) to (t) to aggregate their reporting.
1. Paragraph 1 shall not apply to credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014 of the European Central Bank (⁸)Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (SSM Framework Regulation) (ECB/2014/17) (OJ L 141, 14.5.2014, p. 1, ELI: http://data.europa.eu/eli/reg/2014/468/oj)., operators of trading venues means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;, and central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;, which shall only use the template in Annex I to submit major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; notifications or reports individually to their competent authorityas defined in Article 46.
1. Where competent authoritiesas defined in Article 46 require information on the individual impact of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; on a single financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, upon request of the competent authorityas defined in Article 46, the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; shall submit an individual notification or a report on the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;.