Art. 5 Time limits for the initial notification, and for the intermediate and final reports | RTS on incident reporting |

1. Financial entitiesas defined in Article 2, points (a) to (t) shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits:
  1. for the initial report: as early as possible, but in any case, within four hours from the classification of the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; as a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and no later than 24 hours from the moment the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has become aware of the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;;
  2. for the intermediate report: at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; have not changed as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554. Financial entitiesas defined in Article 2, points (a) to (t) shall submit an updated intermediate report without undue delay, and in any case when the regular activities have been recovered;
  3. for the final report: no later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report.
1. Where the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has not classified an ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; as major within 24 hours from the moment the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; has become aware of the ITC-related incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; but classifies that ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; as major at a later stage, the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; shall submit the initial notification within four hours from the classification of the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; as a major incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;.
1. Financial entitiesas defined in Article 2, points (a) to (t) that are unable to submit the initial notification, intermediate report, or final report within the time limits set out in paragraph 1, shall inform the competent authorityas defined in Article 46 thereof without undue delay, but no later than the respective time limits for the submission of the notification or report, and shall explain the reasons for the delay.
1. Where the time limit for the submission of an initial notification, intermediate report, or a final report falls on a weekend day or a bank holiday in the Member State of the reporting financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; may submit the initial notification, intermediate or final reports by noon of the next working day.
1. Paragraph 4 shall not apply for the submission of an initial notification or an intermediate report by credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., central counterparties means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;, operators of trading venues means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;, and other financial entitiesas defined in Article 2, points (a) to (t) identified as essential or important entitiesas defined in Article 3 of Directive (EU) 2022/2555 pursuant to Article 3 of Directive (EU) 2022/2555.
1. Competent authoritiesas defined in Article 46 may decide that paragraph 4 shall not apply for the submission of an initial notification or an intermediate report by financial entitiesas defined in Article 2, points (a) to (t), other than those referred to in paragraph 5, which are significant or have a systemic character for the financial sector at national or Union level. Competent authoritiesas defined in Article 46 shall notify their decision to the identified financial entitiesas defined in Article 2, points (a) to (t). The decision of the competent authorityas defined in Article 46 shall only apply in respect of incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; reported after the date of notification of the decision by the competent authorityas defined in Article 46 to the identified financial entitiesas defined in Article 2, points (a) to (t).