Article 7

Note: This article is based on the final draft from the ESAs and is not yet adopted.

Content of the voluntary notification of significant cyber threat
The content of the notification in relation to significant cyber threats in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall cover:
- general information about the reporting entity as set out in Article 4;
- date and time of detection of the significant cyber threat and any other relevant timestamps related to the threat;
- description of the significant cyber threat;
- information about the potential impact of the cyber threat on the financial entity, its clients and/or financial counterparts;
- the classification criteria that would have triggered a major incident report, if the cyber threat had materialised;
- information about the status of the cyber threat and any changes in the threat activity;
- description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats, where applicable; and
- information about notification of the cyber threat to other financial entities or authorities;
- information on indicators of compromise, where applicable; and
- other relevant information, where available.