Major incident reporting

Preamble (Recitals 1 – 8)

Recitals

Article 1

General provisions

Article 2

General information to be provided in the major incident initial notification, intermediate and final reports

Article 3

Content of initial notifications

Article 4

Content of intermediate reports

Article 5

Content of final reports

Article 6

Time limits for the initial notification and intermediate report and final reports referred to in Article 19(4) of Regulation (EU)2022/2554

Article 7

Content of the voluntary notification of significant cyber threat

Article 8

Entry into force

MIR Recitals

Recital 1

Given that Regulation (EU) 2022/2554 aims to harmonise and streamline incident reporting requirements, and to ensure that competent and other relveant authorities receive all necessary information about the major incident in order to take supervisory actions and to prevent potential spill-over effects, the reports for major incidents submitted from financial entitiesas defined in Article 2, points (a) to (t) to competent authoritiesas defined in Article 46 should provide essential and exhaustive information about the incident, in a consistent and standardised manner for all financial entitiesas defined in Article 2, points (a) to (t) within the scope of Regulation (EU) 2022/2554.

Recital 2

With a view to ensure the harmonisation of the reporting requirements for major incidents and to maintain a consistent approach with Directive (EU) 2022/2555, the time limits for reporting major incidents should be consistent for all types of financial entitiesas defined in Article 2, points (a) to (t). The time limits should also be consistent with, to the greatest extent possible, and at least equivalent in effect to the requirements set out in Directive (EU) 2022/2555.

Recital 3

In order to take proper action, competent authoritiesas defined in Article 46 need to receive information about the major incident at the very early stages after the incident has been classified as major. Consequently, the timeline for submitting the initial notification should be as short as possible after classification of the incident but also providing flexibility for financial entitiesas defined in Article 2, points (a) to (t), especially for non-time critical service business models, with a longer timeline after financial entitiesas defined in Article 2, points (a) to (t) become aware of the incident in case financial entitiesas defined in Article 2, points (a) to (t) require more time to handle the incident. To avoid imposing an undue reporting burden to the financial entity at a time when it will be handling with the incident, the content of such initial notification should be limited to the most significant information.

Recital 4

Given that, after having received the initial notification, competent authoritiesas defined in Article 46 will need more detailed information about the incident with the intermediate report and the full set of relevant information with the final report to further assess the situation and evaluate supervisory actions they may want to take, the reporting timelines should be such to allow competent authoritiesas defined in Article 46 to receive the information timely, while ensuring financial entitiesas defined in Article 2, points (a) to (t) have sufficient time to obtain complete and accurate information.

Recital 5

In accordance with the proportionality requirement set out in Article 20(a), second sub-paragraph of Regulation (EU) 2022/2554, the reporting timelines should not pose burden to microenterprisesmeans a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million; and other financial entitiesas defined in Article 2, points (a) to (t) that are not significant. Therefore, the reporting timelines should take into account, in particular weekends and bank holidays.

Recital 6

Since significant cyber threatsmeans a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; are to be reported on a voluntary basis, the requested information should not pose burden to financial entitiesas defined in Article 2, points (a) to (t) to obtain and should be more limited than the information requested for major incidents.

Recital 7

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Supervisory Authorities.

Recital 8

The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the […] Stakeholder Groupmeans a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulations (EU) No 1093/2010, 1094/2010 and 1095/2010 of the European Parliament and of the Council (1)Regulation (EU) No 109x/2010 of the European Parliament and of the Council ...[+full title] (OJ L [number], [date dd.mm.yyyy], [p. ].)..