Source: OJ L, 2025/302, 20.2.2025Current language: FR
- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Article 8 Notification des cybermenaces importantes
Summary What does Article 8 of the ITS on templates for incident reporting say?
This brief article addresses the procedural requirements for financial entities that choose to notify competent authorities of significant cyber threats.
It mirrors the approach taken in earlier articles of this regulation regarding major ICT-related incident reporting, but applies specifically to the voluntary notification pathway for significant cyber threats under DORA.
Rather than leaving the format open-ended, the article directs financial entities to use a dedicated template and accompanying glossary — namely Annex III and Annex IV — and places a clear obligation on the accuracy and completeness of the information submitted.
Important points:
- Use Annex III as the prescribed template and Annex IV as the data glossary when notifying competent authorities of significant cyber threats.
- Ensure all information submitted in the notification is complete and accurate.
- This article applies specifically to the voluntary notification of significant cyber threats, which are threats that could potentially result in a major ICT-related incident, as distinct from the mandatory major incident reporting covered elsewhere in the regulation.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Les entités financières qui notifient des cybermenaces importantes aux autorités compétentes conformément à l’article 19, paragraphe 2, du règlement (UE) 2022/2554 utilisent le modèle figurant à l’annexe III du présent règlement et se conforment au glossaire de données et aux instructions figurant à l’annexe IV du présent règlement.
Les entités financières veillent à ce que les informations figurant dans la notification des cybermenaces importantes soient complètes et exactes.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident opérationnel ou de sécurité majeur lié au paiement
(En. major operational or security payment-related incident)
Definition
cybermenace
(En. cyber threat)
Definition
sécurité des réseaux et des systèmes d’information
(En. security of network and information systems)
Definition
incident lié aux TIC
(En. ICT-related incident)
Definition
incident opérationnel ou de sécurité lié au paiement
(En. operational or security payment-related incident)
Definition
cybermenace importante
(En. significant cyber threat)
Definition
incident majeur lié aux TIC
(En. major ICT-related incident)
Definition
fonction critique ou importante
(En. critical or important function)