Source: OJ L, 2025/302, 20.2.2025
EN- Digital operational resilience in the financial sector
ICT-related incidents
- ITS on templates for incident reporting
Annex I Templates for the reporting of major incidents
Number of field | Data field | |
|---|---|---|
General information about the financial entity | ||
1.1 | Type of submission | |
1.2 | Name of the entity submitting the report | |
1.3 | Identification code of the entity submitting the report | |
1.4 | Type of financial entity affected | |
1.5 | Name of the financial entity affected | |
1.6 | LEI code of the financial entity affected | |
1.7 | Primary contact person name | |
1.8 | Primary contact person email | |
1.9 | Primary contact person telephone | |
1.10 | Second contact person name | |
1.11 | Second contact person email | |
1.12 | Second contact person telephone | |
1.13 | Name of the ultimate parent undertaking means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU; | |
1.14 | LEI code of the ultimate parent undertaking means a parent undertaking within the meaning of Article 2, point (9), and Article 22 of Directive 2013/34/EU; | |
1.15 | Reporting currency | |
Content of the initial notification | ||
2.1 | Incident reference code assigned by the financial entity | |
2.2 | Date and time of detection of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
2.3 | Date and time of classification of the ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; as major | |
2.4 | Description of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
2.5 | Classification criteria that triggered the incident report | |
2.6 | Materiality thresholds for the classification criterion ‘Geographical spread’ | |
2.7 | Discovery of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
2.8 | Indication whether the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; originates from a third-party provider or another financial entity | |
2.9 | Activation of business continuity plan, if activated | |
2.10 | Other relevant information | |
Content of the intermediate report | ||
3.1 | Incident reference code provided by the competent authorityas defined in Article 46 | |
3.2 | Date and time of occurrence of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
3.3 | Date and time when services, activities or operations have been recovered | |
3.4 | Number of clients affected | |
3.5 | Percentage of clients affected | |
3.6 | Number of financial counterparts affected | |
3.7 | Percentage of financial counterparts affected | |
3.8 | Impact on relevant clients or financial counterparts | |
3.9 | Number of affected transactions | |
3.10 | Percentage of affected transactions | |
3.11 | Value of affected transactions | |
3.12 | Information on whether the numbers are actual or estimates, or whether there has not been any impact | |
3.13 | Reputational impact | |
3.14 | Contextual information about the reputational impact | |
3.15 | Duration of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
3.16 | Service downtime | |
3.17 | Information on whether the numbers for duration and service downtime are actual or estimates. | |
3.18 | Types of impact in the Member States | |
3.19 | Description of how the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; has an impact in other Member States | |
3.20 | Materiality thresholds for the classification criterion ‘Data losses’ | |
3.21 | Description of the data losses | |
3.22 | Classification criterion ‘Critical services affected’ | |
3.23 | Type of the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; | |
3.24 | Other types of incidents | |
3.25 | Threats and techniques used by the threat actor | |
3.26 | Other types of techniques | |
3.27 | Information about affected functional areas and business processes | |
3.28 | Affected infrastructure components supporting business processes | |
3.29 | Information about affected infrastructure components supporting business processes | |
3.30 | Impact on the financial interest of clients | |
3.31 | Reporting to other authorities | |
3.32 | Specification of ‘other’ authorities | |
3.33 | Temporary actions/measures taken or planned to be taken to recover from the incident | |
3.34 | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | |
3.35 | Indicators of compromise | |
Content of the final report | ||
4.1 | High-level classification of root causes of the incident | |
4.2 | Detailed classification of root causes of the incident | |
4.3 | Additional classification of root causes of the incident | |
4.4 | Other types of root cause types | |
4.5 | Information about the root causes of the incident | |
4.6 | Incident resolution summary | |
4.7 | Date and time when the incident root cause was addressed | |
4.8 | Date and time when the incident was resolved | |
4.9 | Information if the permanent resolution date of the incident differs from the initially planned implementation date | |
4.10 | Assessment of risk to critical functions for resolution purposes | |
4.11 | Information relevant for resolution authorities | |
4.12 | Materiality threshold for the classification criterion ‘Economic impact’ | |
4.13 | Amount of gross direct and indirect costs and losses | |
4.14 | Amount of financial recoveries | |
4.15 | Information on whether the non-major incidents have been recurring | |
4.16 | Date and time of occurrence of recurring incidents | |
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.