Annex IV Data glossary and instructions for notification of significant cyber threats

Identification code of the entity submitting the notification.

Where financial entitiesas defined in Article 2, points (a) to (t) submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.

Where a third-party provider submits a report for a financial entity, it may use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.

• credit institution means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council(^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).;

• payment institution means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;;

• exempted payment institution means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;;

• account information service provider means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;;

• electronic money institution means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;;

• exempted electronic money institution means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council;;

• investment firm means an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU;;

• crypto-asset service provider means a crypto-asset service provider as defined in the relevant provision of the Regulation on markets in crypto-assets;;

• issuer of asset-referenced tokens means an issuer of asset-referenced tokens as defined in the relevant provision of the Regulation on markets in crypto-assets;;

• central securities depository means a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014;;

• central counterparty means a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;;

• trading venue means a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU;;

• trade repository means a trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012;;

• manager of alternative investment fund;

• management company means a management company as defined in Article 2(1), point (b), of Directive 2009/65/EC;;

• data reporting service provider means a data reporting service provider within the meaning of Regulation (EU) No 600/2014, as referred to in Article 2(1), points (34) to (36) thereof;;

• insurance and reinsurance undertaking means a reinsurance undertaking as defined in Article 13, point (4), of Directive 2009/138/EC;;

• insurance intermediary means an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 of the European Parliament and of the Council(^34^); Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19)., reinsurance intermediary means a reinsurance intermediary as defined in Article 2(1), point (5), of Directive (EU) 2016/97; and ancillary insurance intermediary means an ancillary insurance intermediary as defined in Article 2(1), point (4), of Directive (EU) 2016/97;;

• institution for occupational retirement provision means an institution for occupational retirement provision as defined in Article 6, point (1), of Directive (EU) 2016/2341;;

• credit rating agency means a credit rating agency as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009;;

• administrator of critical benchmarks means an administrator of ‘critical benchmarks’ as defined in Article 3(1), point (25), of Regulation (EU) 2016/1011;;

• crowdfunding service provider means a crowdfunding service provider as defined in Article 2(1), point (e), of Regulation (EU) 2020/1503 of the European Parliament and of the Council(^35^); Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937 (OJ L 347, 20.10.2020, p. 1).;

• securitisation repository means a securitisation repository as defined in Article 2, point (23), of Regulation (EU) 2017/2402 of the European Parliament and of the Council(^36^); Regulation (EU) 2017/2402 of the European Parliament and of the Council of 12 December 2017 laying down a general framework for securitisation and creating a specific framework for simple, transparent and standardised securitisation, and amending Directives 2009/65/EC, 2009/138/EC and 2011/61/EU and Regulations (EC) No 1060/2009 and (EU) No 648/2012 (OJ L 347, 28.12.2017, p. 35)..

The telephone number of the primary contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication.

The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)

The telephone number of the second contact person that can be used by the competent authorityas defined in Article 46 for follow-up communication, where available.

The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX).

Description of the most relevant aspects of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;.

• a high-level overview of the most relevant aspects of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;;

• the related risks arising from it, including potential vulnerabilities means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; of the systems of the financial entity that can be exploited;

• information about the probability of materialisation of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;; and

• information about the source of information about the cyber threat means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;.

• clients, financial counterparts and transactions affected;

• reputational impact;

• duration and service downtime;

• geographical spread;

• data losses;

• critical services affected;

• economic impact.

Information about the status of the cyber threat means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881; for the financial entity and whether there have been any changes in the threat activity.

Where the cyber threat means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881; has stopped communicating with the financial entity’s information systems, the status can be marked as inactive. If the financial entity has information that the threat remains active against other parties or the financial system as a whole, the status shall be marked as active.

• active;

• inactive.

Information related to the significant threat that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.

• IP addresses;

• URL addresses;

• domains;

• file hashes;

• malware data (malware name, file names and their locations, specific registry keys associated with malware activity);

• network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);

• email message data (sender, recipient, subject, header, content);

• DNS requests and registry configurations;

• user account activities (logins, privileged user account activity, privilege escalation);

• database traffic (read/write), requests to the same file.

This type of information may include data relating to indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits.