Source: OJ L, 2025/301, 20.2.2025
EN- Digital operational resilience in the financial sector
ICT-related incidents
- RTS on incident reporting
Article 6 Content of the voluntary notification of significant cyber threats
The content of the voluntary notification in relation to significant cyber threats means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following:
general information about the notifying financial entity as set out in Article 1;
the date and time of detection of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; and any other relevant timestamps related to the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;;
a description of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;;
information about the potential impact of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; on the financial entity, its clients, or financial counterparts;
the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881; had materialised;
information about the status of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; and any changes in the threat activity;
where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;;
information about any notification of the significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; to other financial entitiesas defined in Article 2, points (a) to (t) or authorities;
where applicable, information on indicators of compromise;
where available, any other relevant information.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.