Article 3
Specific information to be provided in intermediate reports
Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information:
|
(a) |
where applicable, the incident reference code provided by the competent authority; |
|
(b) |
the date and time of occurrence of the ICT-related incident; |
|
(c) |
where applicable, the date and time when the financial entity has recovered its regular activities; |
|
(d) |
information about how the criteria laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 have been fulfilled, on the basis of which the financial entity classified the ITC-related incident as major; |
|
(e) |
the type of ICT-related incident; |
|
(f) |
where applicable, the threats and techniques used by the threat actor; |
|
(g) |
affected functional areas and business processes; |
|
(h) |
affected infrastructure components supporting business processes; |
|
(i) |
impact on the financial interest of clients; |
|
(j) |
information about reporting about the ICT-related incident to other authorities; |
|
(k) |
temporary actions or measures taken or planned to be taken by the financial entity to recover from the ICT-related incident; |
|
(l) |
where applicable, information on indicators of compromise. |