Article 1 | Implementing Regulation 2025/302

Updated 09/05/2025

Metadata

In force

Initial Legal Act

Amendments

Article 1 - Implementing Regulation 2025/302

Article 1

Template for reporting ICT-related major incidents

1. Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows:

(a)

financial entities that submit an initial notification shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 2 of Commission Delegated Regulation (EU) 2025/301 (7), and may, where they already have that information, complete those data fields the completion of which is not required for an initial notification but is required for an intermediate or final report;

(b)

financial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2025/301 and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report.

(c)	financial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2025/301.

2. Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate.

3. Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report.

4. When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report.

5. Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I.

(7) Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats. (OJ L, 2025/301, 20.2.2025, ELI: http://data.europa.eu/eli/reg_del/2025/301/oj).

Recitals Article 1 - Template for reporting ICT-related major incidents Article 2 - Joint submission of initial notification, intermediate and final reports Article 3 - Recurring ICT-related incidents Article 4 - Use of secure electronic channels Article 5 - Reclassification of major ICT-related incidents Article 6 - Notification of outsourcing of the reporting obligations Article 7 - Aggregated reporting Article 8 - Notification of significant cyber threats Article 9 - Entry into force ANNEX I - TEMPLATES FOR THE REPORTING OF MAJOR INCIDENTS ANNEX II - DATA GLOSSARY AND INSTRUCTIONS FOR THE REPORTING OF MAJOR INCIDENTS ANNEX III - TEMPLATES FOR NOTIFICATION OF SIGNIFICANT CYBER THREATS ANNEX IV - DATA GLOSSARY AND INSTRUCTIONS FOR NOTIFICATION OF SIGNIFICANT CYBER THREATS

Metadata

Related documents

Article 1 - Implementing Regulation 2025/302

Table of contents