1.   A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met:

(a)	the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider;

(b)	that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group;

(c)	the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report;

(d)	the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority;

(e)	competent authorities have explicitly permitted this type of financial entities to aggregate their reporting.

2.   Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014 of the European Central Bank (8), operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority.

3.   Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident.