0004009
COMMISSION IMPLEMENTING REGULATION (EU) …/... of 23.10.2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (Draft)
European Commission
Regulations
Free
ITS on reporting of major ICT-related incidents (Draft)
COMMISSION IMPLEMENTING REGULATION (EU) …/... of 23.10.2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (Draft)
2024-10-23
The document as a whole was last reviewed and released on 2024-12-13T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within COMMISSION IMPLEMENTING REGULATION (EU) …/... of 23.10.2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (Draft) that have been tagged with their primary and secondary nouns and primary and secondary verbs, in a four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for COMMISSION IMPLEMENTING REGULATION (EU) …/... of 23.10.2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (Draft) are based upon terms found within the Authority Document's defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 [Financial entities shall use secure electronic channels as made available by their competent authority to submit the initial notification and the intermediate and final reports. Article 4 1. Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Business Processes | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [{ICT-related incidents} Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report. Article 1 3.] | Actionable Reports or Measurements | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Document the incident and any relevant evidence in the incident report. CC ID 08659 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e) Financial entities that provide information on non-major recurring ICT-related incidents that cumulatively meet the conditions for one major ICT-related incident as set out in Article 8(2) of Delegated Regulation (EU) 2024/1772, shall provide that information in an aggregated form. Article 3 ¶ 1] | Establish/Maintain Documentation | Detective | |
Share incident information with interested personnel and affected parties. CC ID 01212 [Where after further assessment, the financial entity concludes that the ICT-related incident previously reported as major, at no time fulfilled the classification criteria and thresholds set out in Article 8 of Delegated Regulation (EU) 2024/1772, the financial entity shall notify to the competent authority that it has reclassified the ICT-related incident from major to non-major by providing the information about that reclassification in the template laid down in Annex II to this Regulation in relation to the fields ‘type of report’ and ‘other information’. Article 5 ¶ 1] | Data and Information Management | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3.] | Data and Information Management | Corrective | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2. {is accurate} Financial entities shall ensure that the information contained in the notification of significant cyber threats is complete and accurate. Article 8 2.] | Establish/Maintain Documentation | Corrective | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I. Article 1 5. Financial entities that notify significant cyber threats to competent authorities in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall use the template laid down in Annex III to this Regulation and follow the data … Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1 Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1] | Communicate | Preventive | |
Create an incident response report. CC ID 12700 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901] and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report. Article 1 1.(b) Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901]. Article 1 1.(c) {is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2.] | Establish/Maintain Documentation | Preventive | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Establish/Maintain Documentation | Preventive | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Establish/Maintain Documentation | Preventive | |
Include the incident reference code in the incident response report. CC ID 17297 | Establish/Maintain Documentation | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Establish/Maintain Documentation | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Establish/Maintain Documentation | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Establish/Maintain Documentation | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Establish/Maintain Documentation | Preventive | |
Include recovery measures in the incident response report. CC ID 17299 | Establish/Maintain Documentation | Preventive | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Establish/Maintain Documentation | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014, operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority. Article 7 2. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e)] | Communicate | Preventive | |
Prepare for incident response notifications. CC ID 00584 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an initial notification shall complete the data fields of the template which correspond to the | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [Financial entities shall inform their competent authority as soon as they no longer outsource their reporting obligations as referred to in Article 19(5) of Regulation (EU) 2022/2554. Article 6 3.] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Financial entities shall provide the competent authority with the name, contact details, and identification code of the third-party that will submit the major ICT-related incident notifications or reports for them. Article 6 2.] | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 [Financial entities that have outsourced the obligation to report major ICT-related incidents in accordance with Article 19(5) of Regulation (EU) 2022/2554 shall inform their competent authority of that outsourcing arrangement as soon as the outsourcing arrangement has been concluded and at the latest prior to the first notification or | Communicate | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [{ICT-related incidents} Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report. Article 1 3.] | Monitoring and measurement | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify the supervisory authority. CC ID 00472 [Financial entities shall inform their competent authority as soon as they no longer outsource their reporting obligations as referred to in Article 19(5) of Regulation (EU) 2022/2554. Article 6 3.] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 [Financial entities shall use secure electronic channels as made available by their competent authority to submit the initial notification and the intermediate and final reports. Article 4 1. Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Leadership and high level objectives | Preventive | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1] | Operational management | Preventive | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014, operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority. Article 7 2. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e)] | Operational management | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 [Financial entities that have outsourced the obligation to report major ICT-related incidents in accordance with Article 19(5) of Regulation (EU) 2022/2554 shall inform their competent authority of that outsourcing arrangement as soon as the outsourcing arrangement has been concluded and at the latest prior to the first notification or …] | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Share incident information with interested personnel and affected parties. CC ID 01212 [Where after further assessment, the financial entity concludes that the ICT-related incident previously reported as major, at no time fulfilled the classification criteria and thresholds set out in Article 8 of Delegated Regulation (EU) 2024/1772, the financial entity shall notify to the competent authority that it has reclassified the ICT-related incident from major to nonmajor by providing the information about that reclassification in the template laid down in Annex II to this Regulation in relation to the fields ‘type of report’ and ‘other information’. Article 5 ¶ 1] | Operational management | Corrective | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3.] | Operational management | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e) Financial entities that provide information on non-major recurring ICT-related incidents that cumulatively meet the conditions for one major ICT-related incident as set out in Article 8(2) of Delegated Regulation (EU) 2024/1772, shall provide that information in an aggregated form. Article 3 ¶ 1] | Operational management | Detective | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2. {is accurate} Financial entities shall ensure that the information contained in the notification of significant cyber threats is complete and accurate. Article 8 2.] | Operational management | Corrective | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I. Article 1 5. Financial entities that notify significant cyber threats to competent authorities in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall use the template laid down in Annex III to this Regulation and follow the data … Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1 Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Operational management | Preventive | |
Create an incident response report. CC ID 12700 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901] and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report. Article 1 1.(b) Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901]. Article 1 1.(c) {is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2.] | Operational management | Preventive | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Operational management | Preventive | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Operational management | Preventive | |
Include the incident reference code in the incident response report. CC ID 17297 | Operational management | Preventive | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Preventive | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Preventive | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Preventive | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Preventive | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Preventive | |
Include recovery measures in the incident response report. CC ID 17299 | Operational management | Preventive | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Operational management | Preventive | |
Prepare for incident response notifications. CC ID 00584 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an initial notification shall complete the data fields of the template which correspond to the …] | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Financial entities shall provide the competent authority with the name, contact details, and identification code of the third-party that will submit the major ICT-related incident notifications or reports for them. Article 6 2.] | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Share incident information with interested personnel and affected parties. CC ID 01212 [Where after further assessment, the financial entity concludes that the ICT-related incident previously reported as major, at no time fulfilled the classification criteria and thresholds set out in Article 8 of Delegated Regulation (EU) 2024/1772, the financial entity shall notify to the competent authority that it has reclassified the ICT-related incident from major to nonmajor by providing the information about that reclassification in the template laid down in Annex II to this Regulation in relation to the fields ‘type of report’ and ‘other information’. Article 5 ¶ 1] | Operational management | Data and Information Management | |
Report data loss event information to breach notification organizations. CC ID 01210 [Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3.] | Operational management | Data and Information Management | |
Establish, implement, and maintain incident response notifications. CC ID 12975 [{is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2. {is accurate} Financial entities shall ensure that the information contained in the notification of significant cyber threats is complete and accurate. Article 8 2.] | Operational management | Establish/Maintain Documentation | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [{ICT-related incidents} Financial entities shall provide estimated values based on other available data and information, to the extent possible, where accurate data are not available at the time of reporting for the initial notification or the intermediate report. Article 1 3.] | Monitoring and measurement | Actionable Reports or Measurements | |
Document the incident and any relevant evidence in the incident report. CC ID 08659 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e) Financial entities that provide information on non-major recurring ICT-related incidents that cumulatively meet the conditions for one major ICT-related incident as set out in Article 8(2) of Delegated Regulation (EU) 2024/1772, shall provide that information in an aggregated form. Article 3 ¶ 1] | Operational management | Establish/Maintain Documentation | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
Use secure communication protocols for telecommunications. CC ID 16458 [Financial entities shall use secure electronic channels as made available by their competent authority to submit the initial notification and the intermediate and final reports. Article 4 1. Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Leadership and high level objectives | Business Processes | |
Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
Include incident reporting procedures in the Incident Management program. CC ID 11772 [Financial entities shall follow the data glossary and instructions set out in Annex II when completing the template laid down in Annex I. Article 1 5. Financial entities that notify significant cyber threats to competent authorities in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall use the template laid down in Annex III to this Regulation and follow the data Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1 Financial entities that are unable to use the secure electronic channels as made available by their competent authority shall inform their competent authority about a major ICT-related incident through other secure means in agreement with the competent authority. If required by the competent authority, financial entities shall resubmit the initial notification, or intermediate or final report, through the secure electronic channel as made available by their competent authority once they are able to do so. Article 4 2.] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain incident reporting time frame standards. CC ID 12142 [Financial entities may combine the submission of the initial notification, the intermediate report, and the final report to provide two or all of those at the same time, where regular activities have recovered or the root cause analysis has been completed and provided that the time limits set out in Article 5 of Commission Delegated Regulation (EU) 2024/xxx [C(2024) 6901] are met. Article 2 ¶ 1] | Operational management | Communicate | |
Create an incident response report. CC ID 12700 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an intermediate report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 3 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901] and may, where they already have the relevant information, complete data fields the completion of which is not required for the intermediate report, but is required for the final report. Article 1 1.(b) Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit a final report shall complete the data fields of the template which correspond to the information to be provided in accordance with Article 4 of Delegated Regulation (EU) 2024/xxx [C(2024) 6901]. Article 1 1.(c) {is accurate} Financial entities shall ensure that the information contained in the initial notification, and in the intermediate and final report, is complete and accurate. Article 1 2.] | Operational management | Establish/Maintain Documentation | |
Include entities notified of the incident in the incident response report. CC ID 17294 | Operational management | Establish/Maintain Documentation | |
Include details of the companies and persons involved in the incident response report. CC ID 17298 | Operational management | Establish/Maintain Documentation | |
Include the incident reference code in the incident response report. CC ID 17297 | Operational management | Establish/Maintain Documentation | |
Include how the incident was discovered in the incident response report. CC ID 16987 | Operational management | Establish/Maintain Documentation | |
Include the categories of data that were compromised in the incident response report. CC ID 16985 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions taken in the incident response report. CC ID 16810 | Operational management | Establish/Maintain Documentation | |
Include the persons responsible for the incident in the incident response report. CC ID 16808 | Operational management | Establish/Maintain Documentation | |
Include the number of individuals the incident response notification was sent to in the incident response report. CC ID 16789 | Operational management | Establish/Maintain Documentation | |
Include recovery measures in the incident response report. CC ID 17299 | Operational management | Establish/Maintain Documentation | |
Include the date and time of recovery from the incident in the incident response report. CC ID 17296 | Operational management | Establish/Maintain Documentation | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident to be reported originates from or is being caused by a third-party ICT service provider; Article 7 1.(a) {ICT-related incident} When submitting an intermediate or final report, financial entities shall use the template laid down in Annex I to submit all required information and update, where applicable, the information that was previously provided in the initial notification or in the intermediate report. Article 1 4. Paragraph 1 shall not apply to credit institutions that are considered to be of significant relevance as referred to in Article 2 point (16) of Regulation (EU) No 468/2014, operators of trading venues, and central counterparties, which shall only use the template in Annex I to submit major ICT-related incident notifications or reports individually to their competent authority. Article 7 2. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: that third-party service provider provides the relevant ICT service to more than one financial entity, or to a group; Article 7 1.(b) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the ICT-related incident is classified as major by each financial entity covered in the aggregated notification or report; Article 7 1.(c) A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: the major ICT-related incident affects financial entities within a single Member State and the aggregated report relates to financial entities which are supervised by the same competent authority; Article 7 1.(d) Where competent authorities require information on the individual impact of the major ICT-related incident on a single financial entity, upon request of the competent authority, the financial entity shall submit an individual notification or a report on the major ICT-related incident. Article 7 3. A third-party service provider to whom reporting obligations have been outsourced as referred to in Article 19(5) of Regulation (EU) 2022/2554 may use the template set out in Annex I to this Regulation to provide aggregated information about a major ICT-related incident impacting multiple financial entities in one single notification or report, and submit that notification or report to the competent authority on behalf of all impacted financial entities, provided that all of the following conditions are met: competent authorities have explicitly permitted this type of financial entities to aggregate their reporting. Article 7 1.(e)] | Operational management | Communicate | |
Prepare for incident response notifications. CC ID 00584 [Financial entities shall use the template laid down in Annex I to submit the initial notification, the intermediate report, and the final report referred to in Article 19(4) of Regulation (EU) 2022/2554 as follows: financial entities that submit an initial notification shall complete the data fields of the template which correspond to the | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [Financial entities shall inform their competent authority as soon as they no longer outsource their reporting obligations as referred to in Article 19(5) of Regulation (EU) 2022/2554. Article 6 3.] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless the applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Financial entities shall provide the competent authority with the name, contact details, and identification code of the third-party that will submit the major ICT-related incident notifications or reports for them. Article 6 2.] | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 [Financial entities that have outsourced the obligation to report major ICT-related incidents in accordance with Article 19(5) of Regulation (EU) 2022/2554 shall inform their competent authority of that outsourcing arrangement as soon as the outsourcing arrangement has been concluded and at the latest prior to the first notification or | Third Party and supply chain oversight | Communicate |