

COMMISSION DELEGATED REGULATION (EU) …/... of 23.10.2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Draft)



AD ID

0004011

AD STATUS

COMMISSION DELEGATED REGULATION (EU) …/... of 23.10.2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Draft)

ORIGINATOR

European Commission

TYPE

Regulations

AVAILABILITY

Free

SYNONYMS

RTS on reporting of major ICT-related incidents (Draft)

COMMISSION DELEGATED REGULATION (EU) …/... of 23.10.2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Draft)

EFFECTIVE

2024-10-23

ADDED

The document as a whole was last reviewed and released on 2024-12-09T00:00:00-0800.



Important Notice

This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within COMMISSION DELEGATED REGULATION (EU) …/... of 23.10.2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Draft) that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for COMMISSION DELEGATED REGULATION (EU) …/... of 23.10.2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (Draft) are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
37 Mandated Controls - bold    18 Implied Controls - italic    8 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 63 Total
  • Leadership and high level objectives
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Communicate Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: general information about the notifying financial entity as set out in Article 1; Article 6 ¶ 1(a)]
    Communicate Preventive
  • Monitoring and measurement
    4
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Provide intelligence support to the organization, as necessary. CC ID 14020 Business Processes Preventive
    Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 Technical Security Preventive
    Communicate threat intelligence to interested personnel and affected parties. CC ID 14016
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the status of the significant cyber threat and any changes in the threat activity; Article 6 ¶ 1(f)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the date and time of detection of the significant cyber threat and any other relevant timestamps related to the significant cyber threat; Article 6 ¶ 1(b)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: a description of the significant cyber threat; Article 6 ¶ 1(c)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the potential impact of the significant cyber threat on the financial entity, its clients, or financial counterparts; Article 6 ¶ 1(d)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat had materialised; Article 6 ¶ 1(e)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about any notification of the significant cyber threat to other financial entities or authorities; Article 6 ¶ 1(h)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, information on indicators of compromise; Article 6 ¶ 1(i)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where available, any other relevant information. Article 6 ¶ 1(j)]
    Communicate Preventive
  • Operational management
    55
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Share security information with interested personnel and affected parties. CC ID 11732
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats; Article 6 ¶ 1(g)]
    Communicate Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207 Establish/Maintain Documentation Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212 Data and Information Management Corrective
    Report data loss event information to breach notification organizations. CC ID 01210
    [Where the financial entity has not classified an ICT-related incident as major within 24 hours from the moment the financial entity has become aware of the ICT-related incident but classifies that ICT-related incident as major at a later stage, the financial entity shall submit the initial notification within four hours from the classification of the ICT-related incident as a major incident. Article 5 2.
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the initial report: as early as possible, but in any case, within four hours from the classification of the ICT-related incident as a major ICT-related incident and no later than 24 hours from the moment the financial entity has become aware of the ICT-related incident; Article 5 1.(a)]
    Data and Information Management Corrective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797
    [Financial entities that are unable to submit the initial notification, intermediate report, or final report within the time limits set out in paragraph 1, shall inform the competent authority thereof without undue delay, but no later than the respective time limits for the submission of the notification or report, and shall explain the reasons for the delay. Article 5 3.]
    Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Include information required by law in incident response notifications. CC ID 00802
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, any other relevant information. Article 2 ¶ 1(j)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Establish/Maintain Documentation Detective
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major; Article 2 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information on how the ICT-related incident was discovered; Article 2 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include the incident reference code in incident response notifications. CC ID 17292
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the incident reference code assigned by the financial entity; Article 2 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: a description of the ICT-related incident; Article 2 ¶ 1(c)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information about the reclassification of the ICT-related incident from major to non-major; Article 2 ¶ 1(i)]
    Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, information about the origin of the ICT-related incident; Article 2 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about whether the financial entity has activated a business continuity plan; Article 2 ¶ 1(h)]
    Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the Member States that are impacted by the ICT-related incident; Article 2 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [Where the time limit for the submission of an initial notification, intermediate report, or a final report falls on a weekend day or a bank holiday in the Member State of the reporting financial entity, the financial entity may submit the initial notification, intermediate or final reports by noon of the next working day. Article 5 4.]
    Communicate Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Create an incident response report. CC ID 12700 Establish/Maintain Documentation Preventive
    Include entities notified of the incident in the incident response report. CC ID 17294
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about reporting about the ICT-related incident to other authorities; Article 3 ¶ 1(j)]
    Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in the incident response report. CC ID 17298
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Include the incident reference code in the incident response report. CC ID 17297
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the incident reference code provided by the competent authority; Article 3 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information on indicators of compromise. Article 3 ¶ 1(l)]
    Establish/Maintain Documentation Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include costs associated with the incident in the incident response report. CC ID 12725
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: impact on the financial interest of clients; Article 3 ¶ 1(i)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include losses due to the incident in the incident response report. CC ID 12724
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include the magnitude of the incident in the incident response report. CC ID 12722
    [{ICT-related incident} Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about how the criteria laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 have been fulfilled, on the basis of which the financial entity classified the ICT-related incident as major; Article 3 ¶ 1(d)]
    Establish/Maintain Documentation Preventive
    Include information on all affected assets in the incident response report. CC ID 12718
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected infrastructure components supporting business processes; Article 3 ¶ 1(h)]
    Establish/Maintain Documentation Preventive
    Include the duration of the incident in the incident response report. CC ID 12716
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: dates and times when the ICT-related incident was resolved and the root cause(s) addressed; Article 4 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include recovery measures in the incident response report. CC ID 17299
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Establish/Maintain Documentation Preventive
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the date and time when the financial entity has recovered its regular activities; Article 3 ¶ 1(c)]
    Establish/Maintain Documentation Preventive
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information about recurring ICT-related incidents. Article 4 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Include when the incident occurred in the incident response report. CC ID 12709
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date and time of occurrence of the ICT-related incident; Article 3 ¶ 1(b)]
    Establish/Maintain Documentation Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: temporary actions or measures taken or planned to be taken by the financial entity to recover from the ICT-related incident; Article 3 ¶ 1(k)]
    Establish/Maintain Documentation Preventive
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected functional areas and business processes; Article 3 ¶ 1(g)]
    Establish/Maintain Documentation Preventive
    Include an executive summary of the incident in the incident response report. CC ID 12702
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the type of ICT-related incident; Article 3 ¶ 1(e)
    Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information relevant for resolution authorities; Article 4 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Establish/Maintain Documentation Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about the root causes of the ICT-related incident; Article 4 ¶ 1(a)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the threats and techniques used by the threat actor; Article 3 ¶ 1(f)]
    Establish/Maintain Documentation Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the final report: no later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report. Article 5 1.(c)
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the intermediate report: at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident have not changed as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554. Financial entities shall submit an updated intermediate report without undue delay, and in any case when the regular activities have been recovered; Article 5 1.(b)]
    Communicate Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information on the resolution of the ICT-related incident; Article 4 ¶ 1(c)]
    Actionable Reports or Measurements Preventive
Common Controls and mandates by Type
37 Mandated Controls - bold
18 Implied Controls - italic
8 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
63 Total
  • Actionable Reports or Measurements
    2
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information on the resolution of the ICT-related incident; Article 4 ¶ 1(c)]
    Operational management Preventive
  • Behavior
    1
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
  • Business Processes
    4
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Provide intelligence support to the organization, as necessary. CC ID 14020 Monitoring and measurement Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
  • Communicate
    10
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: general information about the notifying financial entity as set out in Article 1; Article 6 ¶ 1(a)]
    Leadership and high level objectives Preventive
    Communicate threat intelligence to interested personnel and affected parties. CC ID 14016
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the status of the significant cyber threat and any changes in the threat activity; Article 6 ¶ 1(f)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the date and time of detection of the significant cyber threat and any other relevant timestamps related to the significant cyber threat; Article 6 ¶ 1(b)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: a description of the significant cyber threat; Article 6 ¶ 1(c)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the potential impact of the significant cyber threat on the financial entity, its clients, or financial counterparts; Article 6 ¶ 1(d)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat had materialised; Article 6 ¶ 1(e)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about any notification of the significant cyber threat to other financial entities or authorities; Article 6 ¶ 1(h)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, information on indicators of compromise; Article 6 ¶ 1(i)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where available, any other relevant information. Article 6 ¶ 1(j)]
    Monitoring and measurement Preventive
    Share security information with interested personnel and affected parties. CC ID 11732
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats; Article 6 ¶ 1(g)]
    Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797
    [Financial entities that are unable to submit the initial notification, intermediate report, or final report within the time limits set out in paragraph 1, shall inform the competent authority thereof without undue delay, but no later than the respective time limits for the submission of the notification or report, and shall explain the reasons for the delay. Article 5 3.]
    Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [Where the time limit for the submission of an initial notification, intermediate report, or a final report falls on a weekend day or a bank holiday in the Member State of the reporting financial entity, the financial entity may submit the initial notification, intermediate or final reports by noon of the next working day. Article 5 4.]
    Operational management Preventive
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the final report: no later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report. Article 5 1.(c)
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the intermediate report: at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident have not changed as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554. Financial entities shall submit an updated intermediate report without undue delay, and in any case when the regular activities have been recovered; Article 5 1.(b)]
    Operational management Preventive
  • Data and Information Management
    2
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Corrective
    Report data loss event information to breach notification organizations. CC ID 01210
    [Where the financial entity has not classified an ICT-related incident as major within 24 hours from the moment the financial entity has become aware of the ICT-related incident but classifies that ICT-related incident as major at a later stage, the financial entity shall submit the initial notification within four hours from the classification of the ICT-related incident as a major incident. Article 5 2.
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the initial report: as early as possible, but in any case, within four hours from the classification of the ICT-related incident as a major ICT-related incident and no later than 24 hours from the moment the financial entity has become aware of the ICT-related incident; Article 5 1.(a)]
    Operational management Corrective
  • Establish/Maintain Documentation
    40
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include incident monitoring procedures in the Incident Management program. CC ID 01207 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include information required by law in incident response notifications. CC ID 00802
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, any other relevant information. Article 2 ¶ 1(j)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Operational management Detective
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include the incident classification criteria in incident response notifications. CC ID 17293
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major; Article 2 ¶ 1(d)]
    Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information on how the ICT-related incident was discovered; Article 2 ¶ 1(f)]
    Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include the incident reference code in incident response notifications. CC ID 17292
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the incident reference code assigned by the financial entity; Article 2 ¶ 1(a)]
    Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: a description of the ICT-related incident; Article 2 ¶ 1(c)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information about the reclassification of the ICT-related incident from major to non-major; Article 2 ¶ 1(i)]
    Operational management Preventive
    Include time information in incident response notifications. CC ID 04745
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)]
    Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, information about the origin of the ICT-related incident; Article 2 ¶ 1(g)]
    Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include activations of the business continuity plan in incident response notifications. CC ID 17295
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about whether the financial entity has activated a business continuity plan; Article 2 ¶ 1(h)]
    Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the Member States that are impacted by the ICT-related incident; Article 2 ¶ 1(e)]
    Operational management Preventive
    Include costs associated with the incident in incident response notifications. CC ID 17300
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include contact information in incident response notifications. CC ID 04739
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Create an incident response report. CC ID 12700 Operational management Preventive
    Include entities notified of the incident in the incident response report. CC ID 17294
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about reporting about the ICT-related incident to other authorities; Article 3 ¶ 1(j)]
    Operational management Preventive
    Include details of the companies and persons involved in the incident response report. CC ID 17298
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)]
    Operational management Preventive
    Include the incident reference code in the incident response report. CC ID 17297
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the incident reference code provided by the competent authority; Article 3 ¶ 1(a)]
    Operational management Preventive
    Include how the incident was discovered in the incident response report. CC ID 16987
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information on indicators of compromise. Article 3 ¶ 1(l)]
    Operational management Preventive
    Include the persons responsible for the incident in the incident response report. CC ID 16808
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Operational management Preventive
    Include costs associated with the incident in the incident response report. CC ID 12725
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: impact on the financial interest of clients; Article 3 ¶ 1(i)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Operational management Preventive
    Include losses due to the incident in the incident response report. CC ID 12724
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Operational management Preventive
    Include the magnitude of the incident in the incident response report. CC ID 12722
    [{ICT-related incident} Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about how the criteria laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 have been fulfilled, on the basis of which the financial entity classified the ICT-related incident as major; Article 3 ¶ 1(d)]
    Operational management Preventive
    Include information on all affected assets in the incident response report. CC ID 12718
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected infrastructure components supporting business processes; Article 3 ¶ 1(h)]
    Operational management Preventive
    Include the duration of the incident in the incident response report. CC ID 12716
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: dates and times when the ICT-related incident was resolved and the root cause(s) addressed; Article 4 ¶ 1(b)]
    Operational management Preventive
    Include recovery measures in the incident response report. CC ID 17299
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Operational management Preventive
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the date and time when the financial entity has recovered its regular activities; Article 3 ¶ 1(c)]
    Operational management Preventive
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information about recurring ICT-related incidents. Article 4 ¶ 1(f)]
    Operational management Preventive
    Include when the incident occurred in the incident response report. CC ID 12709
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date and time of occurrence of the ICT-related incident; Article 3 ¶ 1(b)]
    Operational management Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: temporary actions or measures taken or planned to be taken by the financial entity to recover from the ICT-related incident; Article 3 ¶ 1(k)]
    Operational management Preventive
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected functional areas and business processes; Article 3 ¶ 1(g)]
    Operational management Preventive
    Include an executive summary of the incident in the incident response report. CC ID 12702
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the type of ICT-related incident; Article 3 ¶ 1(e)
    Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information relevant for resolution authorities; Article 4 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Operational management Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about the root causes of the ICT-related incident; Article 4 ¶ 1(a)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the threats and techniques used by the threat actor; Article 3 ¶ 1(f)]
    Operational management Preventive
  • IT Impact Zone
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
  • Technical Security
    1
    IMPACT ZONE CLASS
    Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 Monitoring and measurement Preventive
Common Controls and mandates by Classification
37 Mandated Controls - bold    18 Implied Controls - italic    8 Implementation Controls - regular

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
63 Total
  • Corrective
    5
    IMPACT ZONE TYPE
    Share incident information with interested personnel and affected parties. CC ID 01212 Operational management Data and Information Management
    Report data loss event information to breach notification organizations. CC ID 01210
    [Where the financial entity has not classified an ICT-related incident as major within 24 hours from the moment the financial entity has become aware of the ICT-related incident but classifies that ICT-related incident as major at a later stage, the financial entity shall submit the initial notification within four hours from the classification of the ICT-related incident as a major incident. Article 5 2.
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the initial report: as early as possible, but in any case, within four hours from the classification of the ICT-related incident as a major ICT-related incident and no later than 24 hours from the moment the financial entity has become aware of the ICT-related incident; Article 5 1.(a)]
    Operational management Data and Information Management
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
  • Detective
    1
    IMPACT ZONE TYPE
    Include information required by law in incident response notifications. CC ID 00802
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, any other relevant information. Article 2 ¶ 1(j)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
  • IT Impact Zone
    3
    IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
  • Preventive
    54
    IMPACT ZONE TYPE
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain an external reporting program. CC ID 12876 Leadership and high level objectives Communicate
    Provide identifying information about the organization to the responsible party. CC ID 16715
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: general information about the notifying financial entity as set out in Article 1; Article 6 ¶ 1(a)]
    Leadership and high level objectives Communicate
    Provide intelligence support to the organization, as necessary. CC ID 14020 Monitoring and measurement Business Processes
    Establish, implement, and maintain a Technical Surveillance Countermeasures program. CC ID 11401 Monitoring and measurement Technical Security
    Communicate threat intelligence to interested personnel and affected parties. CC ID 14016
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the status of the significant cyber threat and any changes in the threat activity; Article 6 ¶ 1(f)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the date and time of detection of the significant cyber threat and any other relevant timestamps related to the significant cyber threat; Article 6 ¶ 1(b)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: a description of the significant cyber threat; Article 6 ¶ 1(c)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about the potential impact of the significant cyber threat on the financial entity, its clients, or financial counterparts; Article 6 ¶ 1(d)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat had materialised; Article 6 ¶ 1(e)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: information about any notification of the significant cyber threat to other financial entities or authorities; Article 6 ¶ 1(h)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, information on indicators of compromise; Article 6 ¶ 1(i)
    The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where available, any other relevant information. Article 6 ¶ 1(j)]
    Monitoring and measurement Communicate
    Share security information with interested personnel and affected parties. CC ID 11732
    [The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following: where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats; Article 6 ¶ 1(g)]
    Operational management Communicate
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include incident monitoring procedures in the Incident Management program. CC ID 01207 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797
    [Financial entities that are unable to submit the initial notification, intermediate report, or final report within the time limits set out in paragraph 1, shall inform the competent authority thereof without undue delay, but no later than the respective time limits for the submission of the notification or report, and shall explain the reasons for the delay. Article 5 3.]
    Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include the incident classification criteria in incident response notifications. CC ID 17293
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major; Article 2 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information on how the ICT-related incident was discovered; Article 2 ¶ 1(f)]
    Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include the incident reference code in incident response notifications. CC ID 17292
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the incident reference code assigned by the financial entity; Article 2 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: a description of the ICT-related incident; Article 2 ¶ 1(c)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information about the reclassification of the ICT-related incident from major to non-major; Article 2 ¶ 1(i)]
    Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772; Article 2 ¶ 1(b)]
    Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where available, information about the origin of the ICT-related incident; Article 2 ¶ 1(g)]
    Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include activations of the business continuity plan in incident response notifications. CC ID 17295
    [Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about whether the financial entity has activated a business continuity plan; Article 2 ¶ 1(h)]
    Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)
    Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the Member States that are impacted by the ICT-related incident; Article 2 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include costs associated with the incident in incident response notifications. CC ID 17300
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [Where the time limit for the submission of an initial notification, intermediate report, or a final report falls on a weekend day or a bank holiday in the Member State of the reporting financial entity, the financial entity may submit the initial notification, intermediate or final reports by noon of the next working day. Article 5 4.]
    Operational management Communicate
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Create an incident response report. CC ID 12700 Operational management Establish/Maintain Documentation
    Include entities notified of the incident in the incident response report. CC ID 17294
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about reporting about the ICT-related incident to other authorities; Article 3 ¶ 1(j)]
    Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in the incident response report. CC ID 17298
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the names and LEI codes of all financial entities covered in the aggregated initial notification or intermediate or final report; Article 1 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name and identification code of the entity that submits the initial notification, or intermediate or final report, for the financial entity; Article 1 ¶ 1(c)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the name of the financial entity, its LEI code, and the type of financial entity, as referred to in Article 2(1) of Regulation (EU) 2022/2554; Article 1 ¶ 1(b)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where applicable, the identification of the parent undertaking of the group to which the financial entity belongs; Article 1 ¶ 1(f)]
    Operational management Establish/Maintain Documentation
    Include the incident reference code in the incident response report. CC ID 17297
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the incident reference code provided by the competent authority; Article 3 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
    Include how the incident was discovered in the incident response report. CC ID 16987
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, information on indicators of compromise. Article 3 ¶ 1(l)]
    Operational management Establish/Maintain Documentation
    Include the persons responsible for the incident in the incident response report. CC ID 16808
    [Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the contact details of the persons responsible for communicating with the competent authority on the major ICT-related incident; Article 1 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include costs associated with the incident in the incident response report. CC ID 12725
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: impact on the financial interest of clients; Article 3 ¶ 1(i)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: where there is monetary impact, the currency the amounts are based on. Article 1 ¶ 1(g)]
    Operational management Establish/Maintain Documentation
    Include losses due to the incident in the incident response report. CC ID 12724
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include the magnitude of the incident in the incident response report. CC ID 12722
    [{ICT-related incident} Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: information about how the criteria laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 have been fulfilled, on the basis of which the financial entity classified the ICT-related incident as major; Article 3 ¶ 1(d)]
    Operational management Establish/Maintain Documentation
    Include information on all affected assets in the incident response report. CC ID 12718
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected infrastructure components supporting business processes; Article 3 ¶ 1(h)]
    Operational management Establish/Maintain Documentation
    Include the duration of the incident in the incident response report. CC ID 12716
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: dates and times when the ICT-related incident was resolved and the root cause(s) addressed; Article 4 ¶ 1(b)]
    Operational management Establish/Maintain Documentation
    Include recovery measures in the incident response report. CC ID 17299
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about direct and indirect costs and losses stemming from the ICT-related incident and information about financial recoveries; Article 4 ¶ 1(e)]
    Operational management Establish/Maintain Documentation
    Include the date and time of recovery from the incident in the incident response report. CC ID 17296
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the date and time when the financial entity has recovered its regular activities; Article 3 ¶ 1(c)]
    Operational management Establish/Maintain Documentation
    Include the frequency of similar incidents occurring in the incident response report. CC ID 12712
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information about recurring ICT-related incidents. Article 4 ¶ 1(f)]
    Operational management Establish/Maintain Documentation
    Include when the incident occurred in the incident response report. CC ID 12709
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the date and time of occurrence of the ICT-related incident; Article 3 ¶ 1(b)]
    Operational management Establish/Maintain Documentation
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: temporary actions or measures taken or planned to be taken by the financial entity to recover from the ICT-related incident; Article 3 ¶ 1(k)]
    Operational management Establish/Maintain Documentation
    Include a description of the impact the incident had on operations in the incident response report. CC ID 12703
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: affected functional areas and business processes; Article 3 ¶ 1(g)]
    Operational management Establish/Maintain Documentation
    Include an executive summary of the incident in the incident response report. CC ID 12702
    [Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: the type of ICT-related incident; Article 3 ¶ 1(e)
    Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: where applicable, information relevant for resolution authorities; Article 4 ¶ 1(d)
    Financial entities shall include in the initial notification, the intermediate report, and the final report, as referred to in Article 19(4) of Regulation (EU) 2022/2554, the following general information: the type of submission (initial notification, intermediate report, or final report); Article 1 ¶ 1(a)]
    Operational management Establish/Maintain Documentation
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the following specific information: information about the root causes of the ICT-related incident; Article 4 ¶ 1(a)
    Intermediate reports as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information: where applicable, the threats and techniques used by the threat actor; Article 3 ¶ 1(f)]
    Operational management Establish/Maintain Documentation
    Submit the incident response report to the proper authorities in a timely manner. CC ID 12705
    [Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the final report: no later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report. Article 5 1.(c)
    Financial entities shall submit the initial notification and the intermediate and final reports as referred to in Article 19(4), points (a), (b) and (c), of Regulation (EU) 2022/2554 within the following time limits: for the intermediate report: at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident have not changed as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554. Financial entities shall submit an updated intermediate report without undue delay, and in any case when the regular activities have been recovered; Article 5 1.(b)]
    Operational management Communicate
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [Final reports as referred to in Article 19(4), point (c), of Regulation (EU) 2022/2554 shall contain all of the -verb">ndary-verb">following specific information: information on the resolution of the ICT-related incident; Article 4 ¶ 1(c)]
    Operational management Actionable Reports or Measurements