ITS on templates for incident reporting

To ensure accurate and up to-date information, the reporting template should enable financial entitiesas defined in Article 2, points (a) to (t), when submitting the intermediate and final report, to update any information that was submitted previously, and where necessary reclassify major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; as non-major.

The legal identification of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should be aligned with the identifiers specified in the implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554.

Where financial entitiesas defined in Article 2, points (a) to (t) outsource the major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; reporting obligations to a third party, competent authoritiesas defined in Article 46 should be aware of the identity of the third-party reporting on behalf of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; prior to the submission of the first notification or reporting, in order to verify the legitimacy of the reporting third party.

To identify easily the impact of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that occurred at, or was caused by a third-party provider, and that affects multiple financial entitiesas defined in Article 2, points (a) to (t) within a single Member State, and to reduce the reporting effort for financial entitiesas defined in Article 2, points (a) to (t), the reporting template should allow for the submission of an aggregated report covering aggregated information about the impact of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; on all impacted financial entitiesas defined in Article 2, points (a) to (t) that have classified the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; as major.

The reporting template should be designed in a technology neutral way to allow for its implementation into various incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting solutions that already exist or that may be developed for the implementation of the requirements of Regulation (EU) 2022/2554.

The design of the reporting template and data fields should facilitate the reporting of major ICT-related incidents means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; by third parties to whom financial entitiesas defined in Article 2, points (a) to (t) outsourced their reporting obligation in accordance with Article 19(5) of Regulation (EU) 2022/2554.

This Regulation is based on the draft implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). submitted to the Commission by the European Supervisory Authorities.

The European Supervisory Authorities have conducted open public consultations on the draft implementing technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Banking Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulations (EU) No 1093/2010(³)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., (EU) No 1094/2010(⁴)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj)., (EU) No 1095/2010(⁵)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj). of the European Parliament and of the Council.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁶)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered a positive opinion on 22 July 2024. Any processing of personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; within the scope of this Regulation should be performed in accordance with the applicable data protection principles and provisions set out in Regulation (EU) 2018/1725,