RTS on incident reporting

Commission Delegated Regulation (EU) 2025/301

of 23 October 2024

supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council

with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (1) (OJ L 333, 27.12.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2554/oj), and in particular Article 20, third subparagraph thereof,

Whereas:

Recital 1 Reporting time limits

To ensure the harmonisation and simplification of the notification and reporting requirements for major ICT-related incidents referred to in Article 19(4) of Regulation (EU) 2022/2554, the time limits for reporting major ICT-related incidents should follow a consistent approach for all types of financial entities. For these reasons, the time limits should also, to the greatest extent possible, follow a consistent approach with, and at least be equivalent in effect to, the requirements set out in Directive (EU) 2022/2555 of the European Parliament and of the Council (2) (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj)).

Recital 2 Time limit for the initial notification

To avoid imposing an undue reporting burden on financial entities at a time when they are handling the ICT-related incident, the content of the initial notification should be limited to the most significant information. To be able to take proper supervisory action, competent authorities need to receive information about major ICT-related incidents as quickly as possible after the financial entity has classified an ICT-related incident as major. Consequently, the time limit for submitting an initial notification as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 should be as short as possible after an ICT-related incident has been classified as major, whilst still allowing for flexibility, especially for service business models that are not particularly time-critical, in case financial entities need more time to handle the ICT-related incident after becoming aware of it.

Recital 3 The intermediate and final reports

After having received the initial notification, competent authorities should receive more detailed information about the ICT-related incident in the intermediate report and all relevant information in the final report. The information in those reports should enable competent authorities to further assess the ICT-related incident and evaluate supervisory actions they may want to take.

HAS ADOPTED THIS REGULATION:

  1. Article 1 General information to be provided in initial notifications and intermediate and final reports on major ICT-related incidents
  2. Article 2 Specific information to be provided in initial notifications
  3. Article 3 Specific information to be provided in intermediate reports
  4. Article 4 Specific information to be provided in final reports
  5. Article 5 Time limits for the initial notification, and for the intermediate and final reports
  6. Article 6 Content of the voluntary notification of significant cyber threats
  7. Article 7 Entry into force

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 23 October 2024.

For the Commission

The President

Ursula VON DER LEYEN
