ANNEX II - General information about the financial entity
Info
🔗 Back to Summary. 🇫🇷 French Version: 2025R0302_FR.II. Back to Summary of LVL1. Link to the PDF. Direct link to EUR-LEX.
Article I – General information about the financial entity ⬅️ | ➡️ Article III –
Data field
Description
Mandatory for initial notification
Mandatory for intermediate report
Mandatory for final report
Field type
General information about the financial entity
1.1.
Type of submission
Indicate the type of incident notification or report being submitted to the competent authority.
Yes
Yes
Yes
Choice:
—
initial notification;
—
intermediate report;
—
final report;
—
major incident reclassified as non-major.
1.2.
Name of the entity submitting the report
Full legal name of the entity submitting the report.
Yes
Yes
Yes
Alphanumeric
1.3.
Identification code of the entity submitting the report
Identification code of the entity submitting the report.
Where financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.
A third-party provider that submits a report for a financial entity can use an identification code as specified in the implementing technical standards adopted pursuant to 2022.
Yes
Yes
Yes
Alphanumeric
1.4.
Type of the affected financial entity
Type of the entity as referred to in Article 2(1), points (a) to (t), of Regulation (EU) 2022/2554 for whom the report is submitted.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the different types of financial entities covered in the aggregated report to be selected.
Yes
Yes
Yes
Choice (multiselect):
—
credit institution;
—
payment institution;
—
exempted payment institution;
—
account information service provider;
—
electronic money institution;
—
exempted electronic money institution;
—
investment firm;
—
crypto-asset service provider;
—
issuer of asset-referenced tokens;
—
central securities depository;
—
central counterparty;
—
trading venue;
—
trade repository;
—
manager of alternative investment fund;
—
management company;
—
data reporting service provider;
—
insurance and reinsurance undertaking;
—
insurance intermediary, reinsurance intermediary and ancillary insurance intermediary;
—
institution for occupational retirement provision;
—
credit rating agency;
—
administrator of critical benchmarks;
—
crowdfunding service provider;
—
securitisation repository.
1.5.
Name of the financial entity affected
Full legal name of the financial entity affected by the major ICT-related incident and required to report the major incident to its competent authority under 2022.
In case of aggregated reporting:
(a)
list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon;
(b)
the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon.
Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting
Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting
Yes, if the financial entity affected by the incident is different from the entity submitting the report and in case of aggregated reporting
Alphanumeric
1.6.
LEI code of the financial entity affected
Legal Entity Identifier (LEI) of the financial entity affected by the major ICT-related incident assigned in accordance with the International Organisation for Standardisation.
In case of aggregated reporting:
(a)
a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon.
(b)
the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon.
The order of appearance of LEI codes and financial entities names shall be identical.
Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting
Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting
Yes, if the financial entity affected by the major ICT-related incident is different from the entity submitting the report and in case of aggregated reporting
Unique 20 alphanumeric character code, based on ISO 17442-1:2020
1.7.
Primary contact person name
Name and surname of the primary contact person of the financial entity.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the name of the primary contact person in the entity submitting the aggregated report.
Yes
Yes
Yes
Alphanumeric
1.8.
Primary contact person email
Email address of the primary contact person that can be used by the competent authority for follow-up communication.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the email of the primary contact person in the entity submitting the aggregated report.
Yes
Yes
Yes
Alphanumeric
1.9.
Primary contact person telephone
The telephone number of the primary contact person that can be used by the competent authority for follow-up communication.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the telephone number of the primary contact person in the entity submitting the aggregated report.
The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)
Yes
Yes
Yes
Alphanumeric 1.10.
Second contact person name
Name and surname of the second contact person or the name of the responsible team of the financial entity or an entity submitting the report on behalf of the financial entity
Yes
Yes
Yes
Alphanumeric 1.11.
Second contact person email
Email address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication.
Yes
Yes
Yes
Alphanumeric 1.12.
Second contact person telephone
The telephone number of the second contact person, or of a team, that can be used by the competent authority for follow-up communication.
The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX)
Yes
Yes
Yes
Alphanumeric 1.13.
Name of the ultimate parent undertaking
Name of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable.
Yes, if the FE belongs to a group
Yes, if the FE belongs to a group
Yes, if the FE belongs to a group
Alphanumeric 1.14.
LEI code of the ultimate parent undertaking
LEI of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable. Assigned in accordance with the International Organisation for Standardisation.
Yes, if the FE belongs to a group
Yes, if the FE belongs to a group
Yes, if the FE belongs to a group
Unique 20 alphanumeric character code, based on ISO 17442-1:2020 1.15.
Reporting currency
Currency used for the incident reporting
Yes
Yes
Yes
Choice populated by using ISO 4217 currency codes
Content of the initial notification
2.1.
Incident reference code assigned by the financial entity
Unique reference code issued by the financial entity unequivocally identifying the major ICT-related incident.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the incident reference code assigned by the third-party provider.
Yes
Yes
Yes
Alphanumeric
2.2.
Date and time of detection of the ICT-related incident
Date and time at which the financial entity has become aware of the ICT-related incident.
For recurring incidents, the date and the time at which the last ICT-related incident was detected.
Yes
Yes
Yes
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
2.3.
Date and time of classification of the incident as major
Date and time when the ICT-related incident was classified as major according to the classification criteria established in Delegated Regulation (EU) 2024/1772
Yes
Yes
Yes
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
2.4.
Description of the ICT-related incident
Description of the most relevant aspects of the major ICT-related incident.
Financial entities shall provide a high-level overview of the following information such as possible causes, immediate impacts, systems affected, and others. Financial entities, shall include, where known or reasonably expected, whether the incident impacts third-party providers or other financial entities, the type of provider or financial entity, their name, their respective identification codes and type of the identification code (e.g. LEI or EUID).
In subsequent reports, the field content can evolve over time to reflect the ongoing understanding of the ICT-related incident and describe any other relevant information about the ICT-related incident not captured by the data fields, including the internal severity assessment by the financial entity (e.g. very low, low, medium, high, very high) and an indication of the level and name of most senior decision structures that has been involved in response to the ICT-related incident.
Yes
Yes
Yes
Alphanumeric
2.5.
Classification criteria that triggered the incident report
Classification criteria under Delegated Regulation (EU) 2024/1772 that have triggered determination of the ICT-related incident as major and subsequent notification and reporting.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the classification criteria that have triggered determination of the ICT-related incident as major for at least one or more financial entities.
Yes
Yes
Yes
Choice (multiple):
—
clients, financial counterparts and transactions affected;
—
reputational impact;
—
duration and service downtime;
—
geographical spread;
—
data losses;
—
critical services affected;
—
economic impact.
2.6.
Materiality thresholds for the classification criterion ‘Geographical spread’
EEA Member States impacted by the major ICT-related incident
When assessing the impact of the major ICT-related incident in other Member States, financial entities shall take into account Articles 4 and 12 of Delegated Regulation 2024/1772.
Yes, if ‘Geographical spread’ threshold is met
Yes, if ‘Geographical spread’ threshold is met
Yes, if ‘Geographical spread’ threshold is met
Choice (multiple) populated by using ISO 3166 ALPHA-2 of the affected countries
2.7.
Discovery of the major ICT-related incident
Indication of how the major ICT-related incident has been discovered.
Yes
Yes
Yes
Choice:
—
IT Security;
—
staff;
—
internal audit;
—
external audit;
—
clients;
—
financial counterparts;
—
third-party provider;
—
attacker;
—
monitoring systems;
—
authority/agency/ law enforcement body;
—
other.
2.8.
Indication whether the incident originates from a third-party provider or another financial entity
Indication whether the major ICT-related incident originates from a third-party provider or another financial entity.
Financial entities shall indicate whether the major ICT-related incident originates from a third-party provider or another financial entity (including financial entities belonging to the same group as the reporting entity) and the name, identification code of the third-party provider or financial entity and type of the identification code (e.g. LEI or EUID).
Yes, if the incident originates from a third-party provider or another financial entity
Yes, if the incident originates from a third-party provider or another financial entity
Yes, if the incident originates from a third-party provider or another financial entity
Alphanumeric
2.9.
Activation of business continuity plan, if activated
Indication of whether there has been a formal activation of the business continuity response measures of the financial entity.
Yes
Yes
Yes
Boolean (Yes or No) 2.10.
Other relevant information
Any further information not covered in the template.
Financial entities that have reclassified a major ICT-related incident as non-major shall describe the reasons why the ICT-related incident does not fulfil, and is not expected to fulfil, the criteria to be considered as a major ICT-related incident.
Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major.
Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major
Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major
Alphanumeric
Content of the intermediate report
3.1.
Incident reference code provided by the competent authority
Unique reference code assigned by the competent authority at the time of receipt of the initial notification to unequivocally identify the major ICT-related incident.
No
Yes, if applicable
Yes, if applicable
Alphanumeric
3.2.
Date and time of occurrence of the incident
Date and time at which the major ICT-related incident has occurred, if different from the time the financial entity has become aware of the major ICT-related incident.
For recurring major ICT-related incidents, the date and the time at which the last major ICT-related incident has occurred.
No
Yes
Yes
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
3.3.
Date and time when services, activities or operations have been recovered
Information on the date and time of the recovery of the services, activities or operations affected by the major ICT-related incident.
No
Yes, if data field 3.16. ‘Service downtime’ has been populated
Yes, if data field 3.16. ‘Service downtime’ has been populated
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
3.4.
Number of clients affected
Number of clients affected by the major ICT-related incident that use the service provided by the financial entity.
When assessing the number of clients affected, financial entities shall take into account Articles 1(1) and 9(1), point (b), of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of clients impacted shall use estimates based on available data from comparable reference periods.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of clients affected across all financial entities.
No
Yes
Yes
Numerical integer
3.5.
Percentage of clients affected
Percentage of clients affected by the major ICT-related incident in relation to the total number of clients that make use of the affected service provided by the financial entity. In case of more than one service affected, the services shall be provided in an aggregated manner.
Financial entities shall take into account Article 1(1) and Article 9(1), point (a), of Delegated Regulation (EU) 2024/1772 in their assessment.
A financial entity that cannot determine the actual percentage of clients impacted shall use estimates based on available data from comparable reference periods.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall divide the sum of all affected clients by the total number of clients of all impacted financial entities.
No
Yes
Yes
Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up
3.6.
Number of financial counterparts affected
Number of financial counterparts affected by the major ICT-related incident that have concluded a contract with the financial entity.
When assessing the number of financial counterparts affected, financial entities shall take into account Article 1(2) of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of financial counterparts impacted shall use estimates based on available data from comparable reference periods.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of financial counterparts affected across all financial entities.
No
Yes
Yes
Numerical integer
3.7.
Percentage of financial counterparts affected
Percentage of financial counterparts affected by the major ICT-related incident in relation to the total number of financial counterparts that have concluded a contract with the financial entity.
When assessing the percentage of financial counterparts affected, financial entities shall take into account Articles 1(1) and 9(1), point (c) of Delegated Regulation (EU) 2024/1772 in their assessment.
A financial entity that cannot determine the actual percentage of financial counterparts impacted shall use estimates based on available data from comparable reference periods.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the sum of all affected financial counterparts divided by the total number of financial counterparts of all impacted financial entities.
No
Yes
Yes
Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up
3.8.
Impact on relevant clients or financial counterparts
Any identified impact on relevant clients or financial counterpart as referred to in Article 1(3) and Article 9(1), point (f), of Delegated Regulation (EU) 2024/1772.
No
Yes, if ‘Relevance of clients and financial counterparts’ threshold is met
Yes, if ‘Relevance of clients and financial counterparts’ threshold is met
Boolean (Yes or No)
3.9.
Number of affected transactions
Number of transactions affected by the major ICT-related incident.
When assessing the impact on transactions, financial entities shall take into account Article 1(4) of Delegated Regulation (EU) 2024/1772, including all affected domestic and cross-border transactions containing a monetary amount that have at least one part of the transaction carried out in the Union.
A financial entity that cannot determine the actual number of transactions impacted shall use estimates based on available data from comparable reference periods.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the total number of transactions affected across all financial entities.
No
Yes, if any transaction has been affected by the incident
Yes, if any transaction has been affected by the incident
Numerical integer 3.10.
Percentage of affected transactions
Percentage of affected transactions in relation to the daily average number of domestic and cross-border transactions carried out by the financial entity related to the affected service.
Financial entities shall take into account Article 1(4) and Article 9(1), point (d), of Delegated Regulation (EU) 2024/1772.
A financial entity that cannot determine the actual percentage of transactions impacted shall use estimates.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall sum the number of all affected transactions and divide the sum by the total number of transactions of all impacted financial entities.
No
Yes, if any transaction has been affected by the incident
Yes, if any transaction has been affected by the incident
Expressed as percentage – any value up to 5 numeric characters including up to 1 decimal place expressed as percentage (e.g. 2,4 instead of 2,4 %). If the value has more than 1 digit after the decimal, reporting counterparties shall round half-up 3.11.
Value of affected transactions
Total value of the transactions affected by the major ICT-related incident shall be assessed in accordance with Article 1(4) and Article 9(1), point (e) of Delegated Regulation (EU) 2024/1772.
A financial entity that cannot determine the actual value of transactions impacted shall use estimates based on available data from comparable reference periods.
A financial entity shall report the monetary amount as a positive value.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total value of the transactions affected across all financial entities.
No
Yes, if any transactions have been affected by the incident
Yes, if any transaction has been affected by the incident
Monetary
Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units (e.g. 2,5 instead of EUR 2 500 ). 3.12.
Information on whether the numbers are actual or estimates, or whether there has not been any impact
Information on whether the values reported in the data fields 3.4 to 3.11 are actual or estimates, or whether there has not been any impact.
No
Yes
Yes
Choice (multiple):
—
actual figures for clients affected;
—
actual figures for financial counterparts affected;
—
actual figures for transactions affected;
—
estimates for clients affected;
—
estimates for financial counterparts affected;
—
estimates for transactions affected;
—
no impact on clients;
—
no impact on financial counterparts;
—
no impact on transactions. 3.13.
Reputational impact
Information about the reputational impact resulting from the major ICT-related incident as referred to in Articles 2 and 10 of Delegated Regulation (EU) 2024/1772.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the reputational impact categories that apply to at least one financial entity.
No
Yes, if ‘Reputational impact’ criterion met
Yes, if ‘Reputational impact’ criterion met
Choice (multiple):
—
the major ICT-related incident has been reflected in the media;
—
the major ICT-related incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships
—
the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the major ICT-related incident;
—
the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the major ICT-related incident. 3.14.
Contextual information about the reputational impact
Information describing how the major ICT-related incident has affected or could affect the reputation of the financial entity, including infringements of law, regulatory requirements not met, number of client complaints, and other.
The contextual information shall include the type of media (e.g. traditional and digital media, blogs, streaming platforms) and media coverage, including reach of the media (local, national, international). Media coverage in this context shall not mean a few negative comments by followers or users of social networks.
The financial entity shall also indicate whether the media coverage highlighted significant risks for its clients in relation to the major ICT-related incident, including the risk of the financial entity’s insolvency or the risk of losing funds.
Financial entities shall also indicate whether they have provided information to the media that served to reliably inform the public about the major ICT-related incident and its consequences.
Financial entities may also indicate whether there was false information in the media in relation to the ICT-related incident, including information based on deliberate misinformation spread by threat actors, or information relating to or illustrating defacement of the financial entity’s website.
No
Yes, if ‘Reputational impact’ criterion met.
Yes, if ‘Reputational impact’ criterion met.
Alphanumeric 3.15.
Duration of the incident
Financial entities shall measure the duration of the major ICT-related incident from the moment the major ICT-related incident occurred until the moment the incident was resolved.
Financial entities that are unable to determine the moment when the major ICT-related incident has occurred shall measure the duration of the major ICT-related incident from the earlier between the moment the financial entity detected the incident and the moment when the financial entity recorded the incident in network or system logs or other data sources. Financial entities that do not yet know the moment when the major ICT-related incident will be resolved shall apply estimates. The value shall be expressed in days, hours, and minutes.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the major ICT-related incident in case of differences between financial entities.
No
Yes
Yes
DD:HH:MM 3.16.
Service downtime
Service downtime measured from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users, until the moment when regular activities or operations have been restored to the level of service that was provided prior to the major ICT-related incident.
Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, financial entities shall measure the downtime from the start of the major ICT-related incident until the moment when that delayed service is provided. Financial entities that are unable to determine the moment when the service downtime has started, shall measure the service downtime from the earlier between the moment the incident was detected and the moment when it has been recorded.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the service downtime in case of differences between financial entities.
No
Yes, if the incident has caused a service downtime
Yes, if the incident has caused a service downtime
DD:HH:MM 3.17.
Information on whether the numbers for duration and service downtime are actual or estimates
Information on whether the values reported in data fields 3.15 and 3.16 are actual or estimates.
No
Yes, if ‘Duration and service downtime’ criterion met
Yes, if ‘Duration and service downtime’ criterion met
Choice:
—
Actual figures;
—
Estimates;
—
Actual figures and estimates;
—
No information available. 3.18.
Types of impact in the Member States
Type of impact in the respective EEA Member States.
Indication of whether the major ICT-related incident has had an impact in other EEA Member States (other than the Member State of the competent authority to which the incident is directly reported), in accordance with Article 4 of Delegated Regulation (EU) 2024/1772, and in particular with regard to the significance of the impact in relation to:
(a)
clients and financial counterparts affected in other Member States; or
(b)
branches or other financial entities within the group carrying out activities in other Member States; or
(c)
financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services.
No
Yes, if ‘Geographical spread’ threshold is met
Yes, if ‘Geographical spread’ threshold is met
Choice (multiple):
—
clients;
—
financial counterparts;
—
branch of the financial entity;
—
financial entities within the group carrying out activities in the respective Member State;
—
financial market infrastructure;
—
third-party providers that may be common to other financial entities. 3.19.
Description of how the incident has an impact in other Member States
Description of the impact and severity of the major ICT-related incident in each affected Member State, including an assessment of the impact and severity on:
(a)
clients;
(b)
financial counterparts;
(c)
branches of the financial entity;
(d)
other financial entities within the group carrying out activities in the respective Member State;
(e)
financial market infrastructures;
(f)
third-party providers that may be common to other financial entities as applicable in other Member State(s).
No
Yes, if ‘Geographical spread’ threshold is met
Yes, if ‘Geographical spread’ threshold is met
Alphanumeric 3.20.
Materiality thresholds for the classification criterion ‘Data losses’
Type of data losses that the major ICT-related incident entails in relation to availability, authenticity, integrity, and confidentiality of data.
Financial entities shall take into account Articles 5 and 13 of Delegated Regulation (EU) 2024/1772 in their assessment.
In case of aggregated reporting as referred to in Article 7 of this Regulation, the data losses affecting at least one financial entity.
No
Yes, if ‘Data losses’ criterion is met
Yes, if ‘Data losses’ criterion is met
Choice (multiple):
—
availability;
—
authenticity;
—
integrity;
—
confidentiality. 3.21.
Description of the data losses
Description of the impact of the major ICT-related incident on availability, authenticity, integrity, and confidentiality of critical data in accordance with Articles 5 and 13 of Delegated Regulation (EU) 2024/1772.
Information about the impact on the implementation of the business objectives of the financial entity or on meeting regulatory requirements.
As part of the information provided, financial entities shall indicate whether the data affected are client data, other entities’ data (e.g. financial counterparts), or data of the financial entity itself.
The financial entity may also indicate the type of data involved in the incident – in particular, whether the data is confidential and what type of confidentiality was involved (e.g. commercial/business confidentiality, personal data, professional secrecy: banking secrecy, insurance secrecy, payment services secrecy, etc.).
The information may also include possible risks associated with the data losses, such as whether the data affected by the incident can be used to identify individuals and could be used by the threat actor to obtain credit or loans without their consent, to conduct spear phishing attacks, to disclose information publicly.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, a general description of the impact of the incident on the affected financial entities. Where there are differences of the impact, the description of the impact shall clearly indicate the specific impact on the different financial entities.
No
Yes, if ‘Data losses’ criterion is met
Yes, if ‘Data losses’ criterion is met
Alphanumeric 3.22.
Classification criterion ‘Critical services affected’
Information related to the criterion ‘Critical services affected’.
Financial entities shall take into account Articles 6 of Delegated Regulation (EU) 2024/1772 in their assessment, including information about:
—
the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or
—
the ICT services or network and information systems that support critical or important functions of the financial entity; and
—
the nature of the malicious and unauthorised access to the network and information systems of the financial entity.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the impact on critical services that apply to at least one financial entity.
No
Yes
Yes
Alphanumeric 3.23.
Type of the incident
Classification of incidents by type.
No
Yes
Yes
Choice (multiple):
—
Cybersecurity-related;
—
Process failure;
—
System failure;
—
External event;
—
Payment-related;
—
Other (please specify). 3.24.
Other types of incidents
Other types of ICT-related incidents: financial entities that have selected ‘other’ type of incidents in the data field 3.23, shall specify the type of ICT-related incident.
No
Yes, if ‘other’ type of incidents is selected in data field 3.23
Yes, if ‘other’ type of incidents is selected in data field 3.23
Alphanumeric 3.25.
Threats and techniques used by the threat actor
Indicate the threats and techniques used by the threat actor, including:
(a)
social engineering, including phishing;
(b)
(c)
identity theft;
(d)
data encryption for impact, including ransomware;
(e)
resource hijacking;
(f)
data exfiltration and manipulation, excluding identity theft;
(g)
data destruction;
(h)
defacement;
(i)
supply-chain attack;
(j)
other (please specify).
No
Yes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23
Yes, if the type of the ICT-related incident is ‘cybersecurity-related’ in field 3.23
Choice (multiple):
—
Social engineering (including phishing);
— —
Identity theft;
—
Data encryption for impact, including ransomware;
—
Resource hijacking;
—
Data exfiltration and manipulation, including identity theft;
—
Data destruction;
—
Defacement;
—
Supply-chain attack;
—
Other (please specify). 3.26.
Other types of techniques
Other types of techniques
Financial entities that have selected ‘other’ type of techniques in data field 3.25 shall specify the type of technique.
No
Yes, if other’ type of techniques is selected in data field 3.25
Yes, if other’ type of techniques is selected in data field 3.25
Alphanumeric 3.27.
Information about affected functional areas and business processes
Indication of the functional areas and business processes that are affected by the incident, including products and services.
The functional areas shall include but are not limited to:
(a)
marketing and business development;
(b)
customer service;
(c)
product management;
(d)
regulatory compliance;
(e)
risk management;
(f)
finance and accounting;
(g)
HR and general services;
(h)
information Technology.
The business processes shall include but are not limited to:
—
account information;
—
actuarial services;
—
acquiring of payment transactions;
—
authentication/authorization;
—
authority;
—
client on-boarding;
—
benefit administration;
—
benefit payment management;
—
buying and selling packaged insurances policies between insurances;
—
card payments;
—
cash management;
—
cash placement or withdrawals;
—
insurance claim management;
—
claim process insurance;
—
clearing;
—
corporate loans conglomerates;
—
collective insurances;
—
credit transfers;
—
custody and asset safekeeping;
—
customer onboarding;
—
data ingestion;
—
data processing;
—
direct debits;
—
export insurances;
—
finalizing trades/deals;
—
financial instruments placing;
—
fund accounting;
—
FX money;
—
investment advice;
—
investment management;
—
issuing of payment instruments;
—
lending management;
—
life insurance payments process;
—
money remittance;
—
net asset calculation;
—
order;
—
payment initiation;
—
insurance underwriting;
—
portfolio management;
—
premium collection;
—
reception/transmission/execution;
—
reinsurance;
—
settlement;
—
transaction monitoring.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, the affected functional areas and business processes in at least one financial entity.
No
Yes
Yes
Alphanumeric 3.28.
Affected infrastructure components supporting business processes
Information on whether infrastructure components (servers, operating systems, software, application servers, middleware, network components, others) supporting business processes have been affected by the major ICT-related incident.
No
Yes
Yes
Choice:
—
Yes;
—
No;
—
Information not available. 3.29.
Information about affected infrastructure components supporting business processes
Description on the impact of the major ICT-related incident on infrastructure components supporting business processes including hardware and software.
Hardware includes servers, computers, data centres, switches, routers, hubs. Software includes operating systems, applications, databases, security tools, network components, others please specify. The descriptions shall describe or name affected infrastructure components or systems, and, where available:
(a)
version information;
(b)
internal infrastructure/partially outsourced/fully outsourced – third-party provider name;
(c)
whether the infrastructure is used or shared across multiple business functions;
(d)
relevant resilience/continuity/recovery/ substitutability arrangements in place.
No
Yes, if the incident has affected infrastructure components supporting business processes
Yes, if the incident has affected infrastructure components supporting business processes
Alphanumeric 3.30.
Impact on the financial interest of clients
Information on whether the major ICT-related incident has impacted the financial interest of clients.
No
Yes
Yes
Choice:
—
Yes;
—
No;
—
Information not available. 3.31.
Reporting to other authorities
Specification of which authorities were informed about the major ICT-related incident.
Taking into account the differences resulting from the national legislation of the Member States, the concept of law enforcement authorities shall be understood by financial entities broadly to include public authorities empowered to prosecute cybercrime, including police, law enforcement agencies, and public prosecutors.
No
Yes
Yes
Choice (multiple):
—
Police/Law Enforcement;
—
CSIRT;
—
Data Protection Authority;
—
National Cybersecurity Agency;
—
None;
—
Other (please specify). 3.32.
Specification of ‘other’ authorities
Specification of ‘other’ types of authorities informed about the major ICT-related incident.
If selected in Data field 3.31 ‘Other’, the description shall include more detailed information about the authority to which the financial entity has submitted information about the major ICT-related incident.
No
Yes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident.
Yes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident
Alphanumeric 3.33.
Temporary actions/measures taken or planned to be taken to recover from the incident
Indication of whether financial entity has implemented (or plan to implement) any temporary actions that have been taken (or planned to be taken) to recover from the major ICT-related incident.
No
Yes
Yes
Boolean (Yes or No) 3.34.
Description of any temporary actions and measures taken or planned to be taken to recover from the incident
The information shall describe the immediate actions taken, including the isolation of the incident at the network level, workaround procedures activated, USB ports blocked, Disaster Recovery site activated, any other additional security controls temporarily put in place.
Financial entities shall indicate the date and the time of the implementation of the temporary actions and the expected date of return to the primary site. For any temporary actions that have not been implemented but are still planned, indication of the date by when their implementation is expected.
If no temporary actions/measures have been taken, please indicate the reason.
No
Yes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)
Yes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33)
Alphanumeric 3.35.
Indicators of compromise
Information related to the major ICT-related incident that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.
The field applies only to those financial entities that fall within the scope of Directive (EU) 2022/2555 of the European Parliament and of the Council
and those financial entities financial entities identified as essential or important entities pursuant to national rules transposing 2022, where relevant.
The IoC provided by the financial entity shall include the following categories of data:
(a)
IP addresses;
(b)
URL addresses;
(c)
domains;
(d)
file hashes;
(e)
malware data (malware name, file names and their locations, specific registry keys associated with malware activity);
(f)
network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);
(g)
email message data (sender, recipient, subject, header, content);
(h)
DNS requests and registry configurations;
(i)
user account activities (logins, privileged user account activity, privilege escalation);
(j)
database traffic (read/write), requests to the same file.
In practice, this type of information may include data relating to, inter alia, indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits.
No
Yes, if cybersecurity-related is selected as a type of incident in data field 3.23
Yes, if cybersecurity-related is selected as a type of incident in data field 3.23
Alphanumeric
Content of the final report
4.1.
High-level classification of root causes of the incident
High-level classification of root cause of the major ICT-related incident under the incident types, including the following high-level categories:
(a)
malicious actions;
(b)
process failure;
(c)
system failure/malfunction;
(d)
human error;
(e)
external event.
No
No
Yes
Choice (multiple):
—
malicious actions;
—
process failure;
—
system failure / malfunction;
—
human error;
—
external event.
4.2.
Detailed classification of root causes of the incident
Detailed classification of root causes of the major ICT-related incident under the incident types, including the following detailed categories linked to the high-level categories that are reported in data field 4.1:
1.
Malicious actions
(if selected, choose one or more the following):
(a)
deliberate internal actions;
(b)
deliberate physical damage/manipulation/theft;
(c)
fraudulent actions.
2.
Process failure
(if selected, choose one or more the following):
(a)
insufficient monitoring or failure of monitoring and control;
(b)
insufficient/unclear roles and responsibilities;
(c)
ICT risk management process failure;
(d)
insufficient or failure of ICT operations and ICT security operations;
(e)
insufficient or failure of ICT project management;
(f)
inadequate internal policies, procedures and documentation;
(g)
inadequate ICT systems acquisition, development, or maintenance;
(h)
other (please specify).
3.
System failure/malfunction
(if selected, choose one or more the following):
(a)
hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;
(b)
hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;
(c)
hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;
(d)
software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;
(e)
software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;
(f)
network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;
(g)
physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;
(h)
other (please specify).
4.
Human error
(if selected, choose one or more the following):
(a)
omission (unintentional);
(b)
mistake;
(c)
skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;
(d)
inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;
(e)
miscommunication;
(f)
other (please specify).
5.
External event
(if selected, choose one or more the following):
(a)
natural disasters/force majeure;
(b)
third-party failures;
(c)
other (please specify).
Financial entities shall consider that for recurring major ICT-related incidents, the specific apparent root cause of the incident is taken into account and not the broad categories included in this field.
No
No
Yes
Choice (multiple):
—
malicious actions: deliberate internal actions;
—
malicious actions: deliberate physical damage/manipulation/theft;
—
malicious actions: fraudulent actions;
—
process failure: insufficient monitoring or failure of monitoring and control;
—
process failure:
i
nsufficient/unclear roles and responsibilities;
—
process failure: ICT risk management process failure;
—
process failure: insufficient or failure of ICT operations and ICT security operations;
—
process failure: insufficient or failure of ICT project management;
—
process failure: inadequacy of internal policies, procedures and documentation;
—
Process failure: inadequate ICT systems acquisition, development, and maintenance;
—
process failure: other (please specify);
—
system failure: hardware capacity and performance;
—
system failure: hardware maintenance;
—
system failure: hardware obsolescence/ageing;
—
system failure: software compatibility/configuration;
—
system failure: software performance;
—
system failure: network configuration;
—
system failure: physical damage;
—
system failure: other (please specify);
—
human error: omission;
—
human error: mistake;
—
human error: skills & knowledge;
—
human error: inadequate human resources;
—
human error miscommunication;
—
human error: other (please specify);
—
external event: natural disasters/force majeure;
—
external event: third-party failures;
—
external event: other (please specify).
4.3.
Additional classification of root causes of the incident
Additional classification of root causes of the major ICT-related incident under the incident type, including the following additional classification categories linked to the detailed categories that are to be reported in data field 4.2.
The field is mandatory for the final report if specific categories that require further granularity are reported in data field 4.2.
2(a)
Insufficient or failure of monitoring and control:
(a)
monitoring of policy adherence;
(b)
monitoring of third-party service providers;
(c)
monitoring and verification of remediation of vulnerabilities;
(d)
identity and access management;
(e)
encryption and cryptography;
(f)
logging.
2(c)
ICT risk management process failure:
(a)
failure in specifying accurate risk tolerance levels;
(b)
insufficient vulnerability and threat assessments;
(c)
inadequate risk treatment measures;
(d)
poor management of residual ICT risks.
2(d)
Insufficient or failure of ICT operations and ICT security operations:
(a)
vulnerability and patch management;
(b)
change management;
(c)
capacity and performance management;
(d)
ICT asset management and information classification;
(e)
backup and restore;
(f)
error handling.
2(g)
Inadequate ICT Systems acquisition, development, and maintenance:
(a)
inadequate ICT Systems acquisition, development, and maintenance;
(b)
insufficient software testing or failure of software testing.
No
No
Yes
Choice (multiple):
—
monitoring of policy adherence;
—
monitoring of third-party service providers;
—
monitoring and verification of remediation of vulnerabilities;
—
identity and access management;
—
encryption and cryptography;
—
logging;
—
failure in specifying accurate risk tolerance levels;
—
insufficient vulnerability and threat assessments;
—
inadequate risk treatment measures;
—
poor management of residual ICT risks;
—
vulnerability and patch management;
—
change management;
—
capacity and performance management;
—
ICT asset management and information classification;
—
backup and restore;
—
error handling;
—
inadequate ICT systems acquisition, development, and maintenance;
—
insufficient or failure of software testing.
4.4.
Other types of root cause types
Financial entities that have selected ‘other’ type of root cause in data field 4.2 shall specify other types of root cause types
No
No
Yes, if ‘other’ type of root causes is selected in data field 4.2.
Alphanumeric
4.5.
Information about the root causes of the incident
Description of the sequence of events that led to the major ICT-related incident and description of how the major ICT-related incident has a similar apparent root cause if that incident is classified as a recurring incident, including a concise description of all underlying reasons and primary factors that contributed to the occurrence of the major ICT-related incident.
Where there were malicious actions, description of the modus operandi of the malicious action, including the tactics, techniques and procedures used, as well as the entry vector of the major ICT-related incident, including a description of the investigations and analysis that led to the identification of the root causes, if applicable.
No
No
Yes
Alphanumeric
4.6.
Incident resolution
Additional information regarding the actions/measures taken/planned to permanently resolve the major ICT-related incident and to prevent that incident from happening again.
Lessons learnt from the major ICT-related incident.
The description shall contain the following points:
1.
Resolution actions description
(a)
Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);
(b)
for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;
(c)
indicate whether procedures have been adapted following the major ICT-related incident;
(d)
indicate any additional controls that were put in place or that are planned with related implementation timeline.
Potential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.
Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently.
2.
Lessons learnt
Financial entities shall describe findings from the post-incident review.
No
No
Yes
Alphanumeric
4.7.
Date and time when the incident root cause was addressed
Date and time when the incident root cause was addressed.
No
No
Yes
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
4.8.
Date and time when the incident was resolved
Date and time when the incident was resolved.
No
No
Yes
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
4.9.
Information if the permanent resolution date of the incidents differs from the initially planned implementation date
Descriptions of the reason why the permanent resolution date of the major ICT-related incidents is different from the initially planned implementation date, where applicable.
No
No
Yes
Alphanumeric 4.10.
Assessment of risk to critical functions for resolution purposes
Assessment of whether the major ICT-related incident poses a risk to critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council
.
Entities as referred to in EU shall indicate whether the incident poses a risk to the critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU, and as reported in Template Z07.01 of Commission Implementing Regulation (EU) 2018/1624
and mapped to the specific entity in Template Z07.02.
No
No
Yes, if the incident poses a risk to critical functions of financial entities under Article 2(1), point 35, of Directive 2014/59/EU
Alphanumeric 4.11.
Information relevant for resolution authorities
Description of whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.
Entities as referred to in EU shall provide information on whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.
Those entities shall also indicate whether the major ICT-related incident affects the solvency or liquidity of the financial entity and the potential quantification of the impact.
Those entities shall also provide information on the impact on operational continuity, impact on resolvability of the entity, any additional impact on the costs and losses from the major ICT-related incident, including on the financial entity’s capital position, and whether the contractual arrangements on the use of ICT services are still robust and fully enforceable in the event of resolution of the entity.
No
No
Yes, if the incident has affected the resolvability of the entity or the group
Alphanumeric 4.12.
Materiality threshold for the classification criterion ‘Economic impact’
Detailed information about thresholds eventually reached by the major ICT-related incident in relation to the criterion ‘Economic impact’ referred to in Articles 7 and 14 of the Delegated Regulation (EU) 2024/1772.
No
No
Yes
Alphanumeric 4.13.
Amount of gross direct and indirect costs and losses
Total amount of gross direct and indirect costs and losses incurred by the financial entity stemming from the major ICT-related incident, including:
(a)
the amount of expropriated funds or financial assets for which the financial entity is liable;
(b)
the amount of replacement or relocation costs of software, hardware or infrastructure;
(c)
the amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff;
(d)
the amount of fees due to non-compliance with contractual obligations;
(e)
the amount of customer redress and compensation costs;
(f)
the amount of losses due to forgone revenues;
(g)
the amount of costs associated with internal and external communication;
(h)
the amount of advisory costs, including costs associated with legal counselling, forensic and remediation services;
(i)
the amount other costs and losses, including:
(i)
direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;
(ii)
provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident;
(iii)
pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;
(iv)
material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;
(v)
timing losses, where they span more than one financial accounting year and give rise to legal risk.
Financial entities shall take into account in their assessment Article 7(1) and (2) of Delegated Regulation (EU) 2024/1772. Financial entities shall not include in this figure financial recoveries of any type.
Financial entities shall report the monetary amount as a positive value.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of costs and losses across all financial entities.
Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units.
No
No
Yes
Monetary 4.14.
Amount of financial recoveries
Total amount of financial recoveries.
Financial recoveries shall relate to the original loss caused by the incident, independently from the time when the financial recoveries in the form of funds or inflows of economic benefits are received.
Financial entities shall report the monetary amount as a positive value.
In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of financial recoveries across all financial entities.
No
No
Yes
Monetary
Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units 4.15.
Information on whether the non-major incidents have been recurring
Information on whether more than one non-major ICT-related incident have been recurring and are together considered to be a major incident within the meaning of Article 8(2) of Delegated Regulation (EU) 2024/1772.
Financial entities shall indicate whether the non-major ICT-related incidents have been recurring and are together considered as one major ICT-related incident.
Financial entities shall also indicate the number of occurrences of these non-major ICT-related incidents.
No
No
Yes, if the major incident comprises more than one non-major recurring incidents.
Alphanumeric 4.16.
Date and time of occurrence of recurring incidents
Where financial entities report recurring ICT-related incidents, date and time at which the first ICT-related incident has occurred.
No
No
Yes, for recurring incidents
ISO 8601 standard UTC (YYYY-MM-DD Thh: mm:ss)
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
http://data.europa.eu/eli/dir/2022/2555/oj
).
Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council
http://data.europa.eu/eli/dir/2014/59/oj
).
Commission Implementing Regulation (EU) 2018/1624 of 23 October 2018 laying down implementing technical standards with regard to procedures and standard forms and templates for the provision of information for the purposes of resolution plans for credit institutions and investment firms pursuant to Directive 2014/59/EU of the European Parliament and of the Council, and repealing Commission Implementing Regulation (EU) 2016/1066
http://data.europa.eu/eli/reg_impl/2018/1624/oj
| Number of field | Data field | |
|---|---|---|
| General information about the financial entity | ||
| 1.1 | Type of submission | |
| 1.2 | Name of the entity submitting the report | |
| 1.3 | Identification code of the entity submitting the report | |
| 1.4 | Type of financial entity affected | |
| 1.5 | Name of the financial entity affected | |
| 1.6 | LEI code of the financial entity affected | |
| 1.7 | Primary contact person name | |
| 1.8 | Primary contact person email | |
| 1.9 | Primary contact person telephone | |
| 1.10 | Second contact person name | |
| 1.11 | Second contact person email | |
| 1.12 | Second contact person telephone | |
| 1.13 | Name of the ultimate parent undertaking | |
| 1.14 | LEI code of the ultimate parent undertaking | |
| 1.15 | Reporting currency | |
| Content of the initial notification | ||
| 2.1 | Incident reference code assigned by the financial entity | |
| 2.2 | Date and time of detection of the major ICT-related incident | |
| 2.3 | Date and time of classification of the ICT-related incident as major | |
| 2.4 | Description of the major ICT-related incident | |
| 2.5 | Classification criteria that triggered the incident report | |
| 2.6 | Materiality thresholds for the classification criterion ‘Geographical spread’ | |
| 2.7 | Discovery of the major ICT-related incident | |
| 2.8 | Indication whether the major ICT-related incident originates from a third-party provider or another financial entity | |
| 2.9 | Activation of business continuity plan, if activated | |
| 2.10 | Other relevant information | |
| Content of the intermediate report | ||
| 3.1 | Incident reference code provided by the competent authority | |
| 3.2 | Date and time of occurrence of the major ICT-related incident | |
| 3.3 | Date and time when services, activities or operations have been recovered | |
| 3.4 | Number of clients affected | |
| 3.5 | Percentage of clients affected | |
| 3.6 | Number of financial counterparts affected | |
| 3.7 | Percentage of financial counterparts affected | |
| 3.8 | Impact on relevant clients or financial counterparts | |
| 3.9 | Number of affected transactions | |
| 3.10 | Percentage of affected transactions | |
| 3.11 | Value of affected transactions | |
| 3.12 | Information on whether the numbers are actual or estimates, or whether there has not been any impact | |
| 3.13 | Reputational impact | |
| 3.14 | Contextual information about the reputational impact | |
| 3.15 | Duration of the major ICT-related incident | |
| 3.16 | Service downtime | |
| 3.17 | Information on whether the numbers for duration and service downtime are actual or estimates. | |
| 3.18 | Types of impact in the Member States | |
| 3.19 | Description of how the major ICT-related incident has an impact in other Member States | |
| 3.20 | Materiality thresholds for the classification criterion ‘Data losses’ | |
| 3.21 | Description of the data losses | |
| 3.22 | Classification criterion ‘Critical services affected’ | |
| 3.23 | Type of the major ICT-related incident | |
| 3.24 | Other types of incidents | |
| 3.25 | Threats and techniques used by the threat actor | |
| 3.26 | Other types of techniques | |
| 3.27 | Information about affected functional areas and business processes | |
| 3.28 | Affected infrastructure components supporting business processes | |
| 3.29 | Information about affected infrastructure components supporting business processes | |
| 3.30 | Impact on the financial interest of clients | |
| 3.31 | Reporting to other authorities | |
| 3.32 | Specification of ‘other’ authorities | |
| 3.33 | Temporary actions/measures taken or planned to be taken to recover from the incident | |
| 3.34 | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | |
| 3.35 | Indicators of compromise | |
| Content of the final report | ||
| 4.1 | High-level classification of root causes of the incident | |
| 4.2 | Detailed classification of root causes of the incident | |
| 4.3 | Additional classification of root causes of the incident | |
| 4.4 | Other types of root cause types | |
| 4.5 | Information about the root causes of the incident | |
| 4.6 | Incident resolution summary | |
| 4.7 | Date and time when the incident root cause was addressed | |
| 4.8 | Date and time when the incident was resolved | |
| 4.9 | Information if the permanent resolution date of the incident differs from the initially planned implementation date | |
| 4.10 | Assessment of risk to critical functions for resolution purposes | |
| 4.11 | Information relevant for resolution authorities | |
| 4.12 | Materiality threshold for the classification criterion ‘Economic impact’ | |
| 4.13 | Amount of gross direct and indirect costs and losses | |
| 4.14 | Amount of financial recoveries | |
| 4.15 | Information on whether the non-major incidents have been recurring | |
| 4.16 | Date and time of occurrence of recurring incidents |
Table 1 in anx_II
| Data field | Description | Mandatory for initial notification | Mandatory for intermediate report | Mandatory for final report | Field type |
|---|---|---|---|---|---|
| General information about the financial entity | |||||
| 1.1.Type of submission | 1.1. | Type of submission | Indicate the type of incident notification or report being submitted to the competent authority. | Yes | Yes |
| 1.1. | Type of submission | ||||
| — | initial notification; | ||||
| — | intermediate report; | ||||
| — | final report; | ||||
| — | major incident reclassified as non-major. | ||||
| 1.2.Name of the entity submitting the report | 1.2. | Name of the entity submitting the report | Full legal name of the entity submitting the report. | Yes | Yes |
| 1.2. | Name of the entity submitting the report | ||||
| 1.3.Identification code of the entity submitting the report | 1.3. | Identification code of the entity submitting the report | Identification code of the entity submitting the report.Where financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.A third-party provider that submits a report for a financial entity can use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554. | Yes | Yes |
| 1.3. | Identification code of the entity submitting the report | ||||
| 1.4.Type of the affected financial entity | 1.4. | Type of the affected financial entity | Type of the entity as referred to in Article 2(1), points (a) to (t), of Regulation (EU) 2022/2554 for whom the report is submitted.In case of aggregated reporting as referred to in Article 7 of this Regulation, the different types of financial entities covered in the aggregated report to be selected. | Yes | Yes |
| 1.4. | Type of the affected financial entity | ||||
| — | credit institution; | ||||
| — | payment institution; | ||||
| — | exempted payment institution; | ||||
| — | account information service provider; | ||||
| — | electronic money institution; | ||||
| — | exempted electronic money institution; | ||||
| — | investment firm; | ||||
| — | crypto-asset service provider; | ||||
| — | issuer of asset-referenced tokens; | ||||
| — | central securities depository; | ||||
| — | central counterparty; | ||||
| — | trading venue; | ||||
| — | trade repository; | ||||
| — | manager of alternative investment fund; | ||||
| — | management company; | ||||
| — | data reporting service provider; | ||||
| — | insurance and reinsurance undertaking; | ||||
| — | insurance intermediary, reinsurance intermediary and ancillary insurance intermediary; | ||||
| — | institution for occupational retirement provision; | ||||
| — | credit rating agency; | ||||
| — | administrator of critical benchmarks; | ||||
| — | crowdfunding service provider; | ||||
| — | securitisation repository. | ||||
| 1.5.Name of the financial entity affected | 1.5. | Name of the financial entity affected | Full legal name of the financial entity affected by the major ICT-related incident and required to report the major incident to its competent authority under Article 19 of Regulation (EU) 2022/2554.In case of aggregated reporting:(a)list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon;(b)the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon. | (a) | list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon; |
| 1.5. | Name of the financial entity affected | ||||
| (a) | list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon; | ||||
| (b) | the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon. | ||||
| 1.6.LEI code of the financial entity affected | 1.6. | LEI code of the financial entity affected | Legal Entity Identifier (LEI) of the financial entity affected by the major ICT-related incident assigned in accordance with the International Organisation for Standardisation.In case of aggregated reporting:(a)a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon.(b)the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon.The order of appearance of LEI codes and financial entities names shall be identical. | (a) | a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon. |
| 1.6. | LEI code of the financial entity affected | ||||
| (a) | a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon. | ||||
| (b) | the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon. | ||||
| 1.7.Primary contact person name | 1.7. | Primary contact person name | Name and surname of the primary contact person of the financial entity.In case of aggregated reporting as referred to in Article 7 of this Regulation, the name of the primary contact person in the entity submitting the aggregated report. | Yes | Yes |
| 1.7. | Primary contact person name | ||||
| 1.8.Primary contact person email | 1.8. | Primary contact person email | Email address of the primary contact person that can be used by the competent authority for follow-up communication.In case of aggregated reporting as referred to in Article 7 of this Regulation, the email of the primary contact person in the entity submitting the aggregated report. | Yes | Yes |
| 1.8. | Primary contact person email | ||||
| 1.9.Primary contact person telephone | 1.9. | Primary contact person telephone | The telephone number of the primary contact person that can be used by the competent authority for follow-up communication.In case of aggregated reporting as referred to in Article 7 of this Regulation, the telephone number of the primary contact person in the entity submitting the aggregated report.The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX) | Yes | Yes |
| 1.9. | Primary contact person telephone | ||||
| 1.10.Second contact person name | 1.10. | Second contact person name | Name and surname of the second contact person or the name of the responsible team of the financial entity or an entity submitting the report on behalf of the financial entity | Yes | Yes |
| 1.10. | Second contact person name | ||||
| 1.11.Second contact person email | 1.11. | Second contact person email | Email address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication. | Yes | Yes |
| 1.11. | Second contact person email | ||||
| 1.12.Second contact person telephone | 1.12. | Second contact person telephone | The telephone number of the second contact person, or of a team, that can be used by the competent authority for follow-up communication.The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX) | Yes | Yes |
| 1.12. | Second contact person telephone | ||||
| 1.13.Name of the ultimate parent undertaking | 1.13. | Name of the ultimate parent undertaking | Name of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable. | Yes, if the FE belongs to a group | Yes, if the FE belongs to a group |
| 1.13. | Name of the ultimate parent undertaking | ||||
| 1.14.LEI code of the ultimate parent undertaking | 1.14. | LEI code of the ultimate parent undertaking | LEI of the ultimate parent undertaking of the group to which the affected financial entity belongs, where applicable. Assigned in accordance with the International Organisation for Standardisation. | Yes, if the FE belongs to a group | Yes, if the FE belongs to a group |
| 1.14. | LEI code of the ultimate parent undertaking | ||||
| 1.15.Reporting currency | 1.15. | Reporting currency | Currency used for the incident reporting | Yes | Yes |
| 1.15. | Reporting currency | ||||
| Content of the initial notification | |||||
| 2.1.Incident reference code assigned by the financial entity | 2.1. | Incident reference code assigned by the financial entity | Unique reference code issued by the financial entity unequivocally identifying the major ICT-related incident.In case of aggregated reporting as referred to in Article 7 of this Regulation, the incident reference code assigned by the third-party provider. | Yes | Yes |
| 2.1. | Incident reference code assigned by the financial entity | ||||
| 2.2.Date and time of detection of the ICT-related incident | 2.2. | Date and time of detection of the ICT-related incident | Date and time at which the financial entity has become aware of the ICT-related incident.For recurring incidents, the date and the time at which the last ICT-related incident was detected. | Yes | Yes |
| 2.2. | Date and time of detection of the ICT-related incident | ||||
| 2.3.Date and time of classification of the incident as major | 2.3. | Date and time of classification of the incident as major | Date and time when the ICT-related incident was classified as major according to the classification criteria established in Delegated Regulation (EU) 2024/1772 | Yes | Yes |
| 2.3. | Date and time of classification of the incident as major | ||||
| 2.4.Description of the ICT-related incident | 2.4. | Description of the ICT-related incident | Description of the most relevant aspects of the major ICT-related incident.Financial entities shall provide a high-level overview of the following information such as possible causes, immediate impacts, systems affected, and others. Financial entities, shall include, where known or reasonably expected, whether the incident impacts third-party providers or other financial entities, the type of provider or financial entity, their name, their respective identification codes and type of the identification code (e.g. LEI or EUID).In subsequent reports, the field content can evolve over time to reflect the ongoing understanding of the ICT-related incident and describe any other relevant information about the ICT-related incident not captured by the data fields, including the internal severity assessment by the financial entity (e.g. very low, low, medium, high, very high) and an indication of the level and name of most senior decision structures that has been involved in response to the ICT-related incident. | Yes | Yes |
| 2.4. | Description of the ICT-related incident | ||||
| 2.5.Classification criteria that triggered the incident report | 2.5. | Classification criteria that triggered the incident report | Classification criteria under Delegated Regulation (EU) 2024/1772 that have triggered determination of the ICT-related incident as major and subsequent notification and reporting.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the classification criteria that have triggered determination of the ICT-related incident as major for at least one or more financial entities. | Yes | Yes |
| 2.5. | Classification criteria that triggered the incident report | ||||
| — | clients, financial counterparts and transactions affected; | ||||
| — | reputational impact; | ||||
| — | duration and service downtime; | ||||
| — | geographical spread; | ||||
| — | data losses; | ||||
| — | critical services affected; | ||||
| — | economic impact. | ||||
| 2.6.Materiality thresholds for the classification criterion ‘Geographical spread’ | 2.6. | Materiality thresholds for the classification criterion ‘Geographical spread’ | EEA Member States impacted by the major ICT-related incidentWhen assessing the impact of the major ICT-related incident in other Member States, financial entities shall take into account Articles 4 and 12 of Delegated Regulation 2024/1772. | Yes, if ‘Geographical spread’ threshold is met | Yes, if ‘Geographical spread’ threshold is met |
| 2.6. | Materiality thresholds for the classification criterion ‘Geographical spread’ | ||||
| 2.7.Discovery of the major ICT-related incident | 2.7. | Discovery of the major ICT-related incident | Indication of how the major ICT-related incident has been discovered. | Yes | Yes |
| 2.7. | Discovery of the major ICT-related incident | ||||
| — | IT Security; | ||||
| — | staff; | ||||
| — | internal audit; | ||||
| — | external audit; | ||||
| — | clients; | ||||
| — | financial counterparts; | ||||
| — | third-party provider; | ||||
| — | attacker; | ||||
| — | monitoring systems; | ||||
| — | authority/agency/ law enforcement body; | ||||
| — | other. | ||||
| 2.8.Indication whether the incident originates from a third-party provider or another financial entity | 2.8. | Indication whether the incident originates from a third-party provider or another financial entity | Indication whether the major ICT-related incident originates from a third-party provider or another financial entity.Financial entities shall indicate whether the major ICT-related incident originates from a third-party provider or another financial entity (including financial entities belonging to the same group as the reporting entity) and the name, identification code of the third-party provider or financial entity and type of the identification code (e.g. LEI or EUID). | Yes, if the incident originates from a third-party provider or another financial entity | Yes, if the incident originates from a third-party provider or another financial entity |
| 2.8. | Indication whether the incident originates from a third-party provider or another financial entity | ||||
| 2.9.Activation of business continuity plan, if activated | 2.9. | Activation of business continuity plan, if activated | Indication of whether there has been a formal activation of the business continuity response measures of the financial entity. | Yes | Yes |
| 2.9. | Activation of business continuity plan, if activated | ||||
| 2.10.Other relevant information | 2.10. | Other relevant information | Any further information not covered in the template.Financial entities that have reclassified a major ICT-related incident as non-major shall describe the reasons why the ICT-related incident does not fulfil, and is not expected to fulfil, the criteria to be considered as a major ICT-related incident. | Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major. | Yes, if there is other information not covered in the template or if the major ICT-related incident has been reclassified as non-major |
| 2.10. | Other relevant information | ||||
| Content of the intermediate report | |||||
| 3.1.Incident reference code provided by the competent authority | 3.1. | Incident reference code provided by the competent authority | Unique reference code assigned by the competent authority at the time of receipt of the initial notification to unequivocally identify the major ICT-related incident. | No | Yes, if applicable |
| 3.1. | Incident reference code provided by the competent authority | ||||
| 3.2.Date and time of occurrence of the incident | 3.2. | Date and time of occurrence of the incident | Date and time at which the major ICT-related incident has occurred, if different from the time the financial entity has become aware of the major ICT-related incident.For recurring major ICT-related incidents, the date and the time at which the last major ICT-related incident has occurred. | No | Yes |
| 3.2. | Date and time of occurrence of the incident | ||||
| 3.3.Date and time when services, activities or operations have been recovered | 3.3. | Date and time when services, activities or operations have been recovered | Information on the date and time of the recovery of the services, activities or operations affected by the major ICT-related incident. | No | Yes, if data field 3.16. ‘Service downtime’ has been populated |
| 3.3. | Date and time when services, activities or operations have been recovered | ||||
| 3.4.Number of clients affected | 3.4. | Number of clients affected | Number of clients affected by the major ICT-related incident that use the service provided by the financial entity.When assessing the number of clients affected, financial entities shall take into account Articles 1(1) and 9(1), point (b), of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of clients impacted shall use estimates based on available data from comparable reference periods.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of clients affected across all financial entities. | No | Yes |
| 3.4. | Number of clients affected | ||||
| 3.5.Percentage of clients affected | 3.5. | Percentage of clients affected | Percentage of clients affected by the major ICT-related incident in relation to the total number of clients that make use of the affected service provided by the financial entity. In case of more than one service affected, the services shall be provided in an aggregated manner.Financial entities shall take into account Article 1(1) and Article 9(1), point (a), of Delegated Regulation (EU) 2024/1772 in their assessment.A financial entity that cannot determine the actual percentage of clients impacted shall use estimates based on available data from comparable reference periods.In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall divide the sum of all affected clients by the total number of clients of all impacted financial entities. | No | Yes |
| 3.5. | Percentage of clients affected | ||||
| 3.6.Number of financial counterparts affected | 3.6. | Number of financial counterparts affected | Number of financial counterparts affected by the major ICT-related incident that have concluded a contract with the financial entity.When assessing the number of financial counterparts affected, financial entities shall take into account Article 1(2) of Delegated Regulation (EU) 2024/1772 in their assessment. A financial entity that cannot determine the actual number of financial counterparts impacted shall use estimates based on available data from comparable reference periods.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total number of financial counterparts affected across all financial entities. | No | Yes |
| 3.6. | Number of financial counterparts affected | ||||
| 3.7.Percentage of financial counterparts affected | 3.7. | Percentage of financial counterparts affected | Percentage of financial counterparts affected by the major ICT-related incident in relation to the total number of financial counterparts that have concluded a contract with the financial entity.When assessing the percentage of financial counterparts affected, financial entities shall take into account Articles 1(1) and 9(1), point (c) of Delegated Regulation (EU) 2024/1772 in their assessment.A financial entity that cannot determine the actual percentage of financial counterparts impacted shall use estimates based on available data from comparable reference periods.In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the sum of all affected financial counterparts divided by the total number of financial counterparts of all impacted financial entities. | No | Yes |
| 3.7. | Percentage of financial counterparts affected | ||||
| 3.8.Impact on relevant clients or financial counterparts | 3.8. | Impact on relevant clients or financial counterparts | Any identified impact on relevant clients or financial counterpart as referred to in Article 1(3) and Article 9(1), point (f), of Delegated Regulation (EU) 2024/1772. | No | Yes, if ‘Relevance of clients and financial counterparts’ threshold is met |
| 3.8. | Impact on relevant clients or financial counterparts | ||||
| 3.9.Number of affected transactions | 3.9. | Number of affected transactions | Number of transactions affected by the major ICT-related incident.When assessing the impact on transactions, financial entities shall take into account Article 1(4) of Delegated Regulation (EU) 2024/1772, including all affected domestic and cross-border transactions containing a monetary amount that have at least one part of the transaction carried out in the Union.A financial entity that cannot determine the actual number of transactions impacted shall use estimates based on available data from comparable reference periods.In the case of aggregated reporting as referred to in Article 7 of this Regulation, indicate the total number of transactions affected across all financial entities. | No | Yes, if any transaction has been affected by the incident |
| 3.9. | Number of affected transactions | ||||
| 3.10.Percentage of affected transactions | 3.10. | Percentage of affected transactions | Percentage of affected transactions in relation to the daily average number of domestic and cross-border transactions carried out by the financial entity related to the affected service.Financial entities shall take into account Article 1(4) and Article 9(1), point (d), of Delegated Regulation (EU) 2024/1772.A financial entity that cannot determine the actual percentage of transactions impacted shall use estimates.In the case of aggregated reporting as referred to in Article 7 of this Regulation, a financial entity shall sum the number of all affected transactions and divide the sum by the total number of transactions of all impacted financial entities. | No | Yes, if any transaction has been affected by the incident |
| 3.10. | Percentage of affected transactions | ||||
| 3.11.Value of affected transactions | 3.11. | Value of affected transactions | Total value of the transactions affected by the major ICT-related incident shall be assessed in accordance with Article 1(4) and Article 9(1), point (e) of Delegated Regulation (EU) 2024/1772.A financial entity that cannot determine the actual value of transactions impacted shall use estimates based on available data from comparable reference periods.A financial entity shall report the monetary amount as a positive value.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the total value of the transactions affected across all financial entities. | No | Yes, if any transactions have been affected by the incident |
| 3.11. | Value of affected transactions | ||||
| 3.12.Information on whether the numbers are actual or estimates, or whether there has not been any impact | 3.12. | Information on whether the numbers are actual or estimates, or whether there has not been any impact | Information on whether the values reported in the data fields 3.4 to 3.11 are actual or estimates, or whether there has not been any impact. | No | Yes |
| 3.12. | Information on whether the numbers are actual or estimates, or whether there has not been any impact | ||||
| — | actual figures for clients affected; | ||||
| — | actual figures for financial counterparts affected; | ||||
| — | actual figures for transactions affected; | ||||
| — | estimates for clients affected; | ||||
| — | estimates for financial counterparts affected; | ||||
| — | estimates for transactions affected; | ||||
| — | no impact on clients; | ||||
| — | no impact on financial counterparts; | ||||
| — | no impact on transactions. | ||||
| 3.13.Reputational impact | 3.13. | Reputational impact | Information about the reputational impact resulting from the major ICT-related incident as referred to in Articles 2 and 10 of Delegated Regulation (EU) 2024/1772.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the reputational impact categories that apply to at least one financial entity. | No | Yes, if ‘Reputational impact’ criterion met |
| 3.13. | Reputational impact | ||||
| — | the major ICT-related incident has been reflected in the media; | ||||
| — | the major ICT-related incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships | ||||
| — | the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the major ICT-related incident; | ||||
| — | the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the major ICT-related incident. | ||||
| 3.14.Contextual information about the reputational impact | 3.14. | Contextual information about the reputational impact | Information describing how the major ICT-related incident has affected or could affect the reputation of the financial entity, including infringements of law, regulatory requirements not met, number of client complaints, and other.The contextual information shall include the type of media (e.g. traditional and digital media, blogs, streaming platforms) and media coverage, including reach of the media (local, national, international). Media coverage in this context shall not mean a few negative comments by followers or users of social networks.The financial entity shall also indicate whether the media coverage highlighted significant risks for its clients in relation to the major ICT-related incident, including the risk of the financial entity’s insolvency or the risk of losing funds.Financial entities shall also indicate whether they have provided information to the media that served to reliably inform the public about the major ICT-related incident and its consequences.Financial entities may also indicate whether there was false information in the media in relation to the ICT-related incident, including information based on deliberate misinformation spread by threat actors, or information relating to or illustrating defacement of the financial entity’s website. | No | Yes, if ‘Reputational impact’ criterion met. |
| 3.14. | Contextual information about the reputational impact | ||||
| 3.15.Duration of the incident | 3.15. | Duration of the incident | Financial entities shall measure the duration of the major ICT-related incident from the moment the major ICT-related incident occurred until the moment the incident was resolved.Financial entities that are unable to determine the moment when the major ICT-related incident has occurred shall measure the duration of the major ICT-related incident from the earlier between the moment the financial entity detected the incident and the moment when the financial entity recorded the incident in network or system logs or other data sources. Financial entities that do not yet know the moment when the major ICT-related incident will be resolved shall apply estimates. The value shall be expressed in days, hours, and minutes.In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the major ICT-related incident in case of differences between financial entities. | No | Yes |
| 3.15. | Duration of the incident | ||||
| 3.16.Service downtime | 3.16. | Service downtime | Service downtime measured from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users, until the moment when regular activities or operations have been restored to the level of service that was provided prior to the major ICT-related incident.Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, financial entities shall measure the downtime from the start of the major ICT-related incident until the moment when that delayed service is provided. Financial entities that are unable to determine the moment when the service downtime has started, shall measure the service downtime from the earlier between the moment the incident was detected and the moment when it has been recorded.In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall measure the longest duration of the service downtime in case of differences between financial entities. | No | Yes, if the incident has caused a service downtime |
| 3.16. | Service downtime | ||||
| 3.17.Information on whether the numbers for duration and service downtime are actual or estimates | 3.17. | Information on whether the numbers for duration and service downtime are actual or estimates | Information on whether the values reported in data fields 3.15 and 3.16 are actual or estimates. | No | Yes, if ‘Duration and service downtime’ criterion met |
| 3.17. | Information on whether the numbers for duration and service downtime are actual or estimates | ||||
| — | Actual figures; | ||||
| — | Estimates; | ||||
| — | Actual figures and estimates; | ||||
| — | No information available. | ||||
| 3.18.Types of impact in the Member States | 3.18. | Types of impact in the Member States | Type of impact in the respective EEA Member States.Indication of whether the major ICT-related incident has had an impact in other EEA Member States (other than the Member State of the competent authority to which the incident is directly reported), in accordance with Article 4 of Delegated Regulation (EU) 2024/1772, and in particular with regard to the significance of the impact in relation to:(a)clients and financial counterparts affected in other Member States; or(b)branches or other financial entities within the group carrying out activities in other Member States; or(c)financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services. | (a) | clients and financial counterparts affected in other Member States; or |
| 3.18. | Types of impact in the Member States | ||||
| (a) | clients and financial counterparts affected in other Member States; or | ||||
| (b) | branches or other financial entities within the group carrying out activities in other Member States; or | ||||
| (c) | financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services. | ||||
| — | clients; | ||||
| — | financial counterparts; | ||||
| — | branch of the financial entity; | ||||
| — | financial entities within the group carrying out activities in the respective Member State; | ||||
| — | financial market infrastructure; | ||||
| — | third-party providers that may be common to other financial entities. | ||||
| 3.19.Description of how the incident has an impact in other Member States | 3.19. | Description of how the incident has an impact in other Member States | Description of the impact and severity of the major ICT-related incident in each affected Member State, including an assessment of the impact and severity on:(a)clients;(b)financial counterparts;(c)branches of the financial entity;(d)other financial entities within the group carrying out activities in the respective Member State;(e)financial market infrastructures;(f)third-party providers that may be common to other financial entities as applicable in other Member State(s). | (a) | clients; |
| 3.19. | Description of how the incident has an impact in other Member States | ||||
| (a) | clients; | ||||
| (b) | financial counterparts; | ||||
| (c) | branches of the financial entity; | ||||
| (d) | other financial entities within the group carrying out activities in the respective Member State; | ||||
| (e) | financial market infrastructures; | ||||
| (f) | third-party providers that may be common to other financial entities as applicable in other Member State(s). | ||||
| 3.20.Materiality thresholds for the classification criterion ‘Data losses’ | 3.20. | Materiality thresholds for the classification criterion ‘Data losses’ | Type of data losses that the major ICT-related incident entails in relation to availability, authenticity, integrity, and confidentiality of data.Financial entities shall take into account Articles 5 and 13 of Delegated Regulation (EU) 2024/1772 in their assessment.In case of aggregated reporting as referred to in Article 7 of this Regulation, the data losses affecting at least one financial entity. | No | Yes, if ‘Data losses’ criterion is met |
| 3.20. | Materiality thresholds for the classification criterion ‘Data losses’ | ||||
| — | availability; | ||||
| — | authenticity; | ||||
| — | integrity; | ||||
| — | confidentiality. | ||||
| 3.21.Description of the data losses | 3.21. | Description of the data losses | Description of the impact of the major ICT-related incident on availability, authenticity, integrity, and confidentiality of critical data in accordance with Articles 5 and 13 of Delegated Regulation (EU) 2024/1772.Information about the impact on the implementation of the business objectives of the financial entity or on meeting regulatory requirements.As part of the information provided, financial entities shall indicate whether the data affected are client data, other entities’ data (e.g. financial counterparts), or data of the financial entity itself.The financial entity may also indicate the type of data involved in the incident – in particular, whether the data is confidential and what type of confidentiality was involved (e.g. commercial/business confidentiality, personal data, professional secrecy: banking secrecy, insurance secrecy, payment services secrecy, etc.).The information may also include possible risks associated with the data losses, such as whether the data affected by the incident can be used to identify individuals and could be used by the threat actor to obtain credit or loans without their consent, to conduct spear phishing attacks, to disclose information publicly.In the case of aggregated reporting as referred to in Article 7 of this Regulation, a general description of the impact of the incident on the affected financial entities. Where there are differences of the impact, the description of the impact shall clearly indicate the specific impact on the different financial entities. | No | Yes, if ‘Data losses’ criterion is met |
| 3.21. | Description of the data losses | ||||
| 3.22.Classification criterion ‘Critical services affected’ | 3.22. | Classification criterion ‘Critical services affected’ | Information related to the criterion ‘Critical services affected’.Financial entities shall take into account Articles 6 of Delegated Regulation (EU) 2024/1772 in their assessment, including information about:—the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or—the ICT services or network and information systems that support critical or important functions of the financial entity; and—the nature of the malicious and unauthorised access to the network and information systems of the financial entity.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the impact on critical services that apply to at least one financial entity. | — | the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or |
| 3.22. | Classification criterion ‘Critical services affected’ | ||||
| — | the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or | ||||
| — | the ICT services or network and information systems that support critical or important functions of the financial entity; and | ||||
| — | the nature of the malicious and unauthorised access to the network and information systems of the financial entity. | ||||
| 3.23.Type of the incident | 3.23. | Type of the incident | Classification of incidents by type. | No | Yes |
| 3.23. | Type of the incident | ||||
| — | Cybersecurity-related; | ||||
| — | Process failure; | ||||
| — | System failure; | ||||
| — | External event; | ||||
| — | Payment-related; | ||||
| — | Other (please specify). | ||||
| 3.24.Other types of incidents | 3.24. | Other types of incidents | Other types of ICT-related incidents: financial entities that have selected ‘other’ type of incidents in the data field 3.23, shall specify the type of ICT-related incident. | No | Yes, if ‘other’ type of incidents is selected in data field 3.23 |
| 3.24. | Other types of incidents | ||||
| 3.25.Threats and techniques used by the threat actor | 3.25. | Threats and techniques used by the threat actor | Indicate the threats and techniques used by the threat actor, including:(a)social engineering, including phishing;(b)(D)DoS;(c)identity theft;(d)data encryption for impact, including ransomware;(e)resource hijacking;(f)data exfiltration and manipulation, excluding identity theft;(g)data destruction;(h)defacement;(i)supply-chain attack;(j)other (please specify). | (a) | social engineering, including phishing; |
| 3.25. | Threats and techniques used by the threat actor | ||||
| (a) | social engineering, including phishing; | ||||
| (b) | (D)DoS; | ||||
| (c) | identity theft; | ||||
| (d) | data encryption for impact, including ransomware; | ||||
| (e) | resource hijacking; | ||||
| (f) | data exfiltration and manipulation, excluding identity theft; | ||||
| (g) | data destruction; | ||||
| (h) | defacement; | ||||
| (i) | supply-chain attack; | ||||
| (j) | other (please specify). | ||||
| — | Social engineering (including phishing); | ||||
| — | (D)DoS; | ||||
| — | Identity theft; | ||||
| — | Data encryption for impact, including ransomware; | ||||
| — | Resource hijacking; | ||||
| — | Data exfiltration and manipulation, including identity theft; | ||||
| — | Data destruction; | ||||
| — | Defacement; | ||||
| — | Supply-chain attack; | ||||
| — | Other (please specify). | ||||
| 3.26.Other types of techniques | 3.26. | Other types of techniques | Other types of techniquesFinancial entities that have selected ‘other’ type of techniques in data field 3.25 shall specify the type of technique. | No | Yes, if other’ type of techniques is selected in data field 3.25 |
| 3.26. | Other types of techniques | ||||
| 3.27.Information about affected functional areas and business processes | 3.27. | Information about affected functional areas and business processes | Indication of the functional areas and business processes that are affected by the incident, including products and services.The functional areas shall include but are not limited to:(a)marketing and business development;(b)customer service;(c)product management;(d)regulatory compliance;(e)risk management;(f)finance and accounting;(g)HR and general services;(h)information Technology.The business processes shall include but are not limited to:—account information;—actuarial services;—acquiring of payment transactions;—authentication/authorization;—authority;—client on-boarding;—benefit administration;—benefit payment management;—buying and selling packaged insurances policies between insurances;—card payments;—cash management;—cash placement or withdrawals;—insurance claim management;—claim process insurance;—clearing;—corporate loans conglomerates;—collective insurances;—credit transfers;—custody and asset safekeeping;—customer onboarding;—data ingestion;—data processing;—direct debits;—export insurances;—finalizing trades/deals;—financial instruments placing;—fund accounting;—FX money;—investment advice;—investment management;—issuing of payment instruments;—lending management;—life insurance payments process;—money remittance;—net asset calculation;—order;—payment initiation;—insurance underwriting;—portfolio management;—premium collection;—reception/transmission/execution;—reinsurance;—settlement;—transaction monitoring.In the case of aggregated reporting as referred to in Article 7 of this Regulation, the affected functional areas and business processes in at least one financial entity. | (a) | marketing and business development; |
| 3.27. | Information about affected functional areas and business processes | ||||
| (a) | marketing and business development; | ||||
| (b) | customer service; | ||||
| (c) | product management; | ||||
| (d) | regulatory compliance; | ||||
| (e) | risk management; | ||||
| (f) | finance and accounting; | ||||
| (g) | HR and general services; | ||||
| (h) | information Technology. | ||||
| — | account information; | ||||
| — | actuarial services; | ||||
| — | acquiring of payment transactions; | ||||
| — | authentication/authorization; | ||||
| — | authority; | ||||
| — | client on-boarding; | ||||
| — | benefit administration; | ||||
| — | benefit payment management; | ||||
| — | buying and selling packaged insurances policies between insurances; | ||||
| — | card payments; | ||||
| — | cash management; | ||||
| — | cash placement or withdrawals; | ||||
| — | insurance claim management; | ||||
| — | claim process insurance; | ||||
| — | clearing; | ||||
| — | corporate loans conglomerates; | ||||
| — | collective insurances; | ||||
| — | credit transfers; | ||||
| — | custody and asset safekeeping; | ||||
| — | customer onboarding; | ||||
| — | data ingestion; | ||||
| — | data processing; | ||||
| — | direct debits; | ||||
| — | export insurances; | ||||
| — | finalizing trades/deals; | ||||
| — | financial instruments placing; | ||||
| — | fund accounting; | ||||
| — | FX money; | ||||
| — | investment advice; | ||||
| — | investment management; | ||||
| — | issuing of payment instruments; | ||||
| — | lending management; | ||||
| — | life insurance payments process; | ||||
| — | money remittance; | ||||
| — | net asset calculation; | ||||
| — | order; | ||||
| — | payment initiation; | ||||
| — | insurance underwriting; | ||||
| — | portfolio management; | ||||
| — | premium collection; | ||||
| — | reception/transmission/execution; | ||||
| — | reinsurance; | ||||
| — | settlement; | ||||
| — | transaction monitoring. | ||||
| 3.28.Affected infrastructure components supporting business processes | 3.28. | Affected infrastructure components supporting business processes | Information on whether infrastructure components (servers, operating systems, software, application servers, middleware, network components, others) supporting business processes have been affected by the major ICT-related incident. | No | Yes |
| 3.28. | Affected infrastructure components supporting business processes | ||||
| — | Yes; | ||||
| — | No; | ||||
| — | Information not available. | ||||
| 3.29.Information about affected infrastructure components supporting business processes | 3.29. | Information about affected infrastructure components supporting business processes | Description on the impact of the major ICT-related incident on infrastructure components supporting business processes including hardware and software.Hardware includes servers, computers, data centres, switches, routers, hubs. Software includes operating systems, applications, databases, security tools, network components, others please specify. The descriptions shall describe or name affected infrastructure components or systems, and, where available:(a)version information;(b)internal infrastructure/partially outsourced/fully outsourced – third-party provider name;(c)whether the infrastructure is used or shared across multiple business functions;(d)relevant resilience/continuity/recovery/ substitutability arrangements in place. | (a) | version information; |
| 3.29. | Information about affected infrastructure components supporting business processes | ||||
| (a) | version information; | ||||
| (b) | internal infrastructure/partially outsourced/fully outsourced – third-party provider name; | ||||
| (c) | whether the infrastructure is used or shared across multiple business functions; | ||||
| (d) | relevant resilience/continuity/recovery/ substitutability arrangements in place. | ||||
| 3.30.Impact on the financial interest of clients | 3.30. | Impact on the financial interest of clients | Information on whether the major ICT-related incident has impacted the financial interest of clients. | No | Yes |
| 3.30. | Impact on the financial interest of clients | ||||
| — | Yes; | ||||
| — | No; | ||||
| — | Information not available. | ||||
| 3.31.Reporting to other authorities | 3.31. | Reporting to other authorities | Specification of which authorities were informed about the major ICT-related incident.Taking into account the differences resulting from the national legislation of the Member States, the concept of law enforcement authorities shall be understood by financial entities broadly to include public authorities empowered to prosecute cybercrime, including police, law enforcement agencies, and public prosecutors. | No | Yes |
| 3.31. | Reporting to other authorities | ||||
| — | Police/Law Enforcement; | ||||
| — | CSIRT; | ||||
| — | Data Protection Authority; | ||||
| — | National Cybersecurity Agency; | ||||
| — | None; | ||||
| — | Other (please specify). | ||||
| 3.32.Specification of ‘other’ authorities | 3.32. | Specification of ‘other’ authorities | Specification of ‘other’ types of authorities informed about the major ICT-related incident.If selected in Data field 3.31 ‘Other’, the description shall include more detailed information about the authority to which the financial entity has submitted information about the major ICT-related incident. | No | Yes, if ‘other’ type of authorities have been informed by the financial entity about the major ICT-related incident. |
| 3.32. | Specification of ‘other’ authorities | ||||
| 3.33.Temporary actions/measures taken or planned to be taken to recover from the incident | 3.33. | Temporary actions/measures taken or planned to be taken to recover from the incident | Indication of whether financial entity has implemented (or plan to implement) any temporary actions that have been taken (or planned to be taken) to recover from the major ICT-related incident. | No | Yes |
| 3.33. | Temporary actions/measures taken or planned to be taken to recover from the incident | ||||
| 3.34.Description of any temporary actions and measures taken or planned to be taken to recover from the incident | 3.34. | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | The information shall describe the immediate actions taken, including the isolation of the incident at the network level, workaround procedures activated, USB ports blocked, Disaster Recovery site activated, any other additional security controls temporarily put in place.Financial entities shall indicate the date and the time of the implementation of the temporary actions and the expected date of return to the primary site. For any temporary actions that have not been implemented but are still planned, indication of the date by when their implementation is expected.If no temporary actions/measures have been taken, please indicate the reason. | No | Yes, if temporary actions/measures have been taken or are planned to be taken (data field 3.33) |
| 3.34. | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | ||||
| 3.35.Indicators of compromise | 3.35. | Indicators of compromise | Information related to the major ICT-related incident that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.The field applies only to those financial entities that fall within the scope of Directive (EU) 2022/2555 of the European Parliament and of the Council(1)and those financial entities financial entities identified as essential or important entities pursuant to national rules transposing Article 3 of Directive (EU) 2022/2555, where relevant.The IoC provided by the financial entity shall include the following categories of data:(a)IP addresses;(b)URL addresses;(c)domains;(d)file hashes;(e)malware data (malware name, file names and their locations, specific registry keys associated with malware activity);(f)network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);(g)email message data (sender, recipient, subject, header, content);(h)DNS requests and registry configurations;(i)user account activities (logins, privileged user account activity, privilege escalation);(j)database traffic (read/write), requests to the same file.In practice, this type of information may include data relating to, inter alia, indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits. | (a) | IP addresses; |
| 3.35. | Indicators of compromise | ||||
| (a) | IP addresses; | ||||
| (b) | URL addresses; | ||||
| (c) | domains; | ||||
| (d) | file hashes; | ||||
| (e) | malware data (malware name, file names and their locations, specific registry keys associated with malware activity); | ||||
| (f) | network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic); | ||||
| (g) | email message data (sender, recipient, subject, header, content); | ||||
| (h) | DNS requests and registry configurations; | ||||
| (i) | user account activities (logins, privileged user account activity, privilege escalation); | ||||
| (j) | database traffic (read/write), requests to the same file. | ||||
| Content of the final report | |||||
| 4.1.High-level classification of root causes of the incident | 4.1. | High-level classification of root causes of the incident | High-level classification of root cause of the major ICT-related incident under the incident types, including the following high-level categories:(a)malicious actions;(b)process failure;(c)system failure/malfunction;(d)human error;(e)external event. | (a) | malicious actions; |
| 4.1. | High-level classification of root causes of the incident | ||||
| (a) | malicious actions; | ||||
| (b) | process failure; | ||||
| (c) | system failure/malfunction; | ||||
| (d) | human error; | ||||
| (e) | external event. | ||||
| — | malicious actions; | ||||
| — | process failure; | ||||
| — | system failure / malfunction; | ||||
| — | human error; | ||||
| — | external event. | ||||
| 4.2.Detailed classification of root causes of the incident | 4.2. | Detailed classification of root causes of the incident | Detailed classification of root causes of the major ICT-related incident under the incident types, including the following detailed categories linked to the high-level categories that are reported in data field 4.1:1.Malicious actions(if selected, choose one or more the following):(a)deliberate internal actions;(b)deliberate physical damage/manipulation/theft;(c)fraudulent actions.2.Process failure(if selected, choose one or more the following):(a)insufficient monitoring or failure of monitoring and control;(b)insufficient/unclear roles and responsibilities;(c)ICT risk management process failure;(d)insufficient or failure of ICT operations and ICT security operations;(e)insufficient or failure of ICT project management;(f)inadequate internal policies, procedures and documentation;(g)inadequate ICT systems acquisition, development, or maintenance;(h)other (please specify).3.System failure/malfunction(if selected, choose one or more the following):(a)hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;(b)hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;(c)hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;(d)software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;(e)software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;(f)network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;(g)physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;(h)other (please specify).4.Human error(if selected, choose one or more the following):(a)omission (unintentional);(b)mistake;(c)skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;(d)inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;(e)miscommunication;(f)other (please specify).5.External event(if selected, choose one or more the following):(a)natural disasters/force majeure;(b)third-party failures;(c)other (please specify).Financial entities shall consider that for recurring major ICT-related incidents, the specific apparent root cause of the incident is taken into account and not the broad categories included in this field. | 1. | Malicious actions(if selected, choose one or more the following):(a)deliberate internal actions;(b)deliberate physical damage/manipulation/theft;(c)fraudulent actions. |
| 4.2. | Detailed classification of root causes of the incident | ||||
| 1. | Malicious actions(if selected, choose one or more the following):(a)deliberate internal actions;(b)deliberate physical damage/manipulation/theft;(c)fraudulent actions. | (a) | deliberate internal actions; | (b) | deliberate physical damage/manipulation/theft; |
| (a) | deliberate internal actions; | ||||
| (b) | deliberate physical damage/manipulation/theft; | ||||
| (c) | fraudulent actions. | ||||
| 2. | Process failure(if selected, choose one or more the following):(a)insufficient monitoring or failure of monitoring and control;(b)insufficient/unclear roles and responsibilities;(c)ICT risk management process failure;(d)insufficient or failure of ICT operations and ICT security operations;(e)insufficient or failure of ICT project management;(f)inadequate internal policies, procedures and documentation;(g)inadequate ICT systems acquisition, development, or maintenance;(h)other (please specify). | (a) | insufficient monitoring or failure of monitoring and control; | (b) | insufficient/unclear roles and responsibilities; |
| (a) | insufficient monitoring or failure of monitoring and control; | ||||
| (b) | insufficient/unclear roles and responsibilities; | ||||
| (c) | ICT risk management process failure; | ||||
| (d) | insufficient or failure of ICT operations and ICT security operations; | ||||
| (e) | insufficient or failure of ICT project management; | ||||
| (f) | inadequate internal policies, procedures and documentation; | ||||
| (g) | inadequate ICT systems acquisition, development, or maintenance; | ||||
| (h) | other (please specify). | ||||
| 3. | System failure/malfunction(if selected, choose one or more the following):(a)hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;(b)hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;(c)hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;(d)software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;(e)software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;(f)network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;(g)physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;(h)other (please specify). | (a) | hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements; | (b) | hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’; |
| (a) | hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements; | ||||
| (b) | hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’; | ||||
| (c) | hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components; | ||||
| (d) | software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality; | ||||
| (e) | software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system; | ||||
| (f) | network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication; | ||||
| (g) | physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures; | ||||
| (h) | other (please specify). | ||||
| 4. | Human error(if selected, choose one or more the following):(a)omission (unintentional);(b)mistake;(c)skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;(d)inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;(e)miscommunication;(f)other (please specify). | (a) | omission (unintentional); | (b) | mistake; |
| (a) | omission (unintentional); | ||||
| (b) | mistake; | ||||
| (c) | skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges; | ||||
| (d) | inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands; | ||||
| (e) | miscommunication; | ||||
| (f) | other (please specify). | ||||
| 5. | External event(if selected, choose one or more the following):(a)natural disasters/force majeure;(b)third-party failures;(c)other (please specify). | (a) | natural disasters/force majeure; | (b) | third-party failures; |
| (a) | natural disasters/force majeure; | ||||
| (b) | third-party failures; | ||||
| (c) | other (please specify). | ||||
| — | malicious actions: deliberate internal actions; | ||||
| — | malicious actions: deliberate physical damage/manipulation/theft; | ||||
| — | malicious actions: fraudulent actions; | ||||
| — | process failure: insufficient monitoring or failure of monitoring and control; | ||||
| — | process failure:insufficient/unclear roles and responsibilities; | ||||
| — | process failure: ICT risk management process failure; | ||||
| — | process failure: insufficient or failure of ICT operations and ICT security operations; | ||||
| — | process failure: insufficient or failure of ICT project management; | ||||
| — | process failure: inadequacy of internal policies, procedures and documentation; | ||||
| — | Process failure: inadequate ICT systems acquisition, development, and maintenance; | ||||
| — | process failure: other (please specify); | ||||
| — | system failure: hardware capacity and performance; | ||||
| — | system failure: hardware maintenance; | ||||
| — | system failure: hardware obsolescence/ageing; | ||||
| — | system failure: software compatibility/configuration; | ||||
| — | system failure: software performance; | ||||
| — | system failure: network configuration; | ||||
| — | system failure: physical damage; | ||||
| — | system failure: other (please specify); | ||||
| — | human error: omission; | ||||
| — | human error: mistake; | ||||
| — | human error: skills & knowledge; | ||||
| — | human error: inadequate human resources; | ||||
| — | human error miscommunication; | ||||
| — | human error: other (please specify); | ||||
| — | external event: natural disasters/force majeure; | ||||
| — | external event: third-party failures; | ||||
| — | external event: other (please specify). | ||||
| 4.3.Additional classification of root causes of the incident | 4.3. | Additional classification of root causes of the incident | Additional classification of root causes of the major ICT-related incident under the incident type, including the following additional classification categories linked to the detailed categories that are to be reported in data field 4.2.The field is mandatory for the final report if specific categories that require further granularity are reported in data field 4.2.2(a)Insufficient or failure of monitoring and control:(a)monitoring of policy adherence;(b)monitoring of third-party service providers;(c)monitoring and verification of remediation of vulnerabilities;(d)identity and access management;(e)encryption and cryptography;(f)logging.2(c)ICT risk management process failure:(a)failure in specifying accurate risk tolerance levels;(b)insufficient vulnerability and threat assessments;(c)inadequate risk treatment measures;(d)poor management of residual ICT risks.2(d)Insufficient or failure of ICT operations and ICT security operations:(a)vulnerability and patch management;(b)change management;(c)capacity and performance management;(d)ICT asset management and information classification;(e)backup and restore;(f)error handling.2(g)Inadequate ICT Systems acquisition, development, and maintenance:(a)inadequate ICT Systems acquisition, development, and maintenance;(b)insufficient software testing or failure of software testing. | 2(a) | Insufficient or failure of monitoring and control:(a)monitoring of policy adherence;(b)monitoring of third-party service providers;(c)monitoring and verification of remediation of vulnerabilities;(d)identity and access management;(e)encryption and cryptography;(f)logging. |
| 4.3. | Additional classification of root causes of the incident | ||||
| 2(a) | Insufficient or failure of monitoring and control:(a)monitoring of policy adherence;(b)monitoring of third-party service providers;(c)monitoring and verification of remediation of vulnerabilities;(d)identity and access management;(e)encryption and cryptography;(f)logging. | (a) | monitoring of policy adherence; | (b) | monitoring of third-party service providers; |
| (a) | monitoring of policy adherence; | ||||
| (b) | monitoring of third-party service providers; | ||||
| (c) | monitoring and verification of remediation of vulnerabilities; | ||||
| (d) | identity and access management; | ||||
| (e) | encryption and cryptography; | ||||
| (f) | logging. | ||||
| 2(c) | ICT risk management process failure:(a)failure in specifying accurate risk tolerance levels;(b)insufficient vulnerability and threat assessments;(c)inadequate risk treatment measures;(d)poor management of residual ICT risks. | (a) | failure in specifying accurate risk tolerance levels; | (b) | insufficient vulnerability and threat assessments; |
| (a) | failure in specifying accurate risk tolerance levels; | ||||
| (b) | insufficient vulnerability and threat assessments; | ||||
| (c) | inadequate risk treatment measures; | ||||
| (d) | poor management of residual ICT risks. | ||||
| 2(d) | Insufficient or failure of ICT operations and ICT security operations:(a)vulnerability and patch management;(b)change management;(c)capacity and performance management;(d)ICT asset management and information classification;(e)backup and restore;(f)error handling. | (a) | vulnerability and patch management; | (b) | change management; |
| (a) | vulnerability and patch management; | ||||
| (b) | change management; | ||||
| (c) | capacity and performance management; | ||||
| (d) | ICT asset management and information classification; | ||||
| (e) | backup and restore; | ||||
| (f) | error handling. | ||||
| 2(g) | Inadequate ICT Systems acquisition, development, and maintenance:(a)inadequate ICT Systems acquisition, development, and maintenance;(b)insufficient software testing or failure of software testing. | (a) | inadequate ICT Systems acquisition, development, and maintenance; | (b) | insufficient software testing or failure of software testing. |
| (a) | inadequate ICT Systems acquisition, development, and maintenance; | ||||
| (b) | insufficient software testing or failure of software testing. | ||||
| — | monitoring of policy adherence; | ||||
| — | monitoring of third-party service providers; | ||||
| — | monitoring and verification of remediation of vulnerabilities; | ||||
| — | identity and access management; | ||||
| — | encryption and cryptography; | ||||
| — | logging; | ||||
| — | failure in specifying accurate risk tolerance levels; | ||||
| — | insufficient vulnerability and threat assessments; | ||||
| — | inadequate risk treatment measures; | ||||
| — | poor management of residual ICT risks; | ||||
| — | vulnerability and patch management; | ||||
| — | change management; | ||||
| — | capacity and performance management; | ||||
| — | ICT asset management and information classification; | ||||
| — | backup and restore; | ||||
| — | error handling; | ||||
| — | inadequate ICT systems acquisition, development, and maintenance; | ||||
| — | insufficient or failure of software testing. | ||||
| 4.4.Other types of root cause types | 4.4. | Other types of root cause types | Financial entities that have selected ‘other’ type of root cause in data field 4.2 shall specify other types of root cause types | No | No |
| 4.4. | Other types of root cause types | ||||
| 4.5.Information about the root causes of the incident | 4.5. | Information about the root causes of the incident | Description of the sequence of events that led to the major ICT-related incident and description of how the major ICT-related incident has a similar apparent root cause if that incident is classified as a recurring incident, including a concise description of all underlying reasons and primary factors that contributed to the occurrence of the major ICT-related incident.Where there were malicious actions, description of the modus operandi of the malicious action, including the tactics, techniques and procedures used, as well as the entry vector of the major ICT-related incident, including a description of the investigations and analysis that led to the identification of the root causes, if applicable. | No | No |
| 4.5. | Information about the root causes of the incident | ||||
| 4.6.Incident resolution | 4.6. | Incident resolution | Additional information regarding the actions/measures taken/planned to permanently resolve the major ICT-related incident and to prevent that incident from happening again.Lessons learnt from the major ICT-related incident.The description shall contain the following points:1.Resolution actions description(a)Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);(b)for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;(c)indicate whether procedures have been adapted following the major ICT-related incident;(d)indicate any additional controls that were put in place or that are planned with related implementation timeline.Potential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently.2.Lessons learntFinancial entities shall describe findings from the post-incident review. | 1. | Resolution actions description(a)Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);(b)for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;(c)indicate whether procedures have been adapted following the major ICT-related incident;(d)indicate any additional controls that were put in place or that are planned with related implementation timeline.Potential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently. |
| 4.6. | Incident resolution | ||||
| 1. | Resolution actions description(a)Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);(b)for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;(c)indicate whether procedures have been adapted following the major ICT-related incident;(d)indicate any additional controls that were put in place or that are planned with related implementation timeline.Potential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently. | (a) | Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions); | (b) | for each action taken, indicate the potential involvement of a third-party provider and of the financial entity; |
| (a) | Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions); | ||||
| (b) | for each action taken, indicate the potential involvement of a third-party provider and of the financial entity; | ||||
| (c) | indicate whether procedures have been adapted following the major ICT-related incident; | ||||
| (d) | indicate any additional controls that were put in place or that are planned with related implementation timeline. | ||||
| 2. | Lessons learntFinancial entities shall describe findings from the post-incident review. | ||||
| 4.7.Date and time when the incident root cause was addressed | 4.7. | Date and time when the incident root cause was addressed | Date and time when the incident root cause was addressed. | No | No |
| 4.7. | Date and time when the incident root cause was addressed | ||||
| 4.8.Date and time when the incident was resolved | 4.8. | Date and time when the incident was resolved | Date and time when the incident was resolved. | No | No |
| 4.8. | Date and time when the incident was resolved | ||||
| 4.9.Information if the permanent resolution date of the incidents differs from the initially planned implementation date | 4.9. | Information if the permanent resolution date of the incidents differs from the initially planned implementation date | Descriptions of the reason why the permanent resolution date of the major ICT-related incidents is different from the initially planned implementation date, where applicable. | No | No |
| 4.9. | Information if the permanent resolution date of the incidents differs from the initially planned implementation date | ||||
| 4.10.Assessment of risk to critical functions for resolution purposes | 4.10. | Assessment of risk to critical functions for resolution purposes | Assessment of whether the major ICT-related incident poses a risk to critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU of the European Parliament and of the Council(2).Entities as referred to in Article 1(1) of Directive 2014/59/EU shall indicate whether the incident poses a risk to the critical functions within the meaning of Article 2(1), point (35), of Directive 2014/59/EU, and as reported in Template Z07.01 of Commission Implementing Regulation (EU) 2018/1624(3)and mapped to the specific entity in Template Z07.02. | No | No |
| 4.10. | Assessment of risk to critical functions for resolution purposes | ||||
| 4.11.Information relevant for resolution authorities | 4.11. | Information relevant for resolution authorities | Description of whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.Entities as referred to in Article 1(1) of Directive 2014/59/EU shall provide information on whether and, if so, how the major ICT-related incident has affected the resolvability of the entity or the group.Those entities shall also indicate whether the major ICT-related incident affects the solvency or liquidity of the financial entity and the potential quantification of the impact.Those entities shall also provide information on the impact on operational continuity, impact on resolvability of the entity, any additional impact on the costs and losses from the major ICT-related incident, including on the financial entity’s capital position, and whether the contractual arrangements on the use of ICT services are still robust and fully enforceable in the event of resolution of the entity. | No | No |
| 4.11. | Information relevant for resolution authorities | ||||
| 4.12.Materiality threshold for the classification criterion ‘Economic impact’ | 4.12. | Materiality threshold for the classification criterion ‘Economic impact’ | Detailed information about thresholds eventually reached by the major ICT-related incident in relation to the criterion ‘Economic impact’ referred to in Articles 7 and 14 of the Delegated Regulation (EU) 2024/1772. | No | No |
| 4.12. | Materiality threshold for the classification criterion ‘Economic impact’ | ||||
| 4.13.Amount of gross direct and indirect costs and losses | 4.13. | Amount of gross direct and indirect costs and losses | Total amount of gross direct and indirect costs and losses incurred by the financial entity stemming from the major ICT-related incident, including:(a)the amount of expropriated funds or financial assets for which the financial entity is liable;(b)the amount of replacement or relocation costs of software, hardware or infrastructure;(c)the amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff;(d)the amount of fees due to non-compliance with contractual obligations;(e)the amount of customer redress and compensation costs;(f)the amount of losses due to forgone revenues;(g)the amount of costs associated with internal and external communication;(h)the amount of advisory costs, including costs associated with legal counselling, forensic and remediation services;(i)the amount other costs and losses, including:(i)direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;(ii)provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident;(iii)pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;(iv)material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;(v)timing losses, where they span more than one financial accounting year and give rise to legal risk.Financial entities shall take into account in their assessment Article 7(1) and (2) of Delegated Regulation (EU) 2024/1772. Financial entities shall not include in this figure financial recoveries of any type.Financial entities shall report the monetary amount as a positive value.In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of costs and losses across all financial entities.Financial entities shall report the data point in units using a minimum precision equivalent to thousands of units. | (a) | the amount of expropriated funds or financial assets for which the financial entity is liable; |
| 4.13. | Amount of gross direct and indirect costs and losses | ||||
| (a) | the amount of expropriated funds or financial assets for which the financial entity is liable; | ||||
| (b) | the amount of replacement or relocation costs of software, hardware or infrastructure; | ||||
| (c) | the amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff; | ||||
| (d) | the amount of fees due to non-compliance with contractual obligations; | ||||
| (e) | the amount of customer redress and compensation costs; | ||||
| (f) | the amount of losses due to forgone revenues; | ||||
| (g) | the amount of costs associated with internal and external communication; | ||||
| (h) | the amount of advisory costs, including costs associated with legal counselling, forensic and remediation services; | ||||
| (i) | the amount other costs and losses, including:(i)direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;(ii)provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident;(iii)pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;(iv)material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;(v)timing losses, where they span more than one financial accounting year and give rise to legal risk. | (i) | direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident; | (ii) | provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident; |
| (i) | direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident; | ||||
| (ii) | provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident; | ||||
| (iii) | pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item; | ||||
| (iv) | material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time; | ||||
| (v) | timing losses, where they span more than one financial accounting year and give rise to legal risk. | ||||
| 4.14.Amount of financial recoveries | 4.14. | Amount of financial recoveries | Total amount of financial recoveries.Financial recoveries shall relate to the original loss caused by the incident, independently from the time when the financial recoveries in the form of funds or inflows of economic benefits are received.Financial entities shall report the monetary amount as a positive value.In the case of aggregated reporting as referred to in Article 7 of this Regulation, financial entities shall take into account the total amount of financial recoveries across all financial entities. | No | No |
| 4.14. | Amount of financial recoveries | ||||
| 4.15.Information on whether the non-major incidents have been recurring | 4.15. | Information on whether the non-major incidents have been recurring | Information on whether more than one non-major ICT-related incident have been recurring and are together considered to be a major incident within the meaning of Article 8(2) of Delegated Regulation (EU) 2024/1772.Financial entities shall indicate whether the non-major ICT-related incidents have been recurring and are together considered as one major ICT-related incident.Financial entities shall also indicate the number of occurrences of these non-major ICT-related incidents. | No | No |
| 4.15. | Information on whether the non-major incidents have been recurring | ||||
| 4.16.Date and time of occurrence of recurring incidents | 4.16. | Date and time of occurrence of recurring incidents | Where financial entities report recurring ICT-related incidents, date and time at which the first ICT-related incident has occurred. | No | No |
| 4.16. | Date and time of occurrence of recurring incidents |
Table 2 in anx_II
| 1.1. | Type of submission |
|---|
Table 3 in anx_II
| — | initial notification; |
|---|
Table 4 in anx_II
| — | intermediate report; |
|---|
Table 5 in anx_II
| — | final report; |
|---|
Table 6 in anx_II
| — | major incident reclassified as non-major. |
|---|
Table 7 in anx_II
| 1.2. | Name of the entity submitting the report |
|---|
Table 8 in anx_II
| 1.3. | Identification code of the entity submitting the report |
|---|
Table 9 in anx_II
| 1.4. | Type of the affected financial entity |
|---|
Table 10 in anx_II
| — | credit institution; |
|---|
Table 11 in anx_II
| — | payment institution; |
|---|
Table 12 in anx_II
| — | exempted payment institution; |
|---|
Table 13 in anx_II
| — | account information service provider; |
|---|
Table 14 in anx_II
| — | electronic money institution; |
|---|
Table 15 in anx_II
| — | exempted electronic money institution; |
|---|
Table 16 in anx_II
| — | investment firm; |
|---|
Table 17 in anx_II
| — | crypto-asset service provider; |
|---|
Table 18 in anx_II
| — | issuer of asset-referenced tokens; |
|---|
Table 19 in anx_II
| — | central securities depository; |
|---|
Table 20 in anx_II
| — | central counterparty; |
|---|
Table 21 in anx_II
| — | trading venue; |
|---|
Table 22 in anx_II
| — | trade repository; |
|---|
Table 23 in anx_II
| — | manager of alternative investment fund; |
|---|
Table 24 in anx_II
| — | management company; |
|---|
Table 25 in anx_II
| — | data reporting service provider; |
|---|
Table 26 in anx_II
| — | insurance and reinsurance undertaking; |
|---|
Table 27 in anx_II
| — | insurance intermediary, reinsurance intermediary and ancillary insurance intermediary; |
|---|
Table 28 in anx_II
| — | institution for occupational retirement provision; |
|---|
Table 29 in anx_II
| — | credit rating agency; |
|---|
Table 30 in anx_II
| — | administrator of critical benchmarks; |
|---|
Table 31 in anx_II
| — | crowdfunding service provider; |
|---|
Table 32 in anx_II
| — | securitisation repository. |
|---|
Table 33 in anx_II
| 1.5. | Name of the financial entity affected |
|---|
Table 34 in anx_II
| (a) | list of all names of the financial entities affected by the major ICT-related incident, separated by a semicolon; |
|---|
Table 35 in anx_II
| (b) | the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation, to list the names of all financial entities impacted by the incident, separated by a semicolon. |
|---|
Table 36 in anx_II
| 1.6. | LEI code of the financial entity affected |
|---|
Table 37 in anx_II
| (a) | a list of all LEI codes of the financial entities affected by the major ICT-related incident, separated by a semicolon. |
|---|
Table 38 in anx_II
| (b) | the third-party provider submitting a major incident notification or report in an aggregated manner as referred to in Article 7 of this Regulation to list the LEI codes of all financial entities impacted by the incident, separated by a semicolon. |
|---|
Table 39 in anx_II
| 1.7. | Primary contact person name |
|---|
Table 40 in anx_II
| 1.8. | Primary contact person email |
|---|
Table 41 in anx_II
| 1.9. | Primary contact person telephone |
|---|
Table 42 in anx_II
| 1.10. | Second contact person name |
|---|
Table 43 in anx_II
| 1.11. | Second contact person email |
|---|
Table 44 in anx_II
| 1.12. | Second contact person telephone |
|---|
Table 45 in anx_II
| 1.13. | Name of the ultimate parent undertaking |
|---|
Table 46 in anx_II
| 1.14. | LEI code of the ultimate parent undertaking |
|---|
Table 47 in anx_II
| 1.15. | Reporting currency |
|---|
Table 48 in anx_II
| 2.1. | Incident reference code assigned by the financial entity |
|---|
Table 49 in anx_II
| 2.2. | Date and time of detection of the ICT-related incident |
|---|
Table 50 in anx_II
| 2.3. | Date and time of classification of the incident as major |
|---|
Table 51 in anx_II
| 2.4. | Description of the ICT-related incident |
|---|
Table 52 in anx_II
| 2.5. | Classification criteria that triggered the incident report |
|---|
Table 53 in anx_II
| — | clients, financial counterparts and transactions affected; |
|---|
Table 54 in anx_II
| — | reputational impact; |
|---|
Table 55 in anx_II
| — | duration and service downtime; |
|---|
Table 56 in anx_II
| — | geographical spread; |
|---|
Table 57 in anx_II
| — | data losses; |
|---|
Table 58 in anx_II
| — | critical services affected; |
|---|
Table 59 in anx_II
| — | economic impact. |
|---|
Table 60 in anx_II
| 2.6. | Materiality thresholds for the classification criterion ‘Geographical spread’ |
|---|
Table 61 in anx_II
| 2.7. | Discovery of the major ICT-related incident |
|---|
Table 62 in anx_II
| — | IT Security; |
|---|
Table 63 in anx_II
| — | staff; |
|---|
Table 64 in anx_II
| — | internal audit; |
|---|
Table 65 in anx_II
| — | external audit; |
|---|
Table 66 in anx_II
| — | clients; |
|---|
Table 67 in anx_II
| — | financial counterparts; |
|---|
Table 68 in anx_II
| — | third-party provider; |
|---|
Table 69 in anx_II
| — | attacker; |
|---|
Table 70 in anx_II
| — | monitoring systems; |
|---|
Table 71 in anx_II
| — | authority/agency/ law enforcement body; |
|---|
Table 72 in anx_II
| — | other. |
|---|
Table 73 in anx_II
| 2.8. | Indication whether the incident originates from a third-party provider or another financial entity |
|---|
Table 74 in anx_II
| 2.9. | Activation of business continuity plan, if activated |
|---|
Table 75 in anx_II
| 2.10. | Other relevant information |
|---|
Table 76 in anx_II
| 3.1. | Incident reference code provided by the competent authority |
|---|
Table 77 in anx_II
| 3.2. | Date and time of occurrence of the incident |
|---|
Table 78 in anx_II
| 3.3. | Date and time when services, activities or operations have been recovered |
|---|
Table 79 in anx_II
| 3.4. | Number of clients affected |
|---|
Table 80 in anx_II
| 3.5. | Percentage of clients affected |
|---|
Table 81 in anx_II
| 3.6. | Number of financial counterparts affected |
|---|
Table 82 in anx_II
| 3.7. | Percentage of financial counterparts affected |
|---|
Table 83 in anx_II
| 3.8. | Impact on relevant clients or financial counterparts |
|---|
Table 84 in anx_II
| 3.9. | Number of affected transactions |
|---|
Table 85 in anx_II
| 3.10. | Percentage of affected transactions |
|---|
Table 86 in anx_II
| 3.11. | Value of affected transactions |
|---|
Table 87 in anx_II
| 3.12. | Information on whether the numbers are actual or estimates, or whether there has not been any impact |
|---|
Table 88 in anx_II
| — | actual figures for clients affected; |
|---|
Table 89 in anx_II
| — | actual figures for financial counterparts affected; |
|---|
Table 90 in anx_II
| — | actual figures for transactions affected; |
|---|
Table 91 in anx_II
| — | estimates for clients affected; |
|---|
Table 92 in anx_II
| — | estimates for financial counterparts affected; |
|---|
Table 93 in anx_II
| — | estimates for transactions affected; |
|---|
Table 94 in anx_II
| — | no impact on clients; |
|---|
Table 95 in anx_II
| — | no impact on financial counterparts; |
|---|
Table 96 in anx_II
| — | no impact on transactions. |
|---|
Table 97 in anx_II
| 3.13. | Reputational impact |
|---|
Table 98 in anx_II
| — | the major ICT-related incident has been reflected in the media; |
|---|
Table 99 in anx_II
| — | the major ICT-related incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships |
|---|
Table 100 in anx_II
| — | the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the major ICT-related incident; |
|---|
Table 101 in anx_II
| — | the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the major ICT-related incident. |
|---|
Table 102 in anx_II
| 3.14. | Contextual information about the reputational impact |
|---|
Table 103 in anx_II
| 3.15. | Duration of the incident |
|---|
Table 104 in anx_II
| 3.16. | Service downtime |
|---|
Table 105 in anx_II
| 3.17. | Information on whether the numbers for duration and service downtime are actual or estimates |
|---|
Table 106 in anx_II
| — | Actual figures; |
|---|
Table 107 in anx_II
| — | Estimates; |
|---|
Table 108 in anx_II
| — | Actual figures and estimates; |
|---|
Table 109 in anx_II
| — | No information available. |
|---|
Table 110 in anx_II
| 3.18. | Types of impact in the Member States |
|---|
Table 111 in anx_II
| (a) | clients and financial counterparts affected in other Member States; or |
|---|
Table 112 in anx_II
| (b) | branches or other financial entities within the group carrying out activities in other Member States; or |
|---|
Table 113 in anx_II
| (c) | financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services. |
|---|
Table 114 in anx_II
| — | clients; |
|---|
Table 115 in anx_II
| — | financial counterparts; |
|---|
Table 116 in anx_II
| — | branch of the financial entity; |
|---|
Table 117 in anx_II
| — | financial entities within the group carrying out activities in the respective Member State; |
|---|
Table 118 in anx_II
| — | financial market infrastructure; |
|---|
Table 119 in anx_II
| — | third-party providers that may be common to other financial entities. |
|---|
Table 120 in anx_II
| 3.19. | Description of how the incident has an impact in other Member States |
|---|
Table 121 in anx_II
| (a) | clients; |
|---|
Table 122 in anx_II
| (b) | financial counterparts; |
|---|
Table 123 in anx_II
| (c) | branches of the financial entity; |
|---|
Table 124 in anx_II
| (d) | other financial entities within the group carrying out activities in the respective Member State; |
|---|
Table 125 in anx_II
| (e) | financial market infrastructures; |
|---|
Table 126 in anx_II
| (f) | third-party providers that may be common to other financial entities as applicable in other Member State(s). |
|---|
Table 127 in anx_II
| 3.20. | Materiality thresholds for the classification criterion ‘Data losses’ |
|---|
Table 128 in anx_II
| — | availability; |
|---|
Table 129 in anx_II
| — | authenticity; |
|---|
Table 130 in anx_II
| — | integrity; |
|---|
Table 131 in anx_II
| — | confidentiality. |
|---|
Table 132 in anx_II
| 3.21. | Description of the data losses |
|---|
Table 133 in anx_II
| 3.22. | Classification criterion ‘Critical services affected’ |
|---|
Table 134 in anx_II
| — | the affected services or activities that require authorisation, registration or that are supervised by competent authorities; or |
|---|
Table 135 in anx_II
| — | the ICT services or network and information systems that support critical or important functions of the financial entity; and |
|---|
Table 136 in anx_II
| — | the nature of the malicious and unauthorised access to the network and information systems of the financial entity. |
|---|
Table 137 in anx_II
| 3.23. | Type of the incident |
|---|
Table 138 in anx_II
| — | Cybersecurity-related; |
|---|
Table 139 in anx_II
| — | Process failure; |
|---|
Table 140 in anx_II
| — | System failure; |
|---|
Table 141 in anx_II
| — | External event; |
|---|
Table 142 in anx_II
| — | Payment-related; |
|---|
Table 143 in anx_II
| — | Other (please specify). |
|---|
Table 144 in anx_II
| 3.24. | Other types of incidents |
|---|
Table 145 in anx_II
| 3.25. | Threats and techniques used by the threat actor |
|---|
Table 146 in anx_II
| (a) | social engineering, including phishing; |
|---|
Table 147 in anx_II
| (b) | (D)DoS; |
|---|
Table 148 in anx_II
| (c) | identity theft; |
|---|
Table 149 in anx_II
| (d) | data encryption for impact, including ransomware; |
|---|
Table 150 in anx_II
| (e) | resource hijacking; |
|---|
Table 151 in anx_II
| (f) | data exfiltration and manipulation, excluding identity theft; |
|---|
Table 152 in anx_II
| (g) | data destruction; |
|---|
Table 153 in anx_II
| (h) | defacement; |
|---|
Table 154 in anx_II
| (i) | supply-chain attack; |
|---|
Table 155 in anx_II
| (j) | other (please specify). |
|---|
Table 156 in anx_II
| — | Social engineering (including phishing); |
|---|
Table 157 in anx_II
| — | (D)DoS; |
|---|
Table 158 in anx_II
| — | Identity theft; |
|---|
Table 159 in anx_II
| — | Data encryption for impact, including ransomware; |
|---|
Table 160 in anx_II
| — | Resource hijacking; |
|---|
Table 161 in anx_II
| — | Data exfiltration and manipulation, including identity theft; |
|---|
Table 162 in anx_II
| — | Data destruction; |
|---|
Table 163 in anx_II
| — | Defacement; |
|---|
Table 164 in anx_II
| — | Supply-chain attack; |
|---|
Table 165 in anx_II
| — | Other (please specify). |
|---|
Table 166 in anx_II
| 3.26. | Other types of techniques |
|---|
Table 167 in anx_II
| 3.27. | Information about affected functional areas and business processes |
|---|
Table 168 in anx_II
| (a) | marketing and business development; |
|---|
Table 169 in anx_II
| (b) | customer service; |
|---|
Table 170 in anx_II
| (c) | product management; |
|---|
Table 171 in anx_II
| (d) | regulatory compliance; |
|---|
Table 172 in anx_II
| (e) | risk management; |
|---|
Table 173 in anx_II
| (f) | finance and accounting; |
|---|
Table 174 in anx_II
| (g) | HR and general services; |
|---|
Table 175 in anx_II
| (h) | information Technology. |
|---|
Table 176 in anx_II
| — | account information; |
|---|
Table 177 in anx_II
| — | actuarial services; |
|---|
Table 178 in anx_II
| — | acquiring of payment transactions; |
|---|
Table 179 in anx_II
| — | authentication/authorization; |
|---|
Table 180 in anx_II
| — | authority; |
|---|
Table 181 in anx_II
| — | client on-boarding; |
|---|
Table 182 in anx_II
| — | benefit administration; |
|---|
Table 183 in anx_II
| — | benefit payment management; |
|---|
Table 184 in anx_II
| — | buying and selling packaged insurances policies between insurances; |
|---|
Table 185 in anx_II
| — | card payments; |
|---|
Table 186 in anx_II
| — | cash management; |
|---|
Table 187 in anx_II
| — | cash placement or withdrawals; |
|---|
Table 188 in anx_II
| — | insurance claim management; |
|---|
Table 189 in anx_II
| — | claim process insurance; |
|---|
Table 190 in anx_II
| — | clearing; |
|---|
Table 191 in anx_II
| — | corporate loans conglomerates; |
|---|
Table 192 in anx_II
| — | collective insurances; |
|---|
Table 193 in anx_II
| — | credit transfers; |
|---|
Table 194 in anx_II
| — | custody and asset safekeeping; |
|---|
Table 195 in anx_II
| — | customer onboarding; |
|---|
Table 196 in anx_II
| — | data ingestion; |
|---|
Table 197 in anx_II
| — | data processing; |
|---|
Table 198 in anx_II
| — | direct debits; |
|---|
Table 199 in anx_II
| — | export insurances; |
|---|
Table 200 in anx_II
| — | finalizing trades/deals; |
|---|
Table 201 in anx_II
| — | financial instruments placing; |
|---|
Table 202 in anx_II
| — | fund accounting; |
|---|
Table 203 in anx_II
| — | FX money; |
|---|
Table 204 in anx_II
| — | investment advice; |
|---|
Table 205 in anx_II
| — | investment management; |
|---|
Table 206 in anx_II
| — | issuing of payment instruments; |
|---|
Table 207 in anx_II
| — | lending management; |
|---|
Table 208 in anx_II
| — | life insurance payments process; |
|---|
Table 209 in anx_II
| — | money remittance; |
|---|
Table 210 in anx_II
| — | net asset calculation; |
|---|
Table 211 in anx_II
| — | order; |
|---|
Table 212 in anx_II
| — | payment initiation; |
|---|
Table 213 in anx_II
| — | insurance underwriting; |
|---|
Table 214 in anx_II
| — | portfolio management; |
|---|
Table 215 in anx_II
| — | premium collection; |
|---|
Table 216 in anx_II
| — | reception/transmission/execution; |
|---|
Table 217 in anx_II
| — | reinsurance; |
|---|
Table 218 in anx_II
| — | settlement; |
|---|
Table 219 in anx_II
| — | transaction monitoring. |
|---|
Table 220 in anx_II
| 3.28. | Affected infrastructure components supporting business processes |
|---|
Table 221 in anx_II
| — | Yes; |
|---|
Table 222 in anx_II
| — | No; |
|---|
Table 223 in anx_II
| — | Information not available. |
|---|
Table 224 in anx_II
| 3.29. | Information about affected infrastructure components supporting business processes |
|---|
Table 225 in anx_II
| (a) | version information; |
|---|
Table 226 in anx_II
| (b) | internal infrastructure/partially outsourced/fully outsourced – third-party provider name; |
|---|
Table 227 in anx_II
| (c) | whether the infrastructure is used or shared across multiple business functions; |
|---|
Table 228 in anx_II
| (d) | relevant resilience/continuity/recovery/ substitutability arrangements in place. |
|---|
Table 229 in anx_II
| 3.30. | Impact on the financial interest of clients |
|---|
Table 230 in anx_II
| — | Yes; |
|---|
Table 231 in anx_II
| — | No; |
|---|
Table 232 in anx_II
| — | Information not available. |
|---|
Table 233 in anx_II
| 3.31. | Reporting to other authorities |
|---|
Table 234 in anx_II
| — | Police/Law Enforcement; |
|---|
Table 235 in anx_II
| — | CSIRT; |
|---|
Table 236 in anx_II
| — | Data Protection Authority; |
|---|
Table 237 in anx_II
| — | National Cybersecurity Agency; |
|---|
Table 238 in anx_II
| — | None; |
|---|
Table 239 in anx_II
| — | Other (please specify). |
|---|
Table 240 in anx_II
| 3.32. | Specification of ‘other’ authorities |
|---|
Table 241 in anx_II
| 3.33. | Temporary actions/measures taken or planned to be taken to recover from the incident |
|---|
Table 242 in anx_II
| 3.34. | Description of any temporary actions and measures taken or planned to be taken to recover from the incident |
|---|
Table 243 in anx_II
| 3.35. | Indicators of compromise |
|---|
Table 244 in anx_II
| (a) | IP addresses; |
|---|
Table 245 in anx_II
| (b) | URL addresses; |
|---|
Table 246 in anx_II
| (c) | domains; |
|---|
Table 247 in anx_II
| (d) | file hashes; |
|---|
Table 248 in anx_II
| (e) | malware data (malware name, file names and their locations, specific registry keys associated with malware activity); |
|---|
Table 249 in anx_II
| (f) | network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic); |
|---|
Table 250 in anx_II
| (g) | email message data (sender, recipient, subject, header, content); |
|---|
Table 251 in anx_II
| (h) | DNS requests and registry configurations; |
|---|
Table 252 in anx_II
| (i) | user account activities (logins, privileged user account activity, privilege escalation); |
|---|
Table 253 in anx_II
| (j) | database traffic (read/write), requests to the same file. |
|---|
Table 254 in anx_II
| 4.1. | High-level classification of root causes of the incident |
|---|
Table 255 in anx_II
| (a) | malicious actions; |
|---|
Table 256 in anx_II
| (b) | process failure; |
|---|
Table 257 in anx_II
| (c) | system failure/malfunction; |
|---|
Table 258 in anx_II
| (d) | human error; |
|---|
Table 259 in anx_II
| (e) | external event. |
|---|
Table 260 in anx_II
| — | malicious actions; |
|---|
Table 261 in anx_II
| — | process failure; |
|---|
Table 262 in anx_II
| — | system failure / malfunction; |
|---|
Table 263 in anx_II
| — | human error; |
|---|
Table 264 in anx_II
| — | external event. |
|---|
Table 265 in anx_II
| 4.2. | Detailed classification of root causes of the incident |
|---|
Table 266 in anx_II
| 1. | Malicious actions(if selected, choose one or more the following):(a)deliberate internal actions;(b)deliberate physical damage/manipulation/theft;(c)fraudulent actions. | (a) | deliberate internal actions; | (b) | deliberate physical damage/manipulation/theft; | (c) | fraudulent actions. |
|---|---|---|---|---|---|---|---|
| (a) | deliberate internal actions; | ||||||
| (b) | deliberate physical damage/manipulation/theft; | ||||||
| (c) | fraudulent actions. |
Table 267 in anx_II
| (a) | deliberate internal actions; |
|---|
Table 268 in anx_II
| (b) | deliberate physical damage/manipulation/theft; |
|---|
Table 269 in anx_II
| (c) | fraudulent actions. |
|---|
Table 270 in anx_II
| 2. | Process failure(if selected, choose one or more the following):(a)insufficient monitoring or failure of monitoring and control;(b)insufficient/unclear roles and responsibilities;(c)ICT risk management process failure;(d)insufficient or failure of ICT operations and ICT security operations;(e)insufficient or failure of ICT project management;(f)inadequate internal policies, procedures and documentation;(g)inadequate ICT systems acquisition, development, or maintenance;(h)other (please specify). | (a) | insufficient monitoring or failure of monitoring and control; | (b) | insufficient/unclear roles and responsibilities; | (c) | ICT risk management process failure; | (d) | insufficient or failure of ICT operations and ICT security operations; | (e) | insufficient or failure of ICT project management; | (f) | inadequate internal policies, procedures and documentation; | (g) | inadequate ICT systems acquisition, development, or maintenance; | (h) | other (please specify). |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (a) | insufficient monitoring or failure of monitoring and control; | ||||||||||||||||
| (b) | insufficient/unclear roles and responsibilities; | ||||||||||||||||
| (c) | ICT risk management process failure; | ||||||||||||||||
| (d) | insufficient or failure of ICT operations and ICT security operations; | ||||||||||||||||
| (e) | insufficient or failure of ICT project management; | ||||||||||||||||
| (f) | inadequate internal policies, procedures and documentation; | ||||||||||||||||
| (g) | inadequate ICT systems acquisition, development, or maintenance; | ||||||||||||||||
| (h) | other (please specify). |
Table 271 in anx_II
| (a) | insufficient monitoring or failure of monitoring and control; |
|---|
Table 272 in anx_II
| (b) | insufficient/unclear roles and responsibilities; |
|---|
Table 273 in anx_II
| (c) | ICT risk management process failure; |
|---|
Table 274 in anx_II
| (d) | insufficient or failure of ICT operations and ICT security operations; |
|---|
Table 275 in anx_II
| (e) | insufficient or failure of ICT project management; |
|---|
Table 276 in anx_II
| (f) | inadequate internal policies, procedures and documentation; |
|---|
Table 277 in anx_II
| (g) | inadequate ICT systems acquisition, development, or maintenance; |
|---|
Table 278 in anx_II
| (h) | other (please specify). |
|---|
Table 279 in anx_II
| 3. | System failure/malfunction(if selected, choose one or more the following):(a)hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements;(b)hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’;(c)hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components;(d)software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality;(e)software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system;(f)network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication;(g)physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures;(h)other (please specify). | (a) | hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements; | (b) | hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’; | (c) | hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components; | (d) | software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality; | (e) | software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system; | (f) | network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication; | (g) | physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures; | (h) | other (please specify). |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (a) | hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements; | ||||||||||||||||
| (b) | hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’; | ||||||||||||||||
| (c) | hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components; | ||||||||||||||||
| (d) | software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality; | ||||||||||||||||
| (e) | software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system; | ||||||||||||||||
| (f) | network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication; | ||||||||||||||||
| (g) | physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures; | ||||||||||||||||
| (h) | other (please specify). |
Table 280 in anx_II
| (a) | hardware capacity and performance: major ICT-related incidents caused by hardware resources which prove inadequate in terms of capacity or performance to fulfil the applicable legislative requirements; |
|---|
Table 281 in anx_II
| (b) | hardware maintenance: major ICT-related incidents resulting from inadequate or insufficient maintenance of hardware components, other than ‘Hardware obsolescence/ageing’; |
|---|
Table 282 in anx_II
| (c) | hardware obsolescence/ageing: this root cause type involves major ICT-related incidents resulting from outdated or aging hardware components; |
|---|
Table 283 in anx_II
| (d) | software compatibility/configuration: major ICT-related incidents caused by software components that are incompatible with other software or system configurations, including major ICT-related incidents resulting from software conflicts, incorrect settings, or misconfigured parameters that impact the overall system functionality; |
|---|
Table 284 in anx_II
| (e) | software performance: major ICT-related incidents resulting from software components that exhibit poor performance or inefficiencies, for reasons other than those specified under ‘Software compatibility/configuration’, including major ICT-related incidents caused by slow response times, excessive resource consumption, or inefficient query execution impacting the performance of the software or system; |
|---|
Table 285 in anx_II
| (f) | network configuration: major ICT-related incidents resulting from incorrect or misconfigured network settings or infrastructure, including major ICT-related incidents caused by network configuration errors, routing issues, firewall misconfigurations, or other network-related problems affecting connectivity or communication; |
|---|
Table 286 in anx_II
| (g) | physical damage: major ICT-related incidents caused by physical damage to ICT infrastructure which lead to system failures; |
|---|
Table 287 in anx_II
| (h) | other (please specify). |
|---|
Table 288 in anx_II
| 4. | Human error(if selected, choose one or more the following):(a)omission (unintentional);(b)mistake;(c)skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges;(d)inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands;(e)miscommunication;(f)other (please specify). | (a) | omission (unintentional); | (b) | mistake; | (c) | skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges; | (d) | inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands; | (e) | miscommunication; | (f) | other (please specify). |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (a) | omission (unintentional); | ||||||||||||
| (b) | mistake; | ||||||||||||
| (c) | skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges; | ||||||||||||
| (d) | inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands; | ||||||||||||
| (e) | miscommunication; | ||||||||||||
| (f) | other (please specify). |
Table 289 in anx_II
| (a) | omission (unintentional); |
|---|
Table 290 in anx_II
| (b) | mistake; |
|---|
Table 291 in anx_II
| (c) | skills & knowledge: major ICT-related incidents resulting from a lack of expertise or proficiency in handling ICT systems or processes that may be caused by inadequate training, insufficient knowledge, or gaps in skills required to perform specific tasks or address technical challenges; |
|---|
Table 292 in anx_II
| (d) | inadequate human resources: major ICT-related incidents caused by a lack of necessary resources, including hardware, software, infrastructure, or personnel, and including situations where insufficient resources lead to operational inefficiencies, system failures, or an inability to meet business demands; |
|---|
Table 293 in anx_II
| (e) | miscommunication; |
|---|
Table 294 in anx_II
| (f) | other (please specify). |
|---|
Table 295 in anx_II
| 5. | External event(if selected, choose one or more the following):(a)natural disasters/force majeure;(b)third-party failures;(c)other (please specify). | (a) | natural disasters/force majeure; | (b) | third-party failures; | (c) | other (please specify). |
|---|---|---|---|---|---|---|---|
| (a) | natural disasters/force majeure; | ||||||
| (b) | third-party failures; | ||||||
| (c) | other (please specify). |
Table 296 in anx_II
| (a) | natural disasters/force majeure; |
|---|
Table 297 in anx_II
| (b) | third-party failures; |
|---|
Table 298 in anx_II
| (c) | other (please specify). |
|---|
Table 299 in anx_II
| — | malicious actions: deliberate internal actions; |
|---|
Table 300 in anx_II
| — | malicious actions: deliberate physical damage/manipulation/theft; |
|---|
Table 301 in anx_II
| — | malicious actions: fraudulent actions; |
|---|
Table 302 in anx_II
| — | process failure: insufficient monitoring or failure of monitoring and control; |
|---|
Table 303 in anx_II
| — | process failure:insufficient/unclear roles and responsibilities; |
|---|
Table 304 in anx_II
| — | process failure: ICT risk management process failure; |
|---|
Table 305 in anx_II
| — | process failure: insufficient or failure of ICT operations and ICT security operations; |
|---|
Table 306 in anx_II
| — | process failure: insufficient or failure of ICT project management; |
|---|
Table 307 in anx_II
| — | process failure: inadequacy of internal policies, procedures and documentation; |
|---|
Table 308 in anx_II
| — | Process failure: inadequate ICT systems acquisition, development, and maintenance; |
|---|
Table 309 in anx_II
| — | process failure: other (please specify); |
|---|
Table 310 in anx_II
| — | system failure: hardware capacity and performance; |
|---|
Table 311 in anx_II
| — | system failure: hardware maintenance; |
|---|
Table 312 in anx_II
| — | system failure: hardware obsolescence/ageing; |
|---|
Table 313 in anx_II
| — | system failure: software compatibility/configuration; |
|---|
Table 314 in anx_II
| — | system failure: software performance; |
|---|
Table 315 in anx_II
| — | system failure: network configuration; |
|---|
Table 316 in anx_II
| — | system failure: physical damage; |
|---|
Table 317 in anx_II
| — | system failure: other (please specify); |
|---|
Table 318 in anx_II
| — | human error: omission; |
|---|
Table 319 in anx_II
| — | human error: mistake; |
|---|
Table 320 in anx_II
| — | human error: skills & knowledge; |
|---|
Table 321 in anx_II
| — | human error: inadequate human resources; |
|---|
Table 322 in anx_II
| — | human error miscommunication; |
|---|
Table 323 in anx_II
| — | human error: other (please specify); |
|---|
Table 324 in anx_II
| — | external event: natural disasters/force majeure; |
|---|
Table 325 in anx_II
| — | external event: third-party failures; |
|---|
Table 326 in anx_II
| — | external event: other (please specify). |
|---|
Table 327 in anx_II
| 4.3. | Additional classification of root causes of the incident |
|---|
Table 328 in anx_II
| 2(a) | Insufficient or failure of monitoring and control:(a)monitoring of policy adherence;(b)monitoring of third-party service providers;(c)monitoring and verification of remediation of vulnerabilities;(d)identity and access management;(e)encryption and cryptography;(f)logging. | (a) | monitoring of policy adherence; | (b) | monitoring of third-party service providers; | (c) | monitoring and verification of remediation of vulnerabilities; | (d) | identity and access management; | (e) | encryption and cryptography; | (f) | logging. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (a) | monitoring of policy adherence; | ||||||||||||
| (b) | monitoring of third-party service providers; | ||||||||||||
| (c) | monitoring and verification of remediation of vulnerabilities; | ||||||||||||
| (d) | identity and access management; | ||||||||||||
| (e) | encryption and cryptography; | ||||||||||||
| (f) | logging. |
Table 329 in anx_II
| (a) | monitoring of policy adherence; |
|---|
Table 330 in anx_II
| (b) | monitoring of third-party service providers; |
|---|
Table 331 in anx_II
| (c) | monitoring and verification of remediation of vulnerabilities; |
|---|
Table 332 in anx_II
| (d) | identity and access management; |
|---|
Table 333 in anx_II
| (e) | encryption and cryptography; |
|---|
Table 334 in anx_II
| (f) | logging. |
|---|
Table 335 in anx_II
| 2(c) | ICT risk management process failure:(a)failure in specifying accurate risk tolerance levels;(b)insufficient vulnerability and threat assessments;(c)inadequate risk treatment measures;(d)poor management of residual ICT risks. | (a) | failure in specifying accurate risk tolerance levels; | (b) | insufficient vulnerability and threat assessments; | (c) | inadequate risk treatment measures; | (d) | poor management of residual ICT risks. |
|---|---|---|---|---|---|---|---|---|---|
| (a) | failure in specifying accurate risk tolerance levels; | ||||||||
| (b) | insufficient vulnerability and threat assessments; | ||||||||
| (c) | inadequate risk treatment measures; | ||||||||
| (d) | poor management of residual ICT risks. |
Table 336 in anx_II
| (a) | failure in specifying accurate risk tolerance levels; |
|---|
Table 337 in anx_II
| (b) | insufficient vulnerability and threat assessments; |
|---|
Table 338 in anx_II
| (c) | inadequate risk treatment measures; |
|---|
Table 339 in anx_II
| (d) | poor management of residual ICT risks. |
|---|
Table 340 in anx_II
| 2(d) | Insufficient or failure of ICT operations and ICT security operations:(a)vulnerability and patch management;(b)change management;(c)capacity and performance management;(d)ICT asset management and information classification;(e)backup and restore;(f)error handling. | (a) | vulnerability and patch management; | (b) | change management; | (c) | capacity and performance management; | (d) | ICT asset management and information classification; | (e) | backup and restore; | (f) | error handling. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (a) | vulnerability and patch management; | ||||||||||||
| (b) | change management; | ||||||||||||
| (c) | capacity and performance management; | ||||||||||||
| (d) | ICT asset management and information classification; | ||||||||||||
| (e) | backup and restore; | ||||||||||||
| (f) | error handling. |
Table 341 in anx_II
| (a) | vulnerability and patch management; |
|---|
Table 342 in anx_II
| (b) | change management; |
|---|
Table 343 in anx_II
| (c) | capacity and performance management; |
|---|
Table 344 in anx_II
| (d) | ICT asset management and information classification; |
|---|
Table 345 in anx_II
| (e) | backup and restore; |
|---|
Table 346 in anx_II
| (f) | error handling. |
|---|
Table 347 in anx_II
| 2(g) | Inadequate ICT Systems acquisition, development, and maintenance:(a)inadequate ICT Systems acquisition, development, and maintenance;(b)insufficient software testing or failure of software testing. | (a) | inadequate ICT Systems acquisition, development, and maintenance; | (b) | insufficient software testing or failure of software testing. |
|---|---|---|---|---|---|
| (a) | inadequate ICT Systems acquisition, development, and maintenance; | ||||
| (b) | insufficient software testing or failure of software testing. |
Table 348 in anx_II
| (a) | inadequate ICT Systems acquisition, development, and maintenance; |
|---|
Table 349 in anx_II
| (b) | insufficient software testing or failure of software testing. |
|---|
Table 350 in anx_II
| — | monitoring of policy adherence; |
|---|
Table 351 in anx_II
| — | monitoring of third-party service providers; |
|---|
Table 352 in anx_II
| — | monitoring and verification of remediation of vulnerabilities; |
|---|
Table 353 in anx_II
| — | identity and access management; |
|---|
Table 354 in anx_II
| — | encryption and cryptography; |
|---|
Table 355 in anx_II
| — | logging; |
|---|
Table 356 in anx_II
| — | failure in specifying accurate risk tolerance levels; |
|---|
Table 357 in anx_II
| — | insufficient vulnerability and threat assessments; |
|---|
Table 358 in anx_II
| — | inadequate risk treatment measures; |
|---|
Table 359 in anx_II
| — | poor management of residual ICT risks; |
|---|
Table 360 in anx_II
| — | vulnerability and patch management; |
|---|
Table 361 in anx_II
| — | change management; |
|---|
Table 362 in anx_II
| — | capacity and performance management; |
|---|
Table 363 in anx_II
| — | ICT asset management and information classification; |
|---|
Table 364 in anx_II
| — | backup and restore; |
|---|
Table 365 in anx_II
| — | error handling; |
|---|
Table 366 in anx_II
| — | inadequate ICT systems acquisition, development, and maintenance; |
|---|
Table 367 in anx_II
| — | insufficient or failure of software testing. |
|---|
Table 368 in anx_II
| 4.4. | Other types of root cause types |
|---|
Table 369 in anx_II
| 4.5. | Information about the root causes of the incident |
|---|
Table 370 in anx_II
| 4.6. | Incident resolution |
|---|
Table 371 in anx_II
| 1. | Resolution actions description(a)Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions);(b)for each action taken, indicate the potential involvement of a third-party provider and of the financial entity;(c)indicate whether procedures have been adapted following the major ICT-related incident;(d)indicate any additional controls that were put in place or that are planned with related implementation timeline.Potential issues identified regarding the robustness of the IT systems impacted /or in terms of the procedures or controls in place, if applicable.Financial entities shall clearly indicate how the envisaged remediation actions will address the identified root causes and when the major ICT-related incident is expected to be resolved permanently. | (a) | Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions); | (b) | for each action taken, indicate the potential involvement of a third-party provider and of the financial entity; | (c) | indicate whether procedures have been adapted following the major ICT-related incident; | (d) | indicate any additional controls that were put in place or that are planned with related implementation timeline. |
|---|---|---|---|---|---|---|---|---|---|
| (a) | Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions); | ||||||||
| (b) | for each action taken, indicate the potential involvement of a third-party provider and of the financial entity; | ||||||||
| (c) | indicate whether procedures have been adapted following the major ICT-related incident; | ||||||||
| (d) | indicate any additional controls that were put in place or that are planned with related implementation timeline. |
Table 372 in anx_II
| (a) | Actions taken to permanently resolve the major ICT-related incident (excluding any temporary actions); |
|---|
Table 373 in anx_II
| (b) | for each action taken, indicate the potential involvement of a third-party provider and of the financial entity; |
|---|
Table 374 in anx_II
| (c) | indicate whether procedures have been adapted following the major ICT-related incident; |
|---|
Table 375 in anx_II
| (d) | indicate any additional controls that were put in place or that are planned with related implementation timeline. |
|---|
Table 376 in anx_II
| 2. | Lessons learntFinancial entities shall describe findings from the post-incident review. |
|---|
Table 377 in anx_II
| 4.7. | Date and time when the incident root cause was addressed |
|---|
Table 378 in anx_II
| 4.8. | Date and time when the incident was resolved |
|---|
Table 379 in anx_II
| 4.9. | Information if the permanent resolution date of the incidents differs from the initially planned implementation date |
|---|
Table 380 in anx_II
| 4.10. | Assessment of risk to critical functions for resolution purposes |
|---|
Table 381 in anx_II
| 4.11. | Information relevant for resolution authorities |
|---|
Table 382 in anx_II
| 4.12. | Materiality threshold for the classification criterion ‘Economic impact’ |
|---|
Table 383 in anx_II
| 4.13. | Amount of gross direct and indirect costs and losses |
|---|
Table 384 in anx_II
| (a) | the amount of expropriated funds or financial assets for which the financial entity is liable; |
|---|
Table 385 in anx_II
| (b) | the amount of replacement or relocation costs of software, hardware or infrastructure; |
|---|
Table 386 in anx_II
| (c) | the amount of staff costs, including costs associated to replacing or relocating staff, hiring extra staff, remuneration of overtime and recovering lost or impaired skills of staff; |
|---|
Table 387 in anx_II
| (d) | the amount of fees due to non-compliance with contractual obligations; |
|---|
Table 388 in anx_II
| (e) | the amount of customer redress and compensation costs; |
|---|
Table 389 in anx_II
| (f) | the amount of losses due to forgone revenues; |
|---|
Table 390 in anx_II
| (g) | the amount of costs associated with internal and external communication; |
|---|
Table 391 in anx_II
| (h) | the amount of advisory costs, including costs associated with legal counselling, forensic and remediation services; |
|---|
Table 392 in anx_II
| (i) | the amount other costs and losses, including:(i)direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident;(ii)provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident;(iii)pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item;(iv)material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time;(v)timing losses, where they span more than one financial accounting year and give rise to legal risk. | (i) | direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident; | (ii) | provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident; | (iii) | pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item; | (iv) | material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time; | (v) | timing losses, where they span more than one financial accounting year and give rise to legal risk. |
|---|---|---|---|---|---|---|---|---|---|---|---|
| (i) | direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident; | ||||||||||
| (ii) | provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident; | ||||||||||
| (iii) | pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item; | ||||||||||
| (iv) | material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time; | ||||||||||
| (v) | timing losses, where they span more than one financial accounting year and give rise to legal risk. |
Table 393 in anx_II
| (i) | direct charges, including impairments and settlement charges, to the profit and loss account and write-downs due to the major ICT-related incident; |
|---|
Table 394 in anx_II
| (ii) | provisions or reserves accounted for in the profit and loss account against probable losses related to the major ICT-related incident; |
|---|
Table 395 in anx_II
| (iii) | pending losses, in the form of losses stemming from the major ICT-related incident, which are temporarily booked in transitory or suspense accounts and are not yet reflected in the profit and loss which are planned to be included within a time period commensurate to the size and age of the pending item; |
|---|
Table 396 in anx_II
| (iv) | material uncollected revenues, related to contractual obligations with third parties, including the decision to compensate a client following the major ICT-related incident, rather than by a reimbursement or direct payment, through a revenue adjustment waiving or reducing contractual fees for a specific future period of time; |
|---|
Table 397 in anx_II
| (v) | timing losses, where they span more than one financial accounting year and give rise to legal risk. |
|---|
Table 398 in anx_II
| 4.14. | Amount of financial recoveries |
|---|
Table 399 in anx_II
| 4.15. | Information on whether the non-major incidents have been recurring |
|---|
Table 400 in anx_II
| 4.16. | Date and time of occurrence of recurring incidents |
|---|
Table 1 in anx_III
| Number of field | Data field | |
|---|---|---|
| 1 | Name of the entity submitting the notification | |
| 2 | Identification code of the entity submitting the notification | |
| 3 | Type of the financial entity submitting the notification | |
| 4 | Name of the financial entity | |
| 5 | LEI code of the financial entity | |
| 6 | Primary contact person name | |
| 7 | Primary contact person email | |
| 8 | Primary contact person telephone | |
| 9 | Second contact person name | |
| 10 | Second contact person email | |
| 11 | Second contact person telephone | |
| 12 | Date and time of detection of the cyber threat | |
| 13 | Description of the significant cyber threat | |
| 14 | Information about potential impact | |
| 15 | Potential incident classification criteria | |
| 16 | Status of the cyber threat | |
| 17 | Actions taken to prevent materialisation | |
| 18 | Notification to other stakeholders | |
| 19 | Indicators of compromise | |
| 20 | Other relevant information |
Table 1 in anx_IV
| Data field | Description | Mandatory field | Field type |
|---|---|---|---|
| 1.Name of the entity submitting the notification | 1. | Name of the entity submitting the notification | Full legal name of the entity submitting the notification. |
| 1. | Name of the entity submitting the notification | ||
| 2.Identification code of the entity submitting the notification | 2. | Identification code of the entity submitting the notification | Identification code of the entity submitting the notification.Where financial entities submit the notification/report, the identification code shall be a Legal Entity Identifier (LEI), which is a unique 20 alphanumeric character code, based on ISO 17442-1:2020.Where a third-party provider submits a report for a financial entity, it may use an identification code as specified in the implementing technical standards adopted pursuant to Article 28(9) of Regulation (EU) 2022/2554. |
| 2. | Identification code of the entity submitting the notification | ||
| 3.Type of financial entity submitting the report | 3. | Type of financial entity submitting the report | Type of the entity referred to in Article 2(1), points (a) to (t) of Regulation (EU) 2022/2554 submitting the report. |
| 3. | Type of financial entity submitting the report | ||
| — | credit institution; | ||
| — | payment institution; | ||
| — | exempted payment institution; | ||
| — | account information service provider; | ||
| — | electronic money institution; | ||
| — | exempted electronic money institution; | ||
| — | investment firm; | ||
| — | crypto-asset service provider; | ||
| — | issuer of asset-referenced tokens; | ||
| — | central securities depository; | ||
| — | central counterparty; | ||
| — | trading venue; | ||
| — | trade repository; | ||
| — | manager of alternative investment fund; | ||
| — | management company; | ||
| — | data reporting service provider; | ||
| — | insurance and reinsurance undertaking; | ||
| — | insurance intermediary, reinsurance intermediary and ancillary insurance intermediary; | ||
| — | institution for occupational retirement provision; | ||
| — | credit rating agency; | ||
| — | administrator of critical benchmarks; | ||
| — | crowdfunding service provider; | ||
| — | securitisation repository. | ||
| 4.Name of the financial entity | 4. | Name of the financial entity | Full legal name of the financial entity notifying the significant cyber threat. |
| 4. | Name of the financial entity | ||
| 5.LEI code of the financial entity | 5. | LEI code of the financial entity | Legal Entity Identifier (LEI) of the financial entity notifying the significant cyber threat, assigned in accordance with the International Organisation for Standardisation. |
| 5. | LEI code of the financial entity | ||
| 6.Primary contact person name | 6. | Primary contact person name | Name and surname of the primary contact person of the financial entity. |
| 6. | Primary contact person name | ||
| 7.Primary contact person email | 7. | Primary contact person email | Email address of the primary contact person that can be used by the competent authority for follow-up communication. |
| 7. | Primary contact person email | ||
| 8.Primary contact person telephone | 8. | Primary contact person telephone | The telephone number of the primary contact person that can be used by the competent authority for follow-up communication.The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX) |
| 8. | Primary contact person telephone | ||
| 9.Second contact person name | 9. | Second contact person name | Name and surname of the second contact person of the financial entity or an entity submitting the notification on behalf of the financial entity, where available. |
| 9. | Second contact person name | ||
| 10.Second contact person email | 10. | Second contact person email | Email address of the second contact person or a functional email address of the team that can be used by the competent authority for follow-up communication, where available. |
| 10. | Second contact person email | ||
| 11.Second contact person telephone | 11. | Second contact person telephone | The telephone number of the second contact person that can be used by the competent authority for follow-up communication, where available.The telephone number shall be reported with all international prefixes (e.g. +33XXXXXXXXX). |
| 11. | Second contact person telephone | ||
| 12.Date and time of detection of the cyber threat | 12. | Date and time of detection of the cyber threat | Date and time at which the financial entity has become aware of the significant cyber threat. |
| 12. | Date and time of detection of the cyber threat | ||
| 13.Description of the significant cyber threat | 13. | Description of the significant cyber threat | Description of the most relevant aspects of the significant cyber threat.Financial entities shall provide:(a)a high-level overview of the most relevant aspects of the significant cyber threat;(b)the related risks arising from it, including potential vulnerabilities of the systems of the financial entity that can be exploited;(c)information about the probability of materialisation of the significant cyber threat; and(d)information about the source of information about the cyber threat. |
| 13. | Description of the significant cyber threat | ||
| (a) | a high-level overview of the most relevant aspects of the significant cyber threat; | ||
| (b) | the related risks arising from it, including potential vulnerabilities of the systems of the financial entity that can be exploited; | ||
| (c) | information about the probability of materialisation of the significant cyber threat; and | ||
| (d) | information about the source of information about the cyber threat. | ||
| 14.Information about potential impact | 14. | Information about potential impact | Information about the potential impact of the cyber threat on the financial entity, its clients or financial counterparts if the cyber threat has materialised |
| 14. | Information about potential impact | ||
| 15.Potential incident classification criteria | 15. | Potential incident classification criteria | The classification criteria that could have triggered a major incident report if the cyber threat had materialised. |
| 15. | Potential incident classification criteria | ||
| — | clients, financial counterparts and transactions affected; | ||
| — | reputational impact; | ||
| — | duration and service downtime; | ||
| — | geographical spread; | ||
| — | data losses; | ||
| — | critical services affected; | ||
| — | economic impact. | ||
| 16.Status of the cyber threat | 16. | Status of the cyber threat | Information about the status of the cyber threat for the financial entity and whether there have been any changes in the threat activity.Where the cyber threat has stopped communicating with the financial entity’s information systems, the status can be marked as inactive. If the financial entity has information that the threat remains active against other parties or the financial system as a whole, the status shall be marked as active. |
| 16. | Status of the cyber threat | ||
| — | active; | ||
| — | inactive. | ||
| 17.Actions taken to prevent materialisation | 17. | Actions taken to prevent materialisation | High-level information about the actions taken by the financial entity to prevent the materialisation of the significant cyber threats, if applicable. |
| 17. | Actions taken to prevent materialisation | ||
| 18.Notification to other stakeholders | 18. | Notification to other stakeholders | Information about notification of the cyber threat to other financial entities or authorities. |
| 18. | Notification to other stakeholders | ||
| 19.Indicators of compromise | 19. | Indicators of compromise | Information related to the significant threat that may help identify malicious activity within a network or information system (Indicators of Compromise, or IoC), where applicable.The IoC provided by the financial entity may include, but is not to be limited to, the following categories of data:(a)IP addresses;(b)URL addresses;(c)domains;(d)file hashes;(e)malware data (malware name, file names and their locations, specific registry keys associated with malware activity);(f)network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic);(g)email message data (sender, recipient, subject, header, content);(h)DNS requests and registry configurations;(i)user account activities (logins, privileged user account activity, privilege escalation);(j)database traffic (read/write), requests to the same file.This type of information may include data relating to indicators describing patterns in network traffic corresponding to known attacks/botnet communications, IP addresses of machines infected with malware (bots), data relating to ‘command and control’ servers used by malware (usually domains or IP addresses), and URLs relating to phishing sites or websites observed hosting malware or exploit kits. |
| 19. | Indicators of compromise | ||
| (a) | IP addresses; | ||
| (b) | URL addresses; | ||
| (c) | domains; | ||
| (d) | file hashes; | ||
| (e) | malware data (malware name, file names and their locations, specific registry keys associated with malware activity); | ||
| (f) | network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic); | ||
| (g) | email message data (sender, recipient, subject, header, content); | ||
| (h) | DNS requests and registry configurations; | ||
| (i) | user account activities (logins, privileged user account activity, privilege escalation); | ||
| (j) | database traffic (read/write), requests to the same file. | ||
| 20.Other relevant information | 20. | Other relevant information | Any other relevant information about the significant cyber threat |
| 20. | Other relevant information |
Table 2 in anx_IV
| 1. | Name of the entity submitting the notification |
|---|
Table 3 in anx_IV
| 2. | Identification code of the entity submitting the notification |
|---|
Table 4 in anx_IV
| 3. | Type of financial entity submitting the report |
|---|
Table 5 in anx_IV
| — | credit institution; |
|---|
Table 6 in anx_IV
| — | payment institution; |
|---|
Table 7 in anx_IV
| — | exempted payment institution; |
|---|
Table 8 in anx_IV
| — | account information service provider; |
|---|
Table 9 in anx_IV
| — | electronic money institution; |
|---|
Table 10 in anx_IV
| — | exempted electronic money institution; |
|---|
Table 11 in anx_IV
| — | investment firm; |
|---|
Table 12 in anx_IV
| — | crypto-asset service provider; |
|---|
Table 13 in anx_IV
| — | issuer of asset-referenced tokens; |
|---|
Table 14 in anx_IV
| — | central securities depository; |
|---|
Table 15 in anx_IV
| — | central counterparty; |
|---|
Table 16 in anx_IV
| — | trading venue; |
|---|
Table 17 in anx_IV
| — | trade repository; |
|---|
Table 18 in anx_IV
| — | manager of alternative investment fund; |
|---|
Table 19 in anx_IV
| — | management company; |
|---|
Table 20 in anx_IV
| — | data reporting service provider; |
|---|
Table 21 in anx_IV
| — | insurance and reinsurance undertaking; |
|---|
Table 22 in anx_IV
| — | insurance intermediary, reinsurance intermediary and ancillary insurance intermediary; |
|---|
Table 23 in anx_IV
| — | institution for occupational retirement provision; |
|---|
Table 24 in anx_IV
| — | credit rating agency; |
|---|
Table 25 in anx_IV
| — | administrator of critical benchmarks; |
|---|
Table 26 in anx_IV
| — | crowdfunding service provider; |
|---|
Table 27 in anx_IV
| — | securitisation repository. |
|---|
Table 28 in anx_IV
| 4. | Name of the financial entity |
|---|
Table 29 in anx_IV
| 5. | LEI code of the financial entity |
|---|
Table 30 in anx_IV
| 6. | Primary contact person name |
|---|
Table 31 in anx_IV
| 7. | Primary contact person email |
|---|
Table 32 in anx_IV
| 8. | Primary contact person telephone |
|---|
Table 33 in anx_IV
| 9. | Second contact person name |
|---|
Table 34 in anx_IV
| 10. | Second contact person email |
|---|
Table 35 in anx_IV
| 11. | Second contact person telephone |
|---|
Table 36 in anx_IV
| 12. | Date and time of detection of the cyber threat |
|---|
Table 37 in anx_IV
| 13. | Description of the significant cyber threat |
|---|
Table 38 in anx_IV
| (a) | a high-level overview of the most relevant aspects of the significant cyber threat; |
|---|
Table 39 in anx_IV
| (b) | the related risks arising from it, including potential vulnerabilities of the systems of the financial entity that can be exploited; |
|---|
Table 40 in anx_IV
| (c) | information about the probability of materialisation of the significant cyber threat; and |
|---|
Table 41 in anx_IV
| (d) | information about the source of information about the cyber threat. |
|---|
Table 42 in anx_IV
| 14. | Information about potential impact |
|---|
Table 43 in anx_IV
| 15. | Potential incident classification criteria |
|---|
Table 44 in anx_IV
| — | clients, financial counterparts and transactions affected; |
|---|
Table 45 in anx_IV
| — | reputational impact; |
|---|
Table 46 in anx_IV
| — | duration and service downtime; |
|---|
Table 47 in anx_IV
| — | geographical spread; |
|---|
Table 48 in anx_IV
| — | data losses; |
|---|
Table 49 in anx_IV
| — | critical services affected; |
|---|
Table 50 in anx_IV
| — | economic impact. |
|---|
Table 51 in anx_IV
| 16. | Status of the cyber threat |
|---|
Table 52 in anx_IV
| — | active; |
|---|
Table 53 in anx_IV
| — | inactive. |
|---|
Table 54 in anx_IV
| 17. | Actions taken to prevent materialisation |
|---|
Table 55 in anx_IV
| 18. | Notification to other stakeholders |
|---|
Table 56 in anx_IV
| 19. | Indicators of compromise |
|---|
Table 57 in anx_IV
| (a) | IP addresses; |
|---|
Table 58 in anx_IV
| (b) | URL addresses; |
|---|
Table 59 in anx_IV
| (c) | domains; |
|---|
Table 60 in anx_IV
| (d) | file hashes; |
|---|
Table 61 in anx_IV
| (e) | malware data (malware name, file names and their locations, specific registry keys associated with malware activity); |
|---|
Table 62 in anx_IV
| (f) | network activity data (ports, protocols, addresses, referrers, user agents, headers, specific logs or distinctive patterns in network traffic); |
|---|
Table 63 in anx_IV
| (g) | email message data (sender, recipient, subject, header, content); |
|---|
Table 64 in anx_IV
| (h) | DNS requests and registry configurations; |
|---|
Table 65 in anx_IV
| (i) | user account activities (logins, privileged user account activity, privilege escalation); |
|---|
Table 66 in anx_IV
| (j) | database traffic (read/write), requests to the same file. |
|---|
Table 67 in anx_IV
| 20. | Other relevant information |
|---|