Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplements Regulation (EU) 2022/2554 by establishing regulatory technical standards that specify the content and time limits for reporting major ICT-related incidents in the financial sector. It mandates financial entities to submit an initial notification, intermediate report, and final report on such incidents, ensuring that the initial notification contains the most significant information to avoid undue reporting burdens while enabling competent authorities to act promptly. The regulation harmonizes and simplifies reporting requirements across financial entities, aligning time limits with those in Directive (EU) 2022/2555, and balances the need for timely information with the practicalities of incident handling. Additionally, it sets out the content for voluntary notifications of significant cyber threats, which are less detailed to reduce burdens on financial entities. The regulation aims to facilitate supervisory oversight by providing authorities with progressively detailed information through the reporting stages while considering proportionality for smaller entities and accounting for weekends and holidays in reporting deadlines.
Publication's URL
https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/engAdditional documents on this topic
- EU Commission Implementing Regulation 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)