Commission Delegated Regulation (EU) 2025/301 of 23 October 2024 supplements Regulation (EU) 2022/2554 by establishing regulatory technical standards that specify the content and time limits for reporting major ICT-related incidents in the financial sector. It requires financial entities to submit an initial notification, an intermediate report, and a final report on such incidents, and ensures that the initial notification contains the most significant information, avoiding undue reporting burdens while enabling competent authorities to act promptly. The regulation harmonizes and simplifies reporting requirements across financial entities, aligns time limits with those in Directive (EU) 2022/2555, and balances the need for timely information with the practicalities of incident handling. Additionally, it sets out the content for voluntary notifications of significant cyber threats, which are less detailed to reduce burdens on financial entities. The regulation aims to facilitate supervisory oversight by providing authorities with progressively detailed information through the reporting stages, while considering proportionality for smaller entities and accounting for weekends and holidays in reporting deadlines.
Publication's URL
URL: https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng
Publication's scorecard
Country: EU
Scope: Cyber
Typology: Regulation
Publication's date: October 23, 2024
Category: Cyber Resilience
Sector: Finance
Rating: