Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 establishes implementing technical standards for the application of Regulation (EU) 2022/2554 concerning digital operational resilience for the financial sector. Specifically, it sets out the standard forms, templates, and procedures that financial entities must use to report major ICT-related incidents and to notify significant cyber threats. This regulation aims to harmonize and streamline the reporting process across the EU, ensuring timely and consistent communication of critical ICT incidents and cyber threats within the financial sector. It is binding in its entirety and directly applicable in all Member States, entering into force on the twentieth day following its publication in the Official Journal of the European Union on 20 February 2025.
Publication's URL
https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)