Financial institutions will have to communicate with the ESAs through multiple levels of reports: an initial report, an intermediate report and a final report. A synopsis of the reporting requirements is given in the RTS on Incident Reporting (PDF).
The initial report provided by financial institutions on incident reporting shall be “submitted as early as possible within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the moment the financial entity has become aware of the incident” and consist of (Article 3):
a) incident reference code;
b) date and time of detection and classification of the incident;
c) description of the incident;
d) classification criteria that triggered the incident report as set out in Articles 1 to 8 of Delegated Regulation [insert number once published in Official Journal];
e) Member States impacted by the incident, where applicable;
f) information on how the incident has been discovered;
g) information about the origin of the incident, where available;
h) indication whether a business continuity plan has been activated;
i) information about the reclassification of the incident from major to non-major, where applicable; and
j) other information, where available.
The intermediate report provided by financial institutions on incident reporting shall be submitted “the latest within 72 hours from the submission of the initial notification even where the status or the handling of the incident have not changed as referred to in Article 19(4)(b) of Regulation (EU) 2022/2554. Financial entities shall submit without undue delay an updated intermediate report, in any case, when regular activities have been recovered” and shall consist of (Article 4):
a) incident reference code provided by the competent authority, where applicable;
b) date and time of occurrence of the incident;
c) date and time when regular activities have been restored, where applicable;
d) information about the classification criteria that triggered the incident report;
e) type of the incident;
f) threats and techniques used by the threat actor, where applicable;
g) affected functional areas and business processes;
h) affected infrastructure components supporting business processes;
i) impact on the financial interest of clients;
j) information about reporting to other authorities;
k) temporary actions/measures taken or planned to be taken to recover from the incident; and
l) information on indicators of compromise, where applicable.
The final report provided by financial institutions on incident reporting shall be “submitted no later than one month from the submission of the latest updated intermediate report” and consist of (Article 5):
a) information about the root causes of the incident;
b) dates and times when the incident was resolved and the root cause addressed;
c) information on the incident resolution;
d) information relevant for resolution authorities, where applicable;
e) information about direct and indirect costs and losses stemming from the incident and information about financial recoveries; and
f) information about recurring incidents, where applicable.