Joint Technical Standards on major incident reporting

  • Status: Final draft RTS/ITS adopted by the EBA and submitted to the European Commission

This set of Technical Standards includes:

  • Regulatory Technical Standards (RTS) establishing the content of the reports for ICT-related incidents and the notification for significant cyber threats, and the time limits for financial entities (FEs) to report these incidents to competent authorities. 
  • Draft Implementing Technical Standards (ITS) establishing the standard forms, templates and procedures for FEs to report a major ICT-related incident or to notify a significant cyber threat.

The draft RTS set out the following time limits: the initial notification is due 4 hours after classification and 24 hours after detection of the incident, the intermediate report within 72 hours, and the final report within 1 month. The proposed time limits have been aligned with NIS2 and have been set out so as to be proportionate for the different types and sizes of FEs within the scope of DORA.

In addition, the Technical Standards set out the types of information to be collected with the notifications and reports for major incidents and significant cyber threats. A detailed description of these types of information, and instructions on how to populate them, are provided in the Annex to the draft ITS.

Summary of document history

Joint draft Technical Standards on major incident reporting

  • Status: Not yet applicable
  • Application date:
  • Compliance deadline:

Press contacts

Franca Rosa Congiu