Article 2
Specific information to be provided in initial notifications
Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information:
|
(a) |
the incident reference code assigned by the financial entity; |
|
(b) |
the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772 (7); |
|
(c) |
a description of the ICT-related incident; |
|
(d) |
the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major; |
|
(e) |
the Members States that are impacted by the ICT-related incident; |
|
(f) |
information on how the ICT-related incident was discovered; |
|
(g) |
where available, information about the origin of the ICT-related incident; |
|
(h) |
information about whether the financial entity has activated a business continuity plan; |
|
(i) |
where applicable, information about the reclassification of the ICT-related incident from major to non-major; |
|
(j) |
where available, any other relevant information. |
(7) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj).