RTS on ICT Incident Reporting Content & Timelines
Commission Delegated Regulation (EU) 2025/301 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
Abstract
Regulatory Technical Standards under DORA specifying the harmonised content and reporting timelines for initial notifications, intermediate reports, and final reports of major ICT-related incidents, and defining the minimum content for voluntary notifications of significant cyber threats. Establishes strict reporting deadlines (4h/24h initial, 72h intermediate, 1 month final) and structured data requirements to enable supervisory oversight and coordinated incident response across the EU financial sector.
Key Takeaways
- Defines mandatory structured fields for initial, intermediate, and final incident reports under DORA Article 19.
- Requires initial notification within 4 hours of classification and no later than 24 hours from awareness.
- Mandates intermediate report within 72 hours and final report within one month.
- Specifies detailed information on impact, affected services, recovery status, root causes, and financial losses.
- Introduces voluntary notification framework for significant cyber threats with lighter reporting requirements.
- Harmonises supervisory reporting across all EU financial entities and aligns with NIS2 timelines.
Keywords
Need DORA-Aligned AI Architecture?
We build AI systems that satisfy DORA requirements from day one. Audit trails, governance, exit readiness - built in, not bolted on.
Schedule Architecture Reviewviktor@intellectumlab.com | Response within 24 hours