Regulation Overview
On February 20, 2025, the European Commission published EU Regulation 2025/301, which establishes regulatory technical standards detailing the content and timeframes for the initial notification, intermediate and final reports concerning major information and communication technology (ICT) incidents, as well as the content for the voluntary notification of significant cyber threats. Article 19 of the Digital Operational Resilience Act (DORA) obligates financial entities to report major ICT-related incidents and significant cyber threats to relevant competent authorities. Specification of content and reporting timelines under Regulation 2025/301 ensures that all financial entities adopt a consistent approach to their reporting obligations.
Key Provisions
Articles 2–4 of Regulation 2025/301 specify the content of notifications and reports concerning major ICT-related incidents. Financial entities shall include at least the following general information in the initial notification, intermediate, and final reports as per Article 19(4) of DORA:
(i) Initial Notification: Includes the incident reference code, detection details, classification criteria, affected EU member states, incident discovery method, and confirmation about activation of business continuity plans.
(ii) Intermediate Report: Includes the incident reference code (if applicable), occurrence date and time, recovery details, classification criteria, type of incident, attack methods, and affected business processes and infrastructure. It also covers the impact on clients, reporting to other authorities, recovery actions, and indicators of compromise (if applicable).
(iii) Final Report: Includes details on the root causes of the incident, resolution timeline, and actions taken to address the issue. It also covers financial impact, including direct and indirect costs and losses stemming from ICT-related incidents, financial recoveries, and any relevant information for resolution authorities. If applicable, it provides insights into recurring incidents.
Article 5 of Regulation 2025/301 states that the initial notification shall be submitted within 4 hours of classifying the ICT-related incident as major, and no later than 24 hours after the financial entity becomes aware of the incident. Where the financial entity did not classify an ICT-related incident as major within 24 hours of becoming aware of it but classifies the incident as major at a later stage, it shall submit the initial notification within 4 hours of that classification.
The intermediate report shall be submitted within 72 hours of the initial notification, with an updated intermediate report provided without delay once the financial entity’s regular activities have been recovered. The final report shall be submitted no later than one month after the submission of the intermediate or updated intermediate report. When the time limit to submit such reports falls on a weekend or bank holiday, financial entities are allowed to submit the initial notification, intermediate, or final reports by noon of the next working day. If financial entities are unable to submit the above-stated reports within the required timeframes, they shall inform the competent authority without undue delay, explaining the reasons for the delay.
C. Content of Voluntary Notification of Significant Cyber Threats
As per Article 6 of Regulation 2025/301, the content of the voluntary notification concerning significant cyber threats shall include the financial entity’s identification (name, type, legal entity identifier (LEI) code), primary and secondary contact information, detection date and time, a description of the threat, potential impact, classification criteria, current status, preventive actions taken, notifications to stakeholders, indicators of compromise, and any other relevant information.
Compliance Timeline
The European Commission published EU Regulation 2025/301 in the Official Journal of the European Union on February 20, 2025. It will enter into force on March 12, 2025.