Regulation Overview
On February 20, 2025, the European Commission published EU Regulation 2025/302, which sets out the technical standards for implementing the Digital Operational Resilience Act (DORA). DORA Article 19 obligates financial entities to report major ICT-related incidents and significant cyber threats to relevant competent authorities and Regulation 2025/302 provides financial entities with standardized templates for reporting major ICT-related incidents and notifying significant cyber threats. Regulation 2025/302 also includes a detailed data glossary and comprehensive instructions to guide the financial entities in reporting such incidents, ensuring consistency and clarity in incident notification and management within the financial sector.
Key Provisions
Financial entities shall submit the initial notification, intermediate report, and final report concerning the ICT-related incident as referred to in Article 19(4) of DORA per the notification template in Annex I of Regulation 2025/302. Moreover, financial entities shall follow the data glossary and instructions in Annex II when completing the template laid down in Annex I.
B. Completion of Data Fields in Notification
Financial entities shall accurately complete all data fields corresponding to the required information in ICT-related incident reports submitted at each stage of the notification process. Articles 2–4 of the EU Regulation 2025/301 specify the content of notifications and reports concerning major ICT-related incidents.
(i) Initial Notification: Includes the incident reference code, detection details, classification criteria, affected EU member states, incident discovery method, and confirmation about activation of business continuity plans.
(ii) Intermediate Report: Includes the incident reference code (if applicable), occurrence date and time, recovery details, classification criteria, type of incident, attack methods, affected business processes, and infrastructure. It also covers the impact on clients, reporting to other authorities, recovery actions, and indicators of compromise (if applicable).
(iii) Final Report: Includes details on the root causes of the incident, resolution timeline, and actions taken to address the issue. It also covers financial impact, including direct and indirect costs, financial recoveries, and any relevant information for resolution authorities. If applicable, it provides insights into recurring incidents.
Financial entities can submit the initial notification, intermediate report, and final report together if their regular activities have returned to normal or the root cause analysis is complete, as long as they meet the deadlines outlined in Article 5 of Regulation 2025/301. Article 5 states that the initial notification shall be submitted within four hours of classifying the ICT-related incident as major, and no later than 24 hours after the financial entity becomes aware of the incident. The intermediate report shall be submitted within 72 hours of the initial notification, with updates provided without delay, and the final report shall be submitted no later than one month after the intermediate or updated intermediate report.
D. Use of Secure Electronic Channels
Financial entities shall use secure electronic channels as made available by their competent authority to submit the initial notification and the intermediate and final reports.
If a financial entity determines, after further assessment, that an ICT-related incident initially reported as major did not meet the classification criteria in Article 8 of EU Regulation 2024/1772, it shall notify the competent authority of the reclassification to non-major. The entity should provide this information using the template in Annex I, specifically for the fields 'type of submission' and 'other information'.
F. Notification of Outsourcing Reporting Obligations
Financial entities outsourcing the reporting of major ICT-related incidents shall notify their competent authority once the arrangement is finalized and before the first report. Moreover, they shall provide the third party's contact details and identification code and inform the authorities if they later discontinue outsourcing.
G. Aggregated Reporting by Third-Party Service Provider
A third-party service provider handling reporting obligations under Article 19(5) of DORA may submit a single aggregated report for a major ICT-related incident affecting multiple financial entities, using the Annex I template, if all the following conditions are met:
(i) The incident originates from a third-party ICT service provider.
(ii) Third-party service providers serve multiple financial entities or a group.
(iii) Each affected financial entity classifies the incident as major.
(iv) The incident impacts financial entities within a single EU member state.
(v) The same competent authority supervises all affected financial entities.
(vi) Competent authorities explicitly permit aggregated reporting to financial entities.
However, significant credit institutions, trading venue operators, and central counterparties shall submit individual reports.
Financial entities reporting significant cyber threats under DORA Article 19(2) shall use the Regulation 2025/302 Annex III template, follow Annex IV guidelines, and ensure the report information is complete and accurate. The Annex III template requires financial entities to provide key details when reporting significant cyber threats, including financial entity’s identification (name, type, legal entity identifier (LEI) code), primary and secondary contact information, detection date and time, a description of the threat, potential impact, classification criteria, current status, preventive actions taken, notifications to stakeholders, indicators of compromise, and any other relevant information.
Compliance Timeline
The European Commission published EU Regulation 2025/302 in the Official Journal of the European Union on February 20, 2025. It will enter into force on March 12, 2025.
