Recital 51

Streamlined ICT-related incident reporting


The propagators of cyber-attacks tend to pursue financial gains directly at the source, thus exposing financial entities to significant consequences. To prevent ICT systems from losing integrity or becoming unavailable, and hence to avoid data breaches and damage to physical ICT infrastructure, the reporting of major ICT-related incidents by financial entities should be significantly improved and streamlined. ICT-related incident reporting should be harmonised through the introduction of a requirement for all financial entities to report directly to their relevant competent authorities. Where a financial entity is subject to supervision by more than one national competent authority, Member States should designate a single competent authority as the addressee of such reporting. Credit institutions classified as significant in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013 (19) should submit such reporting to the national competent authorities, which should subsequently transmit the report to the European Central Bank (ECB).

(19) Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

Defined terms:

cyber-attack: a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.

financial entities: as defined in Article 2, points (a) to (t).

major ICT-related incident: an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.

ICT-related incident: a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

competent authority: as defined in Article 46.

credit institution: a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council.