Article 7
Content of the voluntary notification of significant cyber threat

Note: This article is based on the final draft from the ESAs and is not yet adopted.
The content of the notification in relation to significant cyber threats (a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident) in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall cover:
- general information about the reporting entity as set out in Article 4;
- date and time of detection of the significant cyber threat and any other relevant timestamps related to the threat;
- description of the significant cyber threat;
- information about the potential impact of the cyber threat (as defined in Article 2, point (8), of Regulation (EU) 2019/881: any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons) on the financial entity, its clients and/or financial counterparts;
- the classification criteria that would have triggered a major incident report, if the cyber threat had materialised;
- information about the status of the cyber threat and any changes in the threat activity;
- description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats, where applicable; and
- information about notification of the cyber threat to other financial entities (as defined in Article 2, points (a) to (t)) or authorities;
- information on indicators of compromise, where applicable; and
- other relevant information, where available.