Initial notifications as referred to in Article 19(4), point (a), of Regulation (EU) 2022/2554 shall contain at least all of the following specific information:
- the incident reference code assigned by the financial entity;
- the date of detection, time of detection, and classification of the incident pursuant to Article 8 of Commission Delegated Regulation (EU) 2024/1772 (7)
- a description of the ICT-related incident;
- the criteria, laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772, on the basis of which the financial entity classified the ICT-related incident as major;
- the Members States that are impacted by the ICT-related incident;
- information on how the ICT-related incident was discovered;
- where available, information about the origin of the ICT-related incident;
- information about whether the financial entity has activated a business continuity plan;
- where applicable, information about the reclassification of the ICT-related incident from major to non-major;
- where available, any other relevant information.
(7) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj.
