Chapter III — ICT-related incident management, classification and reporting
Section II — Reporting of major ICT-related incidents
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Summary
Establishes the mandatory reporting framework for major ICT-related incidents, as classified under Article 18, to the relevant competent authority. Requires an initial notification, an intermediate report and a final report, with the precise deadlines laid down in the regulatory technical standards mandated by Article 20. Also requires financial entities to inform affected clients without undue delay, allows voluntary notification of significant cyber threats, and obliges competent authorities to pass reports on to the ESAs, the ECB and NIS authorities. A single EU reporting hub is not created by Article 19; its feasibility is only assessed under Article 21.
Key Requirements
1. Report major ICT-related incidents to the relevant competent authority (reporting may be outsourced to a third-party provider, but the financial entity remains responsible)
2. Submit the initial notification within the prescribed timeline after the incident is classified as major
3. Provide an intermediate report with updated details, and further updates whenever the status or handling of the incident changes materially
4. Submit a final report with root cause analysis, impact assessment and remediation measures
5. Inform affected clients without undue delay where the incident affects their financial interests
6. Use the standardized reporting templates and channels; voluntary notification of significant cyber threats uses the same route
Detailed Analysis
Article 19 establishes the reporting obligations that apply when a financial entity experiences a major ICT-related incident as classified under Article 18. Reports go to the competent authority designated for that entity under Article 46. Article 19(1) allows the reporting itself to be outsourced to a third-party service provider, but the financial entity retains full responsibility for compliance. The three-phase framework ensures that competent authorities receive timely, actionable information while allowing the entity to focus on incident resolution before providing comprehensive analysis.
The initial notification must be submitted within a short window after the incident is classified as major. The exact deadlines are set in the regulatory technical standards adopted under Article 20 (Commission Delegated Regulation (EU) 2025/301): no later than four hours after classification as major, and in any case within 24 hours of the entity becoming aware of the incident. In practice this means the classification decision, not the detection of the incident, starts the four-hour clock, so the classification process of Article 18 must be fast enough to leave time for the notification itself. The notification provides essential information about the nature, impact and initial response actions, and allows supervisors to assess whether the incident has broader systemic implications and to coordinate cross-border responses if necessary.
The intermediate report, due within 72 hours of the initial notification under the same technical standards, follows with updated information as the entity gains a better understanding of the incident's scope, impact and causes. Article 19(4)(b) also requires updated notifications whenever the status of the incident changes materially or the handling of the incident changes on the basis of new information. This report provides the detail needed for supervisory assessment and cross-sector coordination, including information about affected services, clients and any data compromises.
The final report is due once the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented (Article 19(4)(c)); the technical standards set this at one month after the intermediate report. It must include the root cause analysis, a detailed timeline, the complete impact assessment and the remediation measures implemented or planned. The report serves both supervisory purposes and the entity's own learning objectives, ensuring that the experience is translated into concrete improvements to the ICT risk management framework required by Article 13.
Article 19 does not itself create a single EU reporting hub. Financial entities report to one competent authority, which under Article 19(6) must promptly pass the initial notification and each subsequent report on to the relevant ESA, the ECB for significant credit institutions, the NIS 2 competent authorities or CSIRTs, and, where relevant, the resolution authorities. The idea of a centralised EU Hub for major ICT-related incident reporting is addressed separately in Article 21, which only requires the ESAs to prepare a joint feasibility report on such centralisation; until that leads to legislation, duplicative reporting is reduced by the sharing obligation on the competent authority, not by a single point of submission.
Two further obligations in Article 19 are easily overlooked. Under Article 19(2), financial entities may, on a voluntary basis, notify significant cyber threats to the competent authority when they consider the threat relevant to the financial system, service users or clients; this reporting is optional, but once submitted it follows the same templates and channels. Under Article 19(3), where a major ICT-related incident has or may have an impact on the financial interests of clients, the entity must inform those clients without undue delay about the incident and the measures taken to mitigate its adverse effects, and in the case of a significant cyber threat must inform potentially affected clients of any appropriate protection measures they might consider taking.