rts-incident-reporting.yaml

urn: urn:intuitem:risk:library:rts-dora-incident-reporting
locale: en
ref_id: RTS-DORA-incident-reporting
name: RTS DORA incident reporting
description: 'Article 20 of DORA mandates the European Supervisory Authorities (ESAs)
  to develop through the Joint Committee and in consultation with the European Central
  Bank and European Union Agency for Cybersecurity, Draft Regulatory Technical Standards
  (RTS) establishing the content of the reports for ICT-related incidents and the
  notification for significant cyber threats, and the time limits for FEs to report
  these incidents to competent authorities.


  Here is the link of the Second batch of policy products under DORA:

  https://www.eiopa.europa.eu/publications/second-batch-policy-products-under-dora_en


  Here is the link of the document :

  https://www.eiopa.europa.eu/document/download/0dfbccfd-97b2-4076-9644-b5cf4566fc6f_en?filename=JC%202024-33%20-%20Final%20report%20on%20the%20draft%20RTS%20and%20ITS%20on%20incident%20reporting.pdf'
copyright: ESA
version: 1
provider: ESA
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:rts-dora-incident-reporting
    ref_id: RTS-DORA-incident-reporting
    name: RTS DORA incident reporting
    description: '"Article 20 of DORA mandates the European Supervisory Authorities
      (ESAs) to develop through the Joint Committee and in consultation with the European
      Central Bank and European Union Agency for Cybersecurity, Draft Regulatory Technical
      Standards (RTS) establishing the content of the reports for ICT-related incidents
      and the notification for significant cyber threats, and the time limits for
      FEs to report these incidents to competent authorities.


      Here is the link of the Second batch of policy products under DORA:

      https://www.eiopa.europa.eu/publications/second-batch-policy-products-under-dora_en


      Here is the link of the document :

      https://www.eiopa.europa.eu/document/download/0dfbccfd-97b2-4076-9644-b5cf4566fc6f_en?filename=JC%202024-33%20-%20Final%20report%20on%20the%20draft%20RTS%20and%20ITS%20on%20incident%20reporting.pdf"'
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-1
      assessable: false
      depth: 1
      ref_id: Recital 1
      description: Given that Regulation (EU) 2022/2554 aims to harmonise and streamline
        incident reporting requirements, and to ensure that competent and other relveant
        authorities receive all necessary information about the major incident in
        order to take supervisory actions and to prevent potential spill-over effects,
        the reports for major incidents submitted from financial entities to competent
        authorities should provide essential and exhaustive information about the
        incident, in a consistent and standardised manner for all financial entities
        within the scope of Regulation (EU) 2022/2554.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-2
      assessable: false
      depth: 1
      ref_id: Recital 2
      description: With a view to ensure the harmonisation of the reporting requirements
        for major incidents and to maintain a consistent approach with Directive (EU)
        2022/2555, the time limits for reporting major incidents should be consistent
        for all types of financial entities. The time limits should also be consistent
        with, to the greatest extent possible, and at least equivalent in effect to
        the requirements set out in Directive (EU) 2022/2555.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-3
      assessable: false
      depth: 1
      ref_id: Recital 3
      description: In order to take proper action, competent authorities need to receive
        information about the major incident at the very early stages after the incident
        has been classified as major. Consequently, the timeline for submitting the
        initial notification should be as short as possible after classification of
        the incident but also providing flexibility for financial entities, especially
        for non-time critical service business models, with a longer timeline after
        financial entities become aware of the incident in case financial entities
        require more time to handle the incident. To avoid imposing an undue reporting
        burden to the financial entity at a time when it will be handling with the
        incident, the content of such initial notification should be limited to the
        most significant information.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-4
      assessable: false
      depth: 1
      ref_id: Recital 4
      description: Given that, after having received the initial notification, competent
        authorities will need more detailed information about the incident with the
        intermediate report and the full set of relevant information with the final
        report to further assess the situation and evaluate supervisory actions they
        may want to take, the reporting timelines should be such to allow competent
        authorities to receive the information timely, while ensuring financial entities
        have sufficient time to obtain complete and accurate information.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-5
      assessable: false
      depth: 1
      ref_id: Recital 5
      description: In accordance with the proportionality requirement set out in Article
        20(a), second sub-paragraph of Regulation (EU) 2022/2554, the reporting timelines
        should not pose burden to microenterprises and other financial entities that
        are not significant. Therefore, the reporting timelines should take into account,
        in particular weekends and bank holidays.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-6
      assessable: false
      depth: 1
      ref_id: Recital 6
      description: Since significant cyber threats are to be reported on a voluntary
        basis, the requested information should not pose burden to financial entities
        to obtain and should be more limited than the information requested for major
        incidents.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-7
      assessable: false
      depth: 1
      ref_id: Recital 7
      description: This Regulation is based on the draft regulatory technical standards
        submitted to the Commission by the European Supervisory Authorities.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:recital-8
      assessable: false
      depth: 1
      ref_id: Recital 8
      description: "The European Supervisory Authorities have conducted open public\
        \ consultations on the draft regulatory technical standards on which this\
        \ Regulation is based, analysed the potential related costs and benefits and\
        \ requested the advice of the [\u2026] Stakeholder Group established in accordance\
        \ with Article 37 of Regulations (EU) No 1093/2010, 1094/2010 and 1095/2010\
        \ of the European Parliament and of the Council"
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-1
      assessable: false
      depth: 1
      ref_id: Article 1
      description: General provisions
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-1
      description: Financial entities shall provide the initial notification, the
        intermediate report or the final report with the content as set out in this
        Regulation following the description and instructions as set out in the Implementing
        Regulation [insert reference once published in OJ].
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-2
      assessable: false
      depth: 1
      ref_id: Article 2
      description: General information to be provided in the major incident initial
        notification, intermediate and final reports
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-2
      description: 'When submitting the initial notification, the intermediate report
        and the final report, financial entities shall provide the following general
        information:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.a
      description: the type of report as referred to in Article 19(4) of Regulation
        (EU)2022/2554;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.b
      description: name, LEI code of the financial entity and specify, which of the
        type of entities referred to in Article 2(1) of Regulation (EU)2022/2554 it
        is authorised or registered as;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.c
      description: name and identification code of the entity submitting the report
        for the financial entity;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.d
      description: names and LEI codes of all financial entities covered in the aggregated
        report, where applicable.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.e
      description: contact details of the contact persons responsible for communicating
        with the competent authority;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.f
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.f
      description: identification of the parent undertaking of the group, where applicable;
        and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:2.g
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node13
      ref_id: 2.g
      description: reporting currency.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-3
      assessable: false
      depth: 1
      ref_id: Article 3
      description: Content of initial notifications
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-3
      description: 'Financial entities shall provide at least the following information
        about the incident in the initial notification:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.a
      description: incident reference code
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.b
      description: date and time of detection and classification of the incident;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.c
      description: description of the incident;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.d
      description: classification criteria that triggered the incident report as set
        out in [Articles 1 to 8 of Delegated Regulation [insert number once published
        in official journal];
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.e
      description: members States impacted by the incident, where applicable;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.f
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.f
      description: information on how the incident has been discovered;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.g
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.g
      description: information about the origin of the incident, where available;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.h
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.h
      description: indication whether a business continuity plan has been activated;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.i
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.i
      description: information about the reclassification of the incident from major
        to non-major, where applicable; and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:3.j
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node22
      ref_id: 3.j
      description: other information, where available.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-4
      assessable: false
      depth: 1
      ref_id: Article 4
      description: Content of intermediate reports
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-4
      description: 'Financial entities shall provide at least the following information
        about the incident in the intermediate report:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.a
      description: incident reference code provided by the competent authority, where
        applicable;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.b
      description: date and time of occurrence of the incident;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.c
      description: date and time when regular activities have been restored, where
        applicable;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.d
      description: information about the classification criteria that triggered the
        incident report;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.e
      description: type of the incident;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.f
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.f
      description: threats and techniques used by the threat actor, where applicable;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.g
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.g
      description: affected functional areas and business processes;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.h
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.h
      description: affected infrastructure components supporting business processes;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.i
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.i
      description: impact on the financial interest of clients;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.j
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.j
      description: information about reporting to other authorities;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.k
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.k
      description: temporary actions/measures taken or planned to be taken to recover
        from the incident; and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:4.l
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node34
      ref_id: 4.l
      description: information on indicators of compromise, where applicable.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-5
      assessable: false
      depth: 1
      ref_id: Article 5
      description: Content of final reports
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-5
      description: 'Financial entities shall provide the following information about
        the incident in the final report:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.a
      description: information about the root causes of the incident
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.b
      description: dates and times when the incident was resolved and the root cause
        addressed;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.c
      description: information on the incident resolution;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.d
      description: information relevant for resolution authorities, where applicable;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.f
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.f
      description: information about direct and indirect costs and losses stemming
        from the incident and information about financial recoveries; and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:5.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node48
      ref_id: 5.e
      description: information about recurring incidents, where applicable.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      assessable: false
      depth: 1
      ref_id: Article 6
      description: Time limits for the initial notification and intermediate report
        and final reports referred to in Article 19(4) of Regulation (EU)2022/2554
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      ref_id: '6.1'
      description: 'The time limits for the submission of the initial notification
        and the intermediate and final reports as referred to in Article 19(4)(a)
        to (c) of Regulation (EU)2022/2554 shall be as follows:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1
      ref_id: 6.1.a
      description: the initial report shall be submitted as early as possible within
        4 hours from the moment of classification of the incident as major, but no
        later than 24 hours from the moment the financial entity has become aware
        of the incident;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1
      ref_id: 6.1.b
      description: An intermediate report shall be submitted the latest within 72
        hours from the submission of the initial notification even where the status
        or the handling of the incident have not changed as referred to in Article
        19(4)(b) of Regulation (EU) 2022/2554. Financial entities shall submit without
        undue delay an updated inter- mediate report, in any case, when regular activities
        have been recovered.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.1
      ref_id: 6.1.c
      description: the final report shall be submitted no later than one month from
        the submission of the latest updated intermediate report.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      ref_id: '6.2'
      description: Where an incident that has not been classified as major within
        the 24 hours is classified as major at a later stage, the financial entity
        shall submit the initial notification within the four-hours after the classification
        of the incident.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      ref_id: '6.3'
      description: Where financial entities are unable to submit the initial notification,
        intermediate report or final report within the timelines as set out in paragraph
        1, financial entities shall inform the competent authority without undue delay,
        but no later than the respective time limit for submission of the notification/report,
        and shall explain the reasons for the delay.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      ref_id: '6.4'
      description: Where the time limit for submission of an initial notification,
        intermediate report or a final report falls on a weekend day or a bank holiday
        in the Member State of the reporting financial entity, the financial entity
        may submit the initial notification, intermediate or final reports by noon
        of the next working day.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:6.5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-6
      ref_id: '6.5'
      description: Paragraph 4 shall not apply for the submission of an initial notification
        and an interme- diate report by credit institutions, central counterparties,
        operators of trading venues, and other financial entities identified as essential
        or important entities pursuant to na- tional rules transposing Article 3 of
        Directive (EU) 2022/2555, or financial entities de- clared as significant
        or systemic by the competent authority. In this case, the financial entities
        shall apply the time limits set out in paragraph 1.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-7
      assessable: false
      depth: 1
      ref_id: Article 7
      description: Content of the voluntary notification of significant cyber threat
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-7
      description: 'The content of the notification in relation to significant cyber
        threats in accordance with Article 19(2) of Regulation (EU) 2022/2554 shall
        cover:'
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.a
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.a
      description: general information about the reporting entity as set out in Article
        4;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.b
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.b
      description: date and time of detection of the significant cyber threat and
        any other relevant timestamps related to the threat;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.c
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.c
      description: description of the significant cyber threat;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.d
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.d
      description: information about the potential impact of the cyber threat on the
        financial entity, its clients and/or financial counterparts;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.e
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.e
      description: the classification criteria that would have triggered a major incident
        report, if the cyber threat had materialised;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.f
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.f
      description: information about the status of the cyber threat and any changes
        in the threat activity;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.g
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.g
      description: description of the actions taken by the financial entity to prevent
        the materiali- sation of the significant cyber threats, where applicable;
        and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.h
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.h
      description: information about notification of the cyber threat to other financial
        entities or authorities;
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.i
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.i
      description: information on indicators of compromise, where applicable; and
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:7.j
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node65
      ref_id: 7.j
      description: other relevant information, where available.
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-8
      assessable: false
      depth: 1
      ref_id: Article 8
      description: Entry into force
    - urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:node77
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:rts-dora-incident-reporting:article-8
      description: This Regulation shall enter into force on the twentieth day following
        that of its publication in the Official Journal of the European Union.