Guidelines (Level 3)
Joint ESA Guidelines
| Identifier | Date | Topic | Binding Nature |
|---|---|---|---|
| JC/GL/2024/34 | 05.06.2024 | Estimation of aggregated costs & losses from ICT incidents | Comply-or-explain |
| JC/GL/2024/36 | 17.07.2024 | ESA cooperation and information sharing in CTPP oversight | Comply-or-explain |
JC/GL/2024/34 – Costs & Losses
Guideline on the standardised estimation of aggregated annual costs and losses from major ICT-related incidents. Relevant for the economic impact analysis in incident reporting (criterion 6).
JC/GL/2024/36 – Oversight Cooperation
Guideline on cooperation and information sharing between the ESAs and national supervisory authorities within the framework of CTPP oversight.
Other Documents
| Document | Topic |
|---|---|
| ESA Final Report JC 2024-33 | Explanation of incident reporting RTS/ITS |
| ESA Final Report TLPT | Explanation of TLPT RTS |
| Joint ESA Report | Feasibility of centralised reporting |
| ESA Guide on CTPP Oversight (July 2025) | Procedures in JETs |
| CTPP List (November 2025) | 19 designated critical ICT third-party service providers |
Comply-or-Explain
Guidelines are not legally binding, but national supervisory authorities must notify within 2 months of publication whether they comply or intend to comply with the guidelines. In practice, they are treated as binding.