RTS (EU) 2025/301 – Incident Reporting
| Property | Value |
|---|---|
| Number | Delegated Regulation (EU) 2025/301 |
| DORA Article | Art. 20(1)(a) |
| Pillar | P2 – Incident Reporting |
| Adoption | 23.10.2024 |
| Publication | 20.02.2025 |
| Applicable since | 17.01.2025 |
| EUR-Lex | Link |
Content
Defines the content and deadlines of the 3-stage reporting chain:
| Stage | Deadline | Mandatory Content |
|---|---|---|
| Initial notification | 4h after classification (max. 24h after detection) | Who, what, when, initial assessment |
| Intermediate report | 72h after initial notification | Status update, impact analysis, action plan |
| Final report | 1 month after initial notification | Root cause, lessons learned, measures |
As well as voluntary reporting of significant cyber threats.
Missing a deadline = DORA violation → sanctions per Art. 50–52 DORA in conjunction with national implementation (FinmadiG).
→ Details: P2: Incident Reporting | Incident Pipeline