The content of the voluntary notification in relation to significant cyber threats as referred to in Article 19(2) of Regulation (EU) 2022/2554 shall cover all of the following:
- general information about the notifying financial entity as set out in Article 1;
- the date and time of detection of the significant cyber threat and any other relevant timestamps related to the significant cyber threat;
- a description of the significant cyber threat;
- information about the potential impact of the significant cyber threat on the financial entity, its clients, or financial counterparts;
- the classification criteria that would have triggered a major incident report laid down in Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 if the cyber threat had materialised;
- information about the status of the significant cyber threat and any changes in the threat activity;
- where applicable, a description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threats;
- information about any notification of the significant cyber threat to other financial entities or authorities;
- where applicable, information on indicators of compromise;
- where available, any other relevant information.
