
Incident reporting


Obligation to report major ICT-related incidents

Financial institutions report major ICT-related incidents and significant cyber threats to Latvijas Banka, using the XLSX file templates (for incidents and cyber threats) and the technical description published on Latvijas Banka’s website (without changing the order of the worksheets in either template or the placement of the tables in them).

The content of the reports, the templates and the reporting procedure are laid down in the regulatory technical standards (RTS) and implementing technical standards (ITS).

  • RTS 2024/1772 – specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
  • RTS 2025/301 – specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats;
  • ITS 2024/302 – standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat.

The deadline for submitting the initial report is no later than 4 hours after the incident has been identified or 24 hours after the incident has been detected. 72 hours is the maximum deadline for submitting an intermediate report, and 1 month for submitting the final report.

After collecting, analysing and classifying information on the incident, financial institutions prepare an initial report, as well as a subsequent intermediate report and final report using the template (Excel file), and submit them to Latvijas Banka within the specified deadlines.

When submitting an intermediate report or a final report, the information previously provided in the initial report or the intermediate report must be retained in the template. Where necessary, the information previously submitted may be updated.

Incident report templates may be completed by financial institutions in Latvian or English.

The availability of the contact point or staff member indicated in the report must be ensured throughout the entire incident handling cycle.

If the financial institution has also sent the incident report to the National Cyber Security Centre or has consulted it on incident containment solutions, the initial report must include the relevant information.

File templates for reports can be downloaded here:

The file name format is aaa_v_nn_yyyymmdd.xlsx, where:

  • aaa – file name prefix:
      • "DORA_IR" – for major incident reports;
      • "DORA_CYB" – for significant cyber threat reports;
  • v – version number of the submitted incident report (for cyber threat reports, only "1" is used), where:
      • "1" – initial notification;
      • "2" – intermediate report;
      • "3" – final report;
  • nn – report sequence number, if there is more than one report on the submission day (consists of two digits, such as 01, 02, etc.);
  • yyyymmdd – date of submission of the initial notification of the incident, where:
      • yyyy – year;
      • mm – month;
      • dd – day.
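A validator for the file naming convention above, as an added example that is not part of Latvijas Banka's page or tooling. It assumes the prefix and extension are case-sensitive and that only ASCII digits are accepted; the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# aaa_v_nn_yyyymmdd.xlsx; [0-9] rather than \d so non-ASCII digits are rejected.
# Assumption: prefix and extension are case-sensitive, exactly as written on the page.
_NAME_RE = re.compile(r"(DORA_IR|DORA_CYB)_([123])_([0-9]{2})_([0-9]{8})\.xlsx")
_STAGES = {1: "initial notification", 2: "intermediate report", 3: "final report"}


@dataclass(frozen=True)
class ReportName:  # hypothetical helper type
    prefix: str
    version: int
    sequence: int
    initial_date: date  # date the initial notification was submitted

    @property
    def stage(self) -> str:
        return _STAGES[self.version]


def parse_report_name(filename: str) -> ReportName:
    """Return the parsed fields, or raise ValueError if the name breaks the convention."""
    m = _NAME_RE.fullmatch(filename)  # fullmatch also rejects path prefixes and suffixes
    if m is None:
        raise ValueError(f"not in aaa_v_nn_yyyymmdd.xlsx form: {filename!r}")
    prefix, version = m[1], int(m[2])
    if prefix == "DORA_CYB" and version != 1:
        raise ValueError("cyber threat reports only use version 1")
    # strptime rejects impossible dates such as 20250230.
    initial = datetime.strptime(m[4], "%Y%m%d").date()
    return ReportName(prefix, version, int(m[3]), initial)


def is_valid_report_name(filename: str) -> bool:
    try:
        parse_report_name(filename)
    except ValueError:
        return False
    return True


def plausible_follow_up(earlier: ReportName, later: ReportName) -> bool:
    """Necessary (not sufficient) check: a later-stage incident file keeps the
    prefix and the initial-notification date, and has a higher version."""
    return (earlier.prefix == later.prefix == "DORA_IR"
            and earlier.initial_date == later.initial_date
            and later.version > earlier.version)
```

Running this check before upload catches a wrong version digit or a date that was changed to the follow-up submission day instead of the initial notification day.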

Incident reports shall be submitted using the Latvijas Banka security system (FAS).

Financial institutions that do not have access to the FAS system at the time of the incident or do not use it shall submit incident reports by sending them to the e-mail address ict_incidents@bank.lv.

Incident reports may be prepared in Latvian or English.

When sending a report to Latvijas Banka’s e-mail address ict_incidents@bank.lv, the identifier "ICT incidents_bbb" must be indicated in the subject field, where:

bbb – the full legal name of the financial institution in text form.

The CryptShare encryption tool is used to ensure the confidentiality of e-mails.

Financial market participants that have submitted reports to Latvijas Banka on significant ICT-related incidents in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 during the reporting year must prepare, by 1 April of the following year, a report on the total annual costs and losses caused by significant ICT-related incidents that occurred during the reporting year.

This report must be submitted to Latvijas Banka upon request.

The report shall be prepared in accordance with Article 11(10) of Regulation (EU) 2022/2554 and the Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554.

The report should include:

  • all significant ICT-related incidents for which a final report was submitted during the reporting year;
  • incidents reported in previous reporting years under Regulation (EU) 2022/2554, if they had a quantifiable financial impact in the relevant reporting year (e.g. recovery of financial resources).

Three European Supervisory Authorities – the European Banking Authority, the European Securities Market Authority and the European Insurance and Occupational Pensions Authority – are compiling questions and answers to support consistent and effective application of the European Union regulation in the area of financial services. The database of questions and answers regarding DORA is available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As - EIOPA) and can be navigated by selecting appropriate filters.

The questions published there are the ones that market participants have most often found confusing. If you cannot find an answer to your question via the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to dora@bank.lv or submit your question via the EIOPA's web resource Joint Q&As – EIOPA.
