DORA Ch. II Sec. II Art. 14 3.

1. Overview
DORA Ch. II Sec. II Art. 14 3.
3. At least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose.
2. Identified Requirements

Requirements

| Source | Requirement |
| --- | --- |
3. Related Standards

Standards

| Source | Requirement |
| --- | --- |
| NOREA | Incident Management Process: Implement an incident management process to detect, manage, and report ICT incidents. This includes incident response procedures to mitigate impacts and ensure timely restoration of services. Assign specific roles and responsibilities for various incident scenarios. Also, establish a list of contacts with internal functions and external stakeholders that are directly involved in ICT operations security, including the detection and monitoring of cyber threats, the detection of anomalous activities, and vulnerability management. Establish early warning indicators for potential incidents and incident triggers upon the occurrence of malicious activity, data losses, adverse impact detected on the financial entity's transactions and operations, systems and network unavailability, problems reported by users of the financial entity, and incident notifications from a third-party service provider detected in the systems and networks of the third-party service provider and which may affect the financial entity. Identify, document, and address incident root causes. Conduct post-ICT-related incident reviews after major disruptions. Analyze causes, evaluate response promptness and quality, and assess incident escalation and communication effectiveness. |
| NOREA | Incident Tracking: Develop procedures to identify, track, log, categorize, and classify ICT-related incidents based on priority, severity, and criticality of impacted services. Maintain records of all ICT-related incidents and significant cyber threats. Implement a monitoring process to track incidents and cyber threats. |
| NOREA | Incident Communication and Reporting: Create communication plans to inform both internal (staff, senior management) and external (clients/customers, financial counterparts) stakeholders on incidents. Designate at least one person in the financial entity to be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose. Inform affected customers promptly upon awareness of an incident that impacts them. Provide details on the incident and outline mitigating measures taken and planned. Report major incidents to the regulator, involving three stages: 1) initial notification upon discovering the incident (within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection of the incident), 2) intermediate report on incident developments (within 72 hours from the submission of the initial notification, even where the status or the handling of the incident has not changed, or when regular activities have been recovered), and 3) the final report with the root cause analysis and follow-up actions (no later than one month from the submission of the latest updated intermediate report). The reporting obligations may be outsourced to a third-party service provider. In case of such outsourcing, the financial entity remains fully responsible for the fulfilment of the incident reporting requirements. Also provide notifications to the regulator on significant cyber threats. The incident reports and notifications on cyber threats shall follow the content guidelines defined in the corresponding RTS/ITS. |