Bank of Italy prudential supervisory regulation (Circular No. 285 - First Part - Section IV - Chapter IV, 'The information system', for banks; regulatory measure of May 17 2016 'Disposizioni di vigilanza per gli istituti di pagamento e gli istituti di moneta elettronica (Supervisory measures for payment institutions and electronic money institutions)' - Chapter VI, 'Organizzazione amministrativa e contabile e controlli interni (Administrative and accounting procedures and internal checks)', for payment institutions and electronic money institutions) requires banks, payment and electronic money institutions to notify the Bank of Italy promptly of any significant operational or security incidents. To facilitate financial entities in the collection and representation of the information to be communicated, the necessary templates and instructions are provided on this page. As regards the specific information requested from the different categories of institutions, three different operative procedures and reporting templates have been established, respectively for:
- significant institutions (including subsidiaries of significant non-Italian institutions),
- less significant institutions and Italian branches of non-EU institutions (except those based in the States listed in Appendix A of the introductory provisions of Circular No.285), and
- payment institutions, electronic money institutions and Italian branches of non-EU institutions based in the States listed in Appendix A of the introductory provisions of Circular No.285.
It should be noted that the reporting procedures and templates for all intermediaries integrate the requirements of the incident reporting framework provided in the 'Revised guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2)' and that the reporting procedures and templates for significant institutions integrate the requirements of the SSM cyber incident reporting framework.