2025-06-23

Instruction No. 2025-I-10 on Major ICT Incident Reporting and Voluntary Notification of Significant Cyber Threats to the ACPR

The Autorité de contrôle prudentiel et de résolution (ACPR) issued Instruction No. 2025-I-10 to mandate major ICT incident reporting and enable voluntary notification of significant cyber threats by designated financial entities. The instruction applies to a comprehensive list of banking, payment, investment, insurance, and reinsurance firms, requiring them to adhere to EU Digital Operational Resilience Act standards. These obligations become effective on July 1, 2025, with technical submissions required via JSON teletransmission to the ACPR General Secretariat.

France

Autorite de Controle Prudentiel et de Resolution

PRUDENTIAL CONTROL AND RESOLUTION AUTHORITY

Instruction No. 2025-I-10 on the reporting of major ICT-related incidents and voluntary notifications of significant cyber threats to the Prudential Control and Resolution Authority

The Prudential Control and Resolution Authority,

Having regard to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;

Having regard in particular to Article 19 of Regulation (EU) 2022/2554 on the reporting of major ICT-related incidents and voluntary notifications of significant cyber threats to the competent authority;

Having regard to Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regulatory technical standards specifying the criteria for classifying ICT-related incidents and cyber threats, setting thresholds for materiality, and specifying the details of major incident reports;

Having regard to Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 defining implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council as regards the standard forms, templates and procedures enabling financial entities to notify a major ICT-related incident and to notify a significant cyber threat;

Having regard to the Monetary and Financial Code, in particular Articles L. 612-2 and L. 612-24;

Having regard to the Insurance Code, in particular Articles L. 310-3-1, L. 355-1, L. 356-21, L. 381-1, L. 385-6, D. 344-5, R. 355-6 and R. 385-17;

Having regard to the Mutual Code, in particular Articles L. 212-1, L. 211-10, L. 214-1, L. 214-12, D. 114-11 and R. 214-5;

Having regard to the Social Security Code, in particular Articles L. 931-6, L. 931-9, L. 942-1, L. 942-11, D. 931-37 and R. 942-5;

Having regard to the opinion of the Prudential Affairs Consultative Commission of 5 June 2025,

DECIDES

Article 1 Subject to the exclusions mentioned in the third paragraph of Article 2 of Regulation (EU) 2022/2554, the following financial entities – hereinafter referred to as "subject entities" – are bound by this instruction:

A. In the banking, payment services and investment services sector:

  1. credit institutions;
  2. payment institutions;
  3. account information service providers;
  4. electronic money institutions;
  5. investment firms as defined in Article L. 531-4 of the Monetary and Financial Code;
  6. token issuers referring to one or more approved assets under Regulation (EU) 2023/1114;
  7. central counterparties;

B. In the insurance sector:

  8. insurance and reinsurance undertakings subject to the so-called "Solvency II" regime mentioned in Articles L. 310-3-1 of the Insurance Code, L. 211-10 of the Mutual Code and L. 931-6 of the Social Security Code;
  9. insurance holding companies and mutual insurance holding companies mentioned in Articles L. 322-1-2 and L. 322-1-3 of the Insurance Code; mutual union groups mentioned in Article L. 111-4-2 of the Mutual Code;
  10. social protection insurance holding companies mentioned in Article L. 931-2-2 of the Social Security Code;
  11. mixed financial holding companies mentioned in Article L. 517-4 of the Monetary and Financial Code, included in group supervision within the meaning of Article L. 356-2 of the Insurance Code;
  12. supplementary occupational retirement benefit bodies, namely supplementary occupational retirement funds (FRPS) mentioned in Article L. 381-1 of the Insurance Code, supplementary occupational retirement mutuals or unions (MRPS or URPS) mentioned in Article L. 214-1 of the Mutual Code and supplementary occupational retirement institutions (IRPS) mentioned in Article L. 942-1 of the Social Security Code, in accordance with the provisions of Regulation (EU) 2022/2554 in its Article 2, paragraph 3(c);
  13. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries that are not microenterprises or small and medium-sized enterprises in accordance with point (e) of Article 2(3) of Regulation (EU) 2022/2554.

Article 2 Under the conditions set out in Article 4 of this instruction, subject entities shall report major ICT-related incidents to the Prudential Control and Resolution Authority in accordance with the provisions of Article 19 of Regulation (EU) 2022/2554 and the details specified in Delegated Regulation (EU) 2024/1772 and Implementing Regulation (EU) 2025/302.

Article 3 Subject entities may, furthermore, on a voluntary basis, notify significant cyber threats to the Prudential Control and Resolution Authority when they consider the threat to be relevant to the financial system, service users or clients.

Article 4 The technical and methodological procedures for submission are defined by the current ACPR instructions. In particular, reports of major incidents or significant cyber threats are addressed to the General Secretariat of the Prudential Control and Resolution Authority via teletransmission in JSON format according to the technical specifications necessary for their processing as defined by the General Secretariat of the Prudential Control and Resolution Authority.

Article 5 This instruction shall enter into force on 1 July 2025.

Paris, 23 June 2025

The President, François VILLEROY de GALHAU