{ "schema": "actproof.act_profile.v3", "act_type_id": "op:eu.dora.ict_incident_notification_initial.v1", "claim_type": "ict_incident_notification_initial", "display_name": "DORA major ICT-related incident initial notification (Article 19(4))", "regulatory_citation": { "instrument": "Regulation (EU) 2022/2554", "article": "19(4)", "jurisdiction": "EU", "in_force_from": "2025-01-17" }, "required_claim_fields": [ "entity_legal_identifier", "entity_legal_name", "financial_entity_type", "submission_type", "incident_reference_code", "detection_datetime_utc", "classification_datetime_utc", "classification_criteria_triggered", "affected_member_states", "incident_discovery_method", "business_continuity_plan_activated", "initial_impact_description", "primary_contact_name", "primary_contact_email", "competent_authority" ], "optional_claim_fields": [ "secondary_contact_name", "secondary_contact_email", "first_disruption_datetime_utc", "affected_functions_and_services", "preliminary_estimated_clients_affected", "preliminary_estimated_financial_amount", "reporting_currency", "third_party_provider_involved", "outsourcing_arrangement_reference", "linked_threat_notification_reference", "linked_nis2_notification_reference", "linked_gdpr_breach_notification_reference" ], "required_evidence_labels": [ "classification_committee_record", "detection_system_log_excerpt" ], "eligible_issuer_roles": [ "financial_entity", "third_party_reporting_provider", "credit_institution", "trading_venue_operator", "central_counterparty" ], "recommended_witness_roles": [ "competent_authority", "internal_compliance_officer", "internal_chief_information_security_officer", "internal_legal_counsel", "external_auditor", "third_party_reporting_provider" ], "signature_policy": { "minimum": "issuer_record", "supports": [ "external_qes_artifact", "internal_attestation_record" ] }, "version": 2, "supersedes": null, "maintainer": "actproof-events", "test_vector_reference": "catalogue/acts/eu/dora/ict_incident_notification_initial.v1.test_vectors.json", "regulated_context_profile": { "allowed_context_types": [ "regulatory_filing" ], "allowed_submission_stages": [ "initial_notification", "reclassification_to_non_major", "withdrawn" ], "default_context_type": "regulatory_filing" }, "prior_receipts_profile": { "required_roles": [], "optional_roles": [ "related_voluntary_cyber_threat_notification", "linked_intermediate_or_final_report" ] }, "reliance_context": { "issuer_role": "financial entity within the scope of Regulation (EU) 2022/2554 (or a third-party service provider acting on its behalf under Article 19(5)) preparing an initial notification of a major ICT-related incident for submission to its competent authority within the time limits set out in Article 5 of Delegated Regulation (EU) 2025/301 (no later than 4 hours after classification as major and at most 24 hours after detection)", "counterparty_action": "the competent authority, on receiving the official notification through its own reporting channel, records its receipt and runs its supervisory process, including the regulatory timeline for intermediate (within 72 hours) and final (within one month) reports; the financial entity retains the receipt as cryptographic evidence that it prepared and attested the initial notification, with the cited content and classification, at the stated time; downstream verifiers (auditors, supervisors in subsequent inspections, the entity itself in audit defence) use the receipt to confirm the entity's identity, the timestamps, the classification criteria cited, and the integrity of the named evidence files, and, where secure_electronic_channel_acknowledgement evidence is included, to confirm that the notification was transmitted to the competent authority", "later_verifiers": [ "competent_authority", "european_supervisory_authority", "external_auditor", "internal_audit", "supervisory_inspector" ], "non_claims": [ "does_not_constitute_an_admission_of_liability_by_the_financial_entity", "does_not_imply_a_breach_of_contract_with_clients_or_counterparties", "does_not_replace_the_separate_notification_obligation_under_directive_eu_2022_2555_nis2", "does_not_replace_a_personal_data_breach_notification_under_regulation_eu_2016_679_gdpr_article_33", "does_not_constitute_the_final_legal_classification_of_the_incident", "does_not_predetermine_supervisory_findings_or_sanctions", "does_not_exhaust_the_intermediate_and_final_reporting_obligations_under_dora_article_19_4", "does_not_prove_the_notification_was_transmitted_to_or_received_by_the_competent_authority" ], "reliance_statement": "The named financial entity attests that an ICT-related incident was detected at the stated detection_datetime_utc, classified as a major ICT-related incident under Articles 1 to 8 of Delegated Regulation (EU) 2024/1772 at the stated classification_datetime_utc, and that it has prepared the initial notification specified in Article 19(4) of Regulation (EU) 2022/2554, with the content and within the timing required by Article 5 of Delegated Regulation (EU) 2025/301, for submission to the named competent authority. Verifiers may rely on the entity's identity (entity_legal_identifier), the timestamps, the classification criteria cited, the declared notification content, and the cryptographic integrity of the named evidence files. The baseline receipt evidences the entity's attestation and the integrity of that content as of the receipt time; it does not by itself prove that the notification was transmitted to or received by the competent authority. Where secure_electronic_channel_acknowledgement evidence is attached under the submission_evidence_policy, that evidence additionally attests the transmission. The receipt does NOT constitute admission of liability, does NOT determine the final legal classification of the incident, does NOT replace separate notification obligations under NIS2 (Directive (EU) 2022/2555) or GDPR (Regulation (EU) 2016/679) Article 33, and does NOT exhaust the entity's continuing obligations to file the intermediate report (within 72 hours of detection) and the final report (within one month) under DORA Article 19(4). The machine-readable non_claims array on this entry is the authoritative enumeration of what the receipt does not prove. Supervisory findings, sanctions, and reclassification decisions are reserved to the competent authority's own published processes." }, "disclosure_profile": { "public_fields": [ "entity_legal_identifier", "entity_legal_name", "financial_entity_type", "submission_type", "detection_datetime_utc", "classification_datetime_utc", "competent_authority", "manifest.title", "manifest.issuer.legal_name" ], "commitment_fields": [ "incident_reference_code", "classification_criteria_triggered", "affected_member_states", "incident_discovery_method", "affected_functions_and_services", "initial_impact_description", "preliminary_estimated_clients_affected", "preliminary_estimated_financial_amount", "third_party_provider_involved" ], "private_fields": [ "primary_contact_name", "primary_contact_email", "secondary_contact_name", "secondary_contact_email", "outsourcing_arrangement_reference", "linked_threat_notification_reference" ], "back_propagation_scope": { "linked_intermediate_or_final_report": [ "manifest.claim.entity_legal_identifier", "manifest.claim.incident_reference_code" ] } }, "submission_evidence_policy": { "required": false, "supports": [ "secure_electronic_channel_acknowledgement" ] }, "claim_field_types": { "entity_legal_identifier": "string", "entity_legal_name": "string", "financial_entity_type": "string", "submission_type": "string", "incident_reference_code": "string", "detection_datetime_utc": "datetime", "classification_datetime_utc": "datetime", "classification_criteria_triggered": "string_list", "affected_member_states": "string_list", "incident_discovery_method": "string", "business_continuity_plan_activated": "boolean", "initial_impact_description": "text", "primary_contact_name": "string", "primary_contact_email": "email", "competent_authority": "string", "secondary_contact_name": "string", "secondary_contact_email": "email", "first_disruption_datetime_utc": "datetime", "affected_functions_and_services": "string_list", "preliminary_estimated_clients_affected": "integer", "preliminary_estimated_financial_amount": "number", "reporting_currency": "string", "third_party_provider_involved": "boolean", "outsourcing_arrangement_reference": "string", "linked_threat_notification_reference": "string", "linked_nis2_notification_reference": "string", "linked_gdpr_breach_notification_reference": "string" }, "source_bindings": [ { "source_binding_id": "sb_dora_reg_2022_2554", "source_type": "eurlex", "authority": "European Parliament and Council of the European Union", "instrument": "Regulation (EU) 2022/2554 (Digital Operational Resilience Act)", "identifiers": { "celex": "32022R2554", "eli": "http://data.europa.eu/eli/reg/2022/2554/oj" }, "provisions": [ "Article 19" ], "artifact": { "artifact_type": "oj_pdf", "media_type": "application/pdf", "sha256": "sha256:85307f9e2a0409826dd0f54489645935816d16e929f0db4db3ef15badd11d38c", "retrieved_at": "2026-05-23T15:31:54Z", "retrieved_from": { "url": "https://publications.europa.eu/resource/celex/32022R2554", "method": "cellar-content-negotiation" } } }, { "source_binding_id": "sb_dora_reg_2025_0301", "source_type": "eurlex", "authority": "European Commission", "instrument": "Commission Delegated Regulation (EU) 2025/301", "identifiers": { "celex": "32025R0301", "eli": "http://data.europa.eu/eli/reg_del/2025/301/oj" }, "provisions": [ "Article 1", "Article 2", "Article 5" ], "artifact": { "artifact_type": "oj_pdf", "media_type": "application/pdf", "sha256": "sha256:47a209a9f73e228e85e1dad2934d917d5791629fc98add06fc6fda0acb872dbf", "retrieved_at": "2026-05-23T15:31:55Z", "retrieved_from": { "url": "https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32025R0301", "method": "eurlex-direct-pdf" } } }, { "source_binding_id": "sb_dora_reg_2025_0302", "source_type": "eurlex", "authority": "European Commission", "instrument": "Commission Implementing Regulation (EU) 2025/302", "identifiers": { "celex": "32025R0302", "eli": "http://data.europa.eu/eli/reg_impl/2025/302/oj" }, "provisions": [ "Annex I", "Annex II" ], "artifact": { "artifact_type": "oj_pdf", "media_type": "application/pdf", "sha256": "sha256:37ec431c7a11b8b30b39d1c1f0d95c39539d1c1e7236301ee3b06bb229ff009c", "retrieved_at": "2026-05-23T15:31:55Z", "retrieved_from": { "url": "https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32025R0302", "method": "eurlex-direct-pdf" } } }, { "source_binding_id": "sb_dora_reg_2024_1772", "source_type": "eurlex", "authority": "European Commission", "instrument": "Commission Delegated Regulation (EU) 2024/1772", "identifiers": { "celex": "32024R1772", "eli": "http://data.europa.eu/eli/reg_del/2024/1772/oj" }, "provisions": [ "Articles 1 to 8" ], "artifact": { "artifact_type": "oj_pdf", "media_type": "application/pdf", "sha256": "sha256:416fb104161f8b3eb0aae2601060ab869b1672cfa8452d20798800301538ceab", "retrieved_at": "2026-05-23T15:31:55Z", "retrieved_from": { "url": "https://publications.europa.eu/resource/celex/32024R1772", "method": "cellar-content-negotiation" } } } ], "generation": { "method": "ai_assisted_extraction_from_authoritative_sources", "reconciled": true, "reconciliation_note": "Reconciled in May 2026 against the hashed official sources in source_bindings: the general and initial-notification content of Commission Delegated Regulation (EU) 2025/301 Articles 1 and 2, the official major-incident report template in Annex I of Commission Implementing Regulation (EU) 2025/302, and the classification regime of Commission Delegated Regulation (EU) 2024/1772 Articles 1 to 8. Claim-schema corrections were applied where the profile diverged from the official initial-notification template.", "authoring_process": "actproof-events authoring process, eight-stage", "generated_at": "2026-05-23T16:00:00Z" }, "transparency_note_reference": "catalogue/acts/eu/dora/ict_incident_notification_initial.v1.transparency.md", "profile_status": { "maturity": "candidate", "since": "1.5-rc1", "summary": "Source-bound and reconciled against the hashed DORA, RTS, ITS, and classification sources, with conformance vectors published. Held at candidate while the conformance vector set is broadened and the receipt manifest shape is finalised." } }