Pre-drafted dual-regime and multi-regime reporting templates are maintained by the incident response team. Shared fields common to all regimes (entity identity, system identity, timeline of events, nature and scope, containment actions, initial impact assessment) are populated once from the shared incident fact sheet. Regime-specific fields are completed separately as each reporting deadline approaches.

The templates reduce preparation time when multiple reporting deadlines are running concurrently. For a financial entity subject to DORA, NIS2, and the AI Act simultaneously, the four-hour DORA deadline leaves no time for drafting from scratch. DORA requires the incident classification under Article 18’s criteria and the financial impact assessment. NIS2 requires the number of users affected and the cross-border impact. Article 73 requires the suspected causal link and the fundamental rights dimension. CRA requires the vulnerability details and affected product versions.

The Legal and Regulatory Advisor reviews and approves all templates. Templates are tested during the annual tabletop exercises to confirm they remain current and complete.

Key outputs

• Pre-drafted templates with shared fields and per-regime annexes
• Templates for DORA, NIS2, CRA, and Article 73 reporting
• Annual testing during tabletop exercises
• Module 9 AISDP documentation