ICT Incident Reporting under DORA

Chapter III of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) is dedicated to the management, classification and reporting of ICT-related incidents.

Chapter III DORA (Art. 17 to 23 DORA) is accompanied by two sets of technical standards mandated in Art. 20 DORA: RTS under Art. 20 (a) DORA determining the content of reports on major ICT-related incidents (Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents), and ITS under Art. 20 (b) DORA specifying the details of reporting on major ICT-related incidents (Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat).

The European Supervisory Authorities (EBA, ESMA and EIOPA) held a public consultation on these RTS/ITS from 8 December 2023 to 4 March 2024. The consultation responses were then evaluated by the European working groups, with the aim of submitting the final drafts to the European Commission by 17 July 2024, the deadline set in Art. 20 DORA.

Both final drafts have been available online since 17 July 2024 (JC 2024 33 – Final Report on the draft RTS and ITS on incident reporting (EN)).

Main Provisions of Chapter III DORA on Incident Reporting

The core content of Chapter III DORA is the obligation of financial entities in the European Union to establish a process for handling ICT-related incidents, and to monitor, log and, where required, report ICT-related incidents.

The reporting obligations of financial entities concern ICT-related incidents and, in particular, major ICT-related incidents. An ICT-related incident is defined in Art. 3 no. 8 DORA as a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity. According to Art. 3 no. 10 DORA, a major ICT-related incident is an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity. The qualifier "major" therefore depends on two things: the severity of the impact and whether the affected systems support critical or important functions.

Art. 17 DORA first sets out the ICT-related incident management process, i.e. how financial entities must detect, manage and follow up on ICT-related incidents; incident reporting builds on this process.

According to Art. 18 DORA, financial entities must classify ICT-related incidents and cyber threats. The criteria to be considered include the number and/or relevance of clients or financial counterparts affected (for example, customers who cannot use a service), where applicable the amount and number of transactions affected, and whether the incident has caused reputational impact (e.g. media coverage); the duration of the ICT-related incident, including service downtime; the geographical spread of the areas affected by the ICT-related incident; any loss of availability, authenticity, integrity or confidentiality of data caused by the ICT-related incident; the criticality of the services affected, including the financial entity's transactions and operations; and the economic impact of the ICT-related incident, in particular direct and indirect costs and losses, in both absolute and relative terms.

These criteria are specified in Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.

If the classification of an ICT-related incident results in its being categorised as major, the financial entity is obliged to report it to the relevant competent authority within the time limits laid down in the RTS.

RTS for determining the content of reporting of major ICT incidents in accordance with Art. 20 (a) DORA

The RTS (final draft dated 17 July 2024) specifies the reporting procedure in the event of a major ICT-related incident. It covers the content of the initial notification, the intermediate report and the final report, the time limits for submitting each of them, and the content of voluntary notifications of significant cyber threats.

Forms, templates and reporting procedures are governed by the ITS (final draft dated 17 July 2024). The relevant templates are contained in Annex I (Templates for the reporting of major incidents), Annex II (Data glossary and instructions for the reporting of major incidents) and Annex III (Templates for notification of significant cyber threats).
