Article 17 Digital Operational Resilience Act (DORA), Reporting of Major ICT-related Incidents

by Sneha Naskar

Financial entities now depend on ICT for almost every operation, so the ability to detect, classify and report ICT-related incidents quickly and accurately is essential. The Digital Operational Resilience Act (DORA) sets out stringent requirements for reporting major ICT-related incidents so that supervisors learn of them promptly, affected clients are kept informed, and the financial sector as a whole can respond in a coordinated way.

Reporting of Major ICT-related Incidents

Reporting To Competent Authorities

Financial entities are required to report major ICT-related incidents to the relevant competent authority referred to in Article 41 of DORA. This ensures that regulators are informed promptly and can act to mitigate risks to the financial system. The reporting obligation has three main elements:

  • Timely Reporting: Entities must meet specific deadlines for reporting major incidents: an initial notification, followed by an intermediate report and a final report.
  • Use of Templates: Reports must follow the harmonised templates developed under Article 18, so that every submission is consistent and complete.
  • Content of Reports: Each report must contain all information the competent authority needs to determine the significance of the incident and to assess any cross-border impact. This allows supervisors to understand the scope of the incident and to coordinate a response where necessary.

Informing Service Users and Clients

In addition to reporting to authorities, financial entities must inform their service users and clients where a major ICT-related incident has, or may have, an impact on their financial interests. This communication must be timely and transparent:

  • Prompt Communication: Entities must inform users and clients without undue delay about the incident, and as soon as possible about the measures taken to mitigate its adverse effects.
  • Transparency: Keeping clients informed of the risks they face and of the entity's response maintains trust and limits reputational damage.

Submission Timelines

The article sets out strict deadlines for submitting each report to the competent authority. Note that the deadlines below are those of the Commission's original DORA proposal; in the adopted text, Regulation (EU) 2022/2554, the reporting provision became Article 19 and the precise time limits are laid down in regulatory technical standards rather than in the Regulation itself, so practitioners should check the applicable technical standards for the deadlines currently in force.

  • Initial Notification: Submitted without delay, and no later than the end of the business day on which the incident was identified. If the incident occurred later than two hours before the end of the business day, the notification is due within four hours from the start of the next business day. If the reporting channels are unavailable, the notification must be submitted as soon as they become available again.
  • Intermediate Report: Submitted no later than one week after the initial notification, followed by updated notifications whenever a relevant status update is available or the competent authority specifically requests one.
  • Final Report: Submitted once the root cause analysis is complete and actual impact figures are available to replace the initial estimates, and in any case no later than one month after the initial notification was sent.

Delegation Of Reporting Obligations

Financial entities may delegate their reporting obligations to a third-party service provider, but only with the approval of the relevant competent authority referred to in Article 41. Delegation can make reporting more manageable, particularly during complex incidents that span several providers. It does not remove the need for oversight: the entity must still ensure that the provider classifies incidents correctly, meets the deadlines above, and submits complete reports in the required templates.

Competent Authority Actions

Upon receiving an incident report, the competent authority must promptly forward its details to the other relevant bodies:

  • European Supervisory Authorities: The competent authority must provide the details to the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) or the European Insurance and Occupational Pensions Authority (EIOPA), as appropriate for the type of financial entity.
  • European Central Bank (ECB): For certain categories of financial entity, the ECB must also be informed so that action can be coordinated within the European System of Central Banks.
  • Designated Contact Points: The competent authority must notify the single point of contact designated under Article 8 of Directive (EU) 2016/1148 (the NIS Directive), enabling a coordinated response across Member States.

Assessment and Notification

The European Supervisory Authorities (EBA, ESMA or EIOPA) and the ECB then assess whether the incident is relevant to other public authorities and notify them as soon as possible. This coordinated assessment and notification process serves two purposes:

  • Coordinated Response: Ensuring that every relevant authority is informed allows a unified and effective response to the incident.
  • Stability Measures: Where the incident poses an immediate threat to the stability of the financial system, competent authorities take the measures needed to protect it.

The reporting requirements DORA imposes for major ICT-related incidents underline the importance of transparency, timeliness and coordination in managing ICT risk across the financial sector. By meeting them, financial entities strengthen their own operational resilience, maintain client trust and contribute to the stability of the wider financial system, ensuring that incidents are reported and addressed promptly and that their impact is contained.