Article 18 Digital Operational Resilience Act (DORA), Harmonisation Of Reporting Content And Templates

Jul 21, 2024 by Sneha Naskar

Developing technical standards for ICT incident reporting is critical in ensuring a robust and resilient digital infrastructure within the financial sector. The European Supervisory Authorities (ESAs), in consultation with the European Union Agency for Cybersecurity (ENISA) and the European Central Bank (ECB), play a pivotal role in this process.

Harmonisation Of Reporting Content And Templates

Development Of Standards

The ESAs, through the Joint Committee and in consultation with ENISA and the ECB, are tasked with developing comprehensive technical standards to streamline the reporting of major ICT-related incidents. This initiative encompasses two primary areas:

  • Common Draft Regulatory Technical Standards: These standards are designed to:
    • Establish the Content Required for Reporting: This involves defining the specific information that must be included when reporting major ICT-related incidents. The aim is to ensure that all reports are detailed and consistent, providing the necessary data for accurate assessment and response.
    • Conditions for Delegating Reporting Obligations: The standards will specify the conditions under which financial entities can delegate their reporting obligations to third-party service providers. This delegation is subject to prior approval by the competent authority, ensuring that the process remains controlled and compliant with regulatory requirements.
  • Common Draft Implementing Technical Standards: These standards will:
    • Establish Standard Forms, Templates, and Procedures: This involves creating uniform reporting formats and procedures to be used by all financial entities. Standardization helps in ensuring clarity, consistency, and efficiency in the reporting process.

Submission to the Commission

The ESAs are required to submit the common draft regulatory technical standards and the common draft implementing technical standards to the European Commission within one year after the date of entry into force of the Regulation. This deadline ensures that the standards are developed and adopted promptly, so that a harmonised ICT incident reporting framework is in place when the reporting obligations themselves begin to apply.

Regulatory Technical Standards

The Commission is empowered to supplement the Regulation by adopting the common regulatory technical standards developed by the ESAs. This adoption process is governed by Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (the founding regulations of the EBA, EIOPA and ESMA respectively). These articles set out the procedural framework for drafting, consulting on, endorsing and, where necessary, amending or rejecting regulatory technical standards, ensuring that they are thorough, well-considered, and effective.


Implementing Technical Standards

In addition to the regulatory technical standards, the Commission is also empowered to adopt the common implementing technical standards. This adoption is conducted in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010. Whereas the regulatory technical standards define what must be reported, the implementing technical standards focus on the practical aspects of reporting, providing the standard forms, templates and procedures that financial entities must use when reporting ICT-related incidents.

Importance Of Technical Standards

The development and implementation of these technical standards are crucial for several reasons:

  • Consistency and Uniformity: By establishing common standards, the ESAs ensure that all financial entities report ICT-related incidents in a consistent and uniform manner. This consistency is vital for accurately assessing and responding to incidents across the sector.
  • Clarity and Precision: The standards provide clear guidelines on what information needs to be reported and how it should be presented. This clarity helps in reducing ambiguities and ensuring that the reported data is precise and actionable.
  • Efficiency and Effectiveness: Standardized reporting procedures enhance the efficiency of the reporting process. Financial entities can follow a well-defined procedure, making the process more streamlined and effective.
  • Regulatory Compliance: The standards ensure that financial entities remain compliant with regulatory requirements. By adhering to these standards, entities can avoid potential penalties and maintain their reputational integrity.
  • Enhanced Incident Response: With detailed and standardized reporting, regulatory authorities can respond to ICT-related incidents more effectively. The availability of comprehensive data enables them to take timely and appropriate actions to mitigate the impact of incidents.

The role of the ESAs, in collaboration with ENISA and the ECB, in developing technical standards for ICT incident reporting is instrumental in strengthening the digital operational resilience of financial entities. These standards ensure that reporting processes are consistent, clear, and efficient, enhancing the overall ability of the financial sector to respond to ICT-related incidents. The delegated powers of the Commission to adopt these standards further ensure that they are implemented effectively, contributing to a robust regulatory framework. Through these efforts, financial entities can better manage ICT risks, ensuring the continuity and security of their operations in an increasingly digital landscape.
