Article 20 Digital Operational Resilience Act (DORA), Supervisory Feedback

Jul 21, 2024, by Sneha Naskar

Timely response to and reporting of ICT-related incidents is central to the operational resilience of financial entities. Under Article 17(1) of the Digital Operational Resilience Act (DORA), financial entities must report major ICT-related incidents to their competent authority. Article 20 closes the loop on that obligation: it sets out what the competent authority owes the reporting entity in return, and what the European Supervisory Authorities (ESAs) must publish from the reports they receive. Note on numbering: the article numbers used on this page follow the Commission's 2020 DORA proposal; in the adopted Regulation (EU) 2022/2554 the reporting obligation sits in Article 19 and supervisory feedback in Article 22, so check which text you are reading before citing a paragraph.


Acknowledgment and Feedback

On receipt of a major ICT-related incident report, the competent authority must promptly acknowledge it. The acknowledgment confirms to the reporting entity that the report has arrived and is being handled, which matters in practice because the entity's reporting deadlines and its own incident timeline depend on that confirmation. The competent authority must then provide feedback or guidance to the entity as quickly as possible. This feedback covers:

  • Discussion of Remedies: The competent authority discusses with the financial entity the remedies and corrective actions that can be applied at the level of the entity itself, with the aim of containing the incident and preventing its recurrence.
  • Minimizing Adverse Impacts: The competent authority also advises on ways to minimize adverse impact across the financial sector, for example by passing on anonymized information about similar threats so that other entities can act before they are affected and so that the response to a widespread threat is coordinated.
  • Communication of Expectations: Clear statements from the competent authority about what it expects in incident management and reporting tell the financial entity which standards it is being held to and what it must still deliver.

Yearly Reporting by ESAs

The ESAs, acting through the Joint Committee, monitor and analyze ICT-related incidents across the financial sector. Each year they must compile and publish a report on major ICT-related incidents, built from the details that competent authorities pass on to them. The report is anonymized and aggregated so that individual reporting entities cannot be identified while the sector still gets a usable picture of its ICT resilience. The annual report covers at least the following:

  • Number of Major ICT-Related Incidents: The number of major ICT-related incidents reported by financial entities over the year, which shows how frequent such incidents are across the sector.
  • Nature of Incidents: What kind of incidents occurred, including the types of threat involved and, where known, the weaknesses that were exploited. Reported this way, the data reveals recurring patterns and emerging trends.


  • Impact on Operations: The effect of the incidents on the operations of financial entities and on their customers, including the extent of service disruption and any financial or reputational damage.
  • Costs Incurred: The costs financial entities incurred in responding to and recovering from the incidents, covering direct costs such as remediation work as well as indirect costs such as lost business and lost customer trust.
  • Remedial Actions Taken: The remedial actions entities took in response, such as new security controls, updated ICT policies and procedures, and other measures that raise resilience.

High-Level Statistics and Warnings

Alongside the annual report, the ESAs must issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments. These give financial entities a sector-wide view of the threat landscape against which to judge their own exposure. They cover:

  • Threat Trends: Which kinds of attack are becoming more common and which parts of the sector are most exposed to them.
  • Vulnerability Assessments: Which weaknesses in ICT systems are actually being exploited, so that entities can prioritize their remediation effort on the areas that matter most.
  • Guidance on Mitigation: Mitigation strategies for the identified threats and vulnerabilities, including controls and practices that have proven effective at reducing risk.
  • Coordination with Other Authorities: Coordination with other regulatory and supervisory authorities so that incident management and reporting are handled consistently, including information sharing and joint initiatives to strengthen the resilience of the sector as a whole.

Taken together, these provisions make incident reporting a two-way exchange rather than a one-way filing. The competent authority's acknowledgment and timely feedback help the individual entity deal with the incident in front of it, while the ESAs' annual reporting, warnings and statistics turn the body of reports into sector-wide monitoring of ICT threats. Financial entities that meet these requirements strengthen their own operational resilience, protect their customers, and contribute to the stability and security of the financial sector as a whole.
