Article 21, Centralisation Of Reporting Of Major ICT-Related Incidents, Digital Operational Resilience Act (DORA)

Overview

1. The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The joint report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.

2. The joint report referred to in paragraph 1 shall comprise at least the following elements:

(a) prerequisites for the establishment of a single EU Hub;

(b) benefits, limitations and risks, including risks associated with the high concentration of sensitive information;

(c) the necessary capability to ensure interoperability with regard to other relevant reporting schemes;

(d) elements of operational management;

(e) conditions of membership;

(f) technical arrangements for financial entities and national competent authorities to access the single EU Hub;

(g) a preliminary assessment of financial costs incurred by setting-up the operational platform supporting the single EU Hub, including the requisite expertise.

3. The ESAs shall submit the report referred to in paragraph 1 to the European Parliament, to the Council and to the Commission by 17 January 2025.

Summary Of Article 21

Article 21 of the Digital Operational Resilience Act (DORA) focuses on the potential centralization of reporting for major ICT-related incidents. The European Supervisory Authorities (ESAs), in collaboration with ENISA and the ECB, are tasked with preparing a report that explores the feasibility of creating a single EU hub for financial entities to report such incidents. This report will assess the prerequisites, benefits, limitations, risks, and financial costs involved in establishing the hub, as well as its operational management, technical requirements, and the conditions for membership. The goal is to improve the efficiency of reporting, reduce costs, and enhance supervisory convergence. The joint report is due by 17 January 2025.