Reporting Circumstances under DORA

This page contains further information about the specific reporting circumstances under DORA that can be submitted via the Incoming Platform:

Note: Since 17 January 2025, the reporting obligation for major ICT-related incidents under Article 19 (1) DORA has replaced the reporting obligation in relation to major operational or security incidents under Article 86 para. 1 ZaDiG 2018 that previously applied for payment service providers.

In the event of a major ICT-related incident, financial undertakings are required to notify the FMA without delay via the Incoming Platform. Where the incident affects or might affect the financial interests of payment service users, these users are required to be informed without delay.

Reporting of major ICT-related incidents under Article 19 (1) DORA

  • Financial undertakings must report major ICT-related incidents to the FMA.
  • Significant credit institutions (SIs) must also submit reports to the FMA, with the FMA forwarding them to the ECB without delay.

DORA constitutes a lex specialis to NIS/NIS2. The reporting obligation under Article 19 (1) DORA therefore also meets the requirements under NIS/NIS2. The FMA forwards reports to the competent NIS authority.

Classification of an incident as major

  • The classification occurs pursuant to Article 18 (1) DORA in conjunction with Delegated Regulation (EU) 2024/1772.

Types of reports

  • Initial notification
  • Intermediate report
  • Final report

Deadlines

  • On weekends and public holidays, extended reporting deadlines apply, running until 12:00 on the following working day (this does not apply to credit institutions that are classified as essential or important entities pursuant to Article 3 of Directive (EU) 2022/2555).

Submission of reports

  • via the FMA Incoming Platform (for registered users)
    • The form is available on the Incoming Platform.
    • Path for reporting major ICT-related incidents:
      • Menu “DORA” > “Neue Meldung” > “Neue Meldung eines schwerwiegenden IKT-bezogenen Vorfalls”
    • Path for the statement about required information:
      • Menu “Einbringungen” > “Neue Einbringung” > “Banken” > “DORA” > “Allgemein” > “Stellungnahme zu schwerwiegendem IKT-bezogenen Vorfall”
  • Alternative reporting channel (in the event of technical problems)
    • Financial undertakings should contact their FMA single point of contact (SPOC).
    • In this case, the report is made using a secure data transfer application.

Consolidated reports

  • Reports may be made at group level.
  • Data centres may continue to make reports for supervised entities.
  • LSIs: Consolidated reports are possible.
  • SIs, operators of trading venues and central counterparties: Consolidated reports are generally not intended to be made; however, the FMA does permit technically consolidated reports for SIs. Contact with the SPOC is necessary to obtain a special reporting template.

Onward transmission to relevant authorities

  • The FMA transmits reports on to ESAs, ECB and the NIS authority.

Statement in relation to open issues

  • Where necessary, the FMA may request a statement in accordance with Article 70 para. 1 no. 1 BWG.
  • The statement must also be submitted via the Incoming Platform (Menu “Einbringungen”).

Financial entities may report significant cyber threats to the FMA on a voluntary basis, where they are of the opinion that there is a relevant threat for the financial system, users of the service, or customers. In the event that the information is relevant for the entire Austrian financial sector, the FMA considers an (anonymised) publication on the FMA website on a case-by-case basis.

Classification of cyber threats as significant

  • Based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk (Article 18 (2) DORA in conjunction with Article 10 of Delegated Regulation (EU) 2024/1772).

Submission

  • FMA Incoming Platform (for registered users)
    • The form is available on the Incoming Platform.
    • Path for submission: Menu “DORA” > “Neue Meldung” > “Freiwillige Meldung erheblicher Cyberbedrohungen”.

Under Article 28 para. 3 last sentence DORA, a planned contractual arrangement on the use of ICT services supporting critical or important functions is required to be notified to the FMA. Furthermore, the FMA is also to be notified when a function has become critical or important in conjunction with a planned contractual arrangement.

Where applicable, an outsourcing notification pursuant to Article 25 para. 5 BWG is also required in addition to a notification pursuant to Article 28 (3) final sentence DORA. It is possible to submit both notifications through a single form via the FMA Incoming Platform.

  • Deadline:
    • The notification is required to be submitted to the FMA within four weeks of the resolution being passed.
    • Where an outsourcing notification pursuant to Article 25 para. 5 BWG is also required in addition to an ex-ante notification in accordance with the final sentence of Article 28 (3) DORA, the notification is required to be submitted at least four weeks prior to the planned conclusion of the contract.
  • Competence for Significant Institutions (SIs):
    • The ECB is solely competent for ex-ante notifications under DORA and outsourcings. Submissions should be made exclusively to the ECB.

Submission

  • FMA Incoming Platform (for registered users)
    • The form is available on the Incoming Platform.
    • Path for a notification pursuant to Article 28 (3) final sentence DORA without an outsourcing notification pursuant to Article 25 para. 5 BWG: Menu “Einbringungen” > “Neue Einbringung” > “Banken” > “DORA” > “Anzeige gemäß Art. 28 Abs. 3 letzter Satz DORA”.
    • Path for a notification pursuant to Article 28 (3) final sentence DORA with a simultaneous outsourcing notification pursuant to Article 25 para. 5 BWG: Menu “Einbringungen” > “Neue Einbringung” > “Banken” > “Bankwesengesetz” > “§ 25” > “§ 25 Abs. 5 (optional inkl. Art. 28 Abs. 3 DORA)”.

Financial entities are required to keep and constantly update a register of information that refers to contractual arrangements on the use of ICT services provided by ICT third-party service providers.

  • Deadline:
    • Financial entities are required to report at least yearly to the FMA on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
    • The register of information is required to be drawn up with a reference date of 31.03.2025.
    • The reporting of the register of information to the FMA is required to take place between 1st and 11th April 2025.
    • Significant credit institutions do not submit the report to the FMA.
    • The FMA itself is required to submit the register of information to the ESAs by 30.04.2025.

Submission

  • FMA Incoming Platform (for registered users)
    • An Excel file drawn up by the FMA will be made available by the FMA in February 2025 via the Incoming Platform.

The FMA will send out detailed information about the register of information to the entities in question in February 2025.

You can find further information on the FMA’s DORA website. The European Commission website also contains an overview of the current status of the legal specifications relating to DORA.