DORA – ICT-related incidents
ICT-related incidents
The management, classification and reporting of incidents relating to information and communication technology (ICT-related incidents) are defined in the Digital Operational Resilience Act (DORA).
Processes
Financial entities are required to establish the necessary processes for managing ICT-related incidents. Early warning indicators must also be put in place, responsibilities assigned, procedures determined, contact lists and communication plans prepared, and evidence secured.
Classification
An ICT-related incident is classified as major where critical services are adversely impacted and where one of the following conditions is met:
- Any successful, malicious and unauthorised access occurs to network and information systems, where such access may result in data losses.
- Two or more of the respective materiality thresholds are reached with regard to the following criteria:
  - affected customers or financial counterparties or transactions
  - reputational impact
  - incident duration and service downtime
  - geographical spread
  - impact on the availability, authenticity, integrity or confidentiality of data
  - economic impact
Recurring incidents that do not meet the criteria for a major ICT-related incident on an individual basis may be subject to reporting requirements as major incidents when a cumulative view is taken.
Incident Reporting
Initial notifications, intermediate reports and final reports are stipulated. Mandatory reporting requirements to the Financial Market Authority (FMA) apply for ICT-related incidents classified as major. In addition, reports may also be made on a voluntary basis about significant cyber threats.
The FMA in any case forwards the reports that it receives to the respective European Supervisory Authority (European Banking Authority (EBA), European Securities and Markets Authority (ESMA) or European Insurance and Occupational Pensions Authority (EIOPA)) and as applicable to the European Central Bank (ECB) and the Network and Information Systems Security Authority (NIS Authority). Receipt of every individual report is confirmed to the financial entity that has made the submission. The FMA may also pass on responses or general guidance to the financial entity.
Questions and Answers
The Final Report of the draft Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents states the following deadlines:
Initial notification
The initial notification shall be submitted as early as possible, within 4 hours of classification of the incident as major, but no later than 24 hours from becoming aware of the incident. See Article 6(1a) of the draft Regulatory Technical Standards.
Intermediate report
An intermediate report shall be submitted at the latest within 72 hours from the submission of the initial notification, or when regular activities have been recovered (Article 6(1)(b) Draft RTS). It shall also be submitted as soon as the status of the original incident has changed significantly or the handling of the major ICT-related incident has changed based on new information available, followed, as appropriate, by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority (Article 19(4) DORA).
Final report
The final report shall be submitted no later than one month from the submission of the latest updated intermediate report (Article 6(1)(c) Draft RTS).
Provisions for weekends and public holidays
Where the time limit for submission falls on a weekend or a public holiday the extension of the deadline until noon of the next working day is permitted for certain financial entities (Article 6 (4) and (5) Draft RTS).
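The classification rule above (critical services impacted, plus either malicious unauthorised access that may result in data loss or two or more materiality thresholds reached), the cumulative-recurrence rule, and the three reporting deadlines with their weekend and public-holiday extension can be encoded as a small triage helper. The following is an added illustration written for this page; it is not FMA tooling or part of the RTS. The criterion names, the naive local-time timestamps, the constructed sample incident data and the assumption that "six months" and "one month" are calendar months are all choices made here; the public-holiday list must be supplied by the caller.

```python
"""Triage helpers for DORA ICT-related incidents (added illustration, not FMA code)."""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Criteria whose materiality thresholds count towards the "two or more" test.
# Names are assumptions chosen for this example.
CRITERIA = frozenset({
    "clients_counterparties_transactions",
    "reputational_impact",
    "duration_and_downtime",
    "geographical_spread",
    "data_impact",            # availability, authenticity, integrity or confidentiality of data
    "economic_impact",
})


@dataclass(frozen=True)
class IncidentAssessment:
    critical_services_impacted: bool
    malicious_unauthorised_access_with_possible_data_loss: bool = False
    thresholds_reached: frozenset = frozenset()


def is_major(a: IncidentAssessment) -> bool:
    """Classify an individual incident as major (True) or not (False)."""
    if not a.critical_services_impacted:
        return False
    if a.malicious_unauthorised_access_with_possible_data_loss:
        return True
    unknown = a.thresholds_reached - CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return len(a.thresholds_reached) >= 2


def add_months(d, months):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def recurring_candidates(occurrences):
    """Root causes that occurred at least twice within six months of each other.

    This only flags candidates for a cumulative assessment; whether the cumulative
    incident then meets the major-incident criteria is a separate judgement.
    """
    by_cause = {}
    for cause, when in occurrences:
        by_cause.setdefault(cause, []).append(when)
    flagged = set()
    for cause, dates in by_cause.items():
        dates.sort()
        # In a sorted list the closest pairs are consecutive, so checking them suffices.
        for earlier, later in zip(dates, dates[1:]):
            if later <= add_months(earlier, 6):
                flagged.add(cause)
                break
    return flagged


def apply_weekend_extension(deadline, public_holidays=frozenset()):
    """Move a deadline on a weekend or public holiday to 12:00 of the next working day."""
    d = deadline.date()
    if d.weekday() < 5 and d not in public_holidays:
        return deadline
    while d.weekday() >= 5 or d in public_holidays:
        d += timedelta(days=1)
    return datetime.combine(d, time(12, 0))


def reporting_deadlines(aware_at, classified_at, initial_submitted_at=None,
                        last_intermediate_submitted_at=None,
                        extension_eligible=False, public_holidays=frozenset()):
    """Latest permitted submission times for the initial, intermediate and final reports.

    The event-driven triggers (recovery of regular activities, significant status
    changes, requests from the competent authority) are not computed here.
    """
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = initial_submitted_at + timedelta(hours=72) if initial_submitted_at else None
    final = add_months(last_intermediate_submitted_at, 1) if last_intermediate_submitted_at else None
    result = {"initial": initial, "intermediate": intermediate, "final": final}
    if extension_eligible:  # relief applies only to certain financial entities
        result = {k: apply_weekend_extension(v, public_holidays) if v else v for k, v in result.items()}
    return result


# Constructed sample data for the demonstration (not real incidents).
SAMPLE_AWARE_AT = datetime(2025, 3, 7, 9, 0)         # Friday morning
SAMPLE_CLASSIFIED_AT = datetime(2025, 3, 7, 21, 0)   # classified as major late Friday
SAMPLE_INITIAL_SUBMITTED = datetime(2025, 3, 7, 23, 30)
SAMPLE_LAST_INTERMEDIATE = datetime(2025, 3, 10, 20, 0)
SAMPLE_OCCURRENCES = [
    ("payment gateway certificate expiry", date(2025, 1, 15)),
    ("payment gateway certificate expiry", date(2025, 6, 20)),
    ("batch job scheduling error", date(2025, 2, 1)),
]

if __name__ == "__main__":
    a = IncidentAssessment(True, False, frozenset({"reputational_impact", "duration_and_downtime"}))
    print("major:", is_major(a))
    print("recurring candidates:", recurring_candidates(SAMPLE_OCCURRENCES))
    for name, when in reporting_deadlines(SAMPLE_AWARE_AT, SAMPLE_CLASSIFIED_AT, SAMPLE_INITIAL_SUBMITTED,
                                          SAMPLE_LAST_INTERMEDIATE, extension_eligible=True).items():
        print(f"{name}: {when}")
```

With the sample data the initial-notification deadline is the earlier of "classification plus 4 hours" and "awareness plus 24 hours", which lands at 01:00 on Saturday; for an entity eligible for the relief it moves to 12:00 on Monday, while the 72-hour intermediate deadline already falls on a working day and is unchanged.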
Yes, in particular, please see Annex I of the Final Report on the draft Implementing Technical Standards on the standard forms, templates and procedures for financial entities to report a major incident and to notify a significant cyber threat.
The FMA’s Incoming Platform will generally be used as a notification channel for submitting reporting forms.
If it is not technically possible to submit the initial notification using the template, the financial entities shall notify this to the competent authority by other means (Article 19(1) DORA). The FMA is making such an alternative available.
Major incidents are defined more clearly in particular in Article 8 of Delegated Regulation (EU) 2024/1772 specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.
On a cumulative basis recurring incidents may also be subject to reporting requirements as major incidents, where they are based on the same root cause, and have occurred at least twice within six months (Article 8 (2) of Delegated Regulation (EU) 2024/1772).
Article 10 of Delegated Regulation (EU) 2024/1772 defines the materiality thresholds for determining significant cyber threats.
The competent authority confirms receipt of every report and may, where feasible, provide in a timely manner relevant and proportionate feedback or high-level guidance to the financial entity, in particular by making available any relevant anonymised information and intelligence on similar threats, and may discuss remedies applied at the level of the financial entity and ways to minimise and mitigate adverse impact across the entire financial sector (Article 22(1) DORA).
The three European Supervisory Authorities (ESAs) report yearly through the Joint Committee, on an anonymised and aggregated basis on major ICT-related incidents, the details of which shall be provided by competent authorities in accordance with Article 19(6) DORA, setting out at least the number of major ICT-related incidents, their nature and their impact on the operations of financial entities or clients, remedial actions taken and costs incurred (Article 22(2) DORA).
The ESAs shall issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments (Article 22(2) DORA).
The FMA also plans to publish information about the reports received on an anonymised and aggregated basis.
Financial entities are required to draw up communications plans, as appropriate, that enable the responsible disclosure of, at least, major ICT-related incidents or vulnerabilities towards clients and other financial entities as well as to the public (Article 14(1) DORA).
In the case of clients’ financial interests being impacted, clients are to be informed about the ICT-related incident and the measures taken to mitigate the adverse impact. Financial entities shall, as applicable, also inform their potentially affected clients in the event of a significant cyber threat of any appropriate protection measures that clients may consider taking (Article 19(3) DORA).
Regarding the reporting of a major incident, authenticity is described in terms of the trustworthiness of the source of data having been compromised (Article 5(b) of Delegated Regulation (EU) 2024/1772 specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents).
Reporting requirements must be observed. Confirmations of receipt from the FMA will be sent out after submission, regardless of the day of the week.
See Article 6 of Delegated Regulation (EU) 2024/1772 in this regard, as well as Article of Delegated Regulation (EU) 2024/1772 on the question of whether an incident constitutes a major incident as defined in DORA.
Recital 23 of DORA explains that the administrative burden and potentially duplicative reporting obligations are intended to be reduced for certain financial entities, and therefore that the requirement for incident reporting under Directive (EU) 2015/2366 (PSD2) shall no longer apply for payment service providers that fall within the scope of DORA.
Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) PSD2, should, from the date of application of DORA, report pursuant to DORA, all operational or security payment-related incidents that were previously reported pursuant to PSD2.
With reference to the SSM Cyber Incident Reporting Framework it should be noted that the ECB already stated in its opinion dated 04.06.2021 about the proposed DORA Regulation in Point 4.2.1 that replacing such reports with DORA reports should be considered.
DORA also constitutes a lex specialis in relation to Directive (EU) 2022/2555 (NIS2 Directive). Therefore Article 19 DORA reports will be forwarded by the FMA to the NIS authority.
The reporting template will be made available via the Incoming Platform, as soon as a final version is available. It will be possible to test notifications from this point in time (expected during the 2nd half of December 2024).
The FMA is required to forward reports regarding ICT-related incidents pursuant to Article 19 (6) point e DORA to the ECB where the reporting party is a credit institution, payment institution or an e-money institution. Financial entities are accordingly not required to submit any additional notification to the ECB.
No. Reports are forwarded to the institutions listed in Article 19 (6) DORA.
The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.
Legal bases
Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.