ACCEND Sàrl-s

Publication of final draft technical standards and Implementing Technical Standards on notification of major incidents and Cyber Threats

  • 17 July 2024 by
    Stéphane Le Roy

    In today’s rapidly evolving digital landscape, operational resilience has never been more critical, especially within the financial sector. As we continue to navigate the complexities of cybersecurity threats and ICT-related incidents, staying ahead with robust reporting standards is paramount. I am thrilled to share significant updates regarding the new incident reporting standards under the Digital Operational Resilience Act (DORA), which aim to fortify our collective defence mechanisms across the European financial sector.

    What is DORA?

    DORA (Digital Operational Resilience Act) introduces a comprehensive framework designed to harmonise and streamline the reporting of ICT-related incidents and significant cyber threats for financial entities in the European Union. This regulation ensures that all financial entities adhere to a consistent and efficient reporting process, thereby enhancing the overall operational resilience of the financial system.

    Key Highlights of the New Reporting Standards

    1. Streamlined Reporting Process

    One of the most significant changes is the reduction in the number of reporting fields for initial notifications—from 84 to 59. This streamlining focuses on capturing the most critical information, enabling financial entities to allocate more resources to managing incidents effectively.

    2. Defined Reporting Timelines

    Clear and concise reporting timelines have been established to ensure timely communication with relevant authorities:

    • Initial Notification: Must be submitted within 4 hours of classifying an incident as major, but no later than 24 hours from becoming aware of it.
    • Intermediate Report: Due within 72 hours from the initial notification.
    • Final Report: To be submitted within one month from the latest intermediate report.

    These timelines are designed to balance the urgency of incident reporting with the need for thorough incident management.

    3. Proportionality and Specificity

    The new standards recognise the varying sizes and complexities of financial entities. Proportional reporting requirements ensure that smaller entities are not overburdened, particularly during weekends and bank holidays, while larger, systemic institutions maintain standard reporting timelines to ensure prompt action on significant incidents.

    4. Aggregated Reporting Capabilities

    Third-party providers can now submit aggregated reports on behalf of multiple financial entities. This approach not only reduces the reporting burden but also provides a comprehensive overview of incidents, particularly those originating from third-party services.

    Implications for the Financial Sector

    The adoption of these new standards marks a pivotal moment for the financial sector’s digital resilience. By adhering to these streamlined processes, financial entities can improve their incident response capabilities, ensuring timely and effective communication with supervisory authorities. This not only enhances individual organisational resilience but also strengthens the stability and security of the broader financial system.

    The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission, which will now start reviewing them with the objective of adopting these policy products in the coming months.

    The document can be found here: https://www.esma.europa.eu/sites/default/files/2024-07/JC_2024-33_-_Final_report_on_the_draft_RTS_and_ITS_on_incident_reporting.pdf

