Quickly understand your incident reporting requirements under DORA
On 23 October 2024 the European Commission (EC) adopted two new technical standards under the Digital Operational Resilience Act (DORA): a regulatory technical standard (RTS) and an implementing technical standard (ITS). Together they specify the content of, and the time limits for, reports of major ICT-related incidents:
- Regulatory Technical Standard (RTS) on harmonisation of incident reporting
- Implementing Technical Standard (ITS) on harmonisation of incident reporting templates
Summary of Incident Reporting Requirements Under DORA
The RTS sets out the harmonised requirements that financial entities must follow when reporting major ICT-related incidents to their competent authorities under the Digital Operational Resilience Act (DORA). Key obligations include:
1. Prompt Notifications:
- Initial Notification: Financial entities must notify their competent authority as soon as possible, and no later than four hours after classifying an ICT-related incident as major; in any case the notification must be made within 24 hours of the entity becoming aware of the incident.
- Intermediate Report: Due within 72 hours of submitting the initial notification. It updates the details already provided and must be submitted even if the incident's status has not changed.
- Final Report: To be submitted within one month of submitting the intermediate report, including the root cause analysis, details of the resolution, and an impact assessment.
2. Content Requirements:
- Reports must contain specified data, including the type of incident, affected areas, detection time, impact, and actions taken for resolution.
- Voluntary notifications of significant cyber threats require a reduced set of information.
3. Flexibility & Proportionality:
- Reporting timeframes take account of weekends and public holidays, and of the nature of the reporting entity (for example, microenterprises may have adjusted obligations).
- Authorities may adjust reporting obligations for entities deemed systemically important.
4. Data Protection:
- All incident reporting must comply with relevant data protection regulations.
The aim is to ensure the timely communication of major ICT incidents, balanced with firms' ability to manage and resolve crises effectively.
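The three time limits above chain together, and the two bounds on the initial notification interact in a way that is easy to get wrong in an incident runbook: the four-hour clock starts at classification, but the 24-hour clock started earlier, at awareness, and whichever expires first is the real deadline. The following Python helper is an added example written for this page; it is not part of the original article and is not Adoptech's workflow. It assumes all timestamps are timezone-aware, reads "one month" as a calendar month clamped to the month end (an assumption, not something the page states), and deliberately does not model the weekend, public-holiday or proportionality adjustments mentioned above, which depend on your competent authority's rules.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Time limits as summarised on this page. Weekend/bank-holiday and
# proportionality adjustments are deliberately NOT modelled here.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def _as_utc(ts: datetime, name: str) -> datetime:
    """Refuse naive timestamps: an hours-based deadline is only meaningful when
    every timestamp carries an explicit UTC offset."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp that includes an offset, e.g. 2025-03-10T08:00:00+00:00."""
    return _as_utc(datetime.fromisoformat(text), "timestamp")


def initial_notification_deadline(awareness: datetime, classification: datetime) -> datetime:
    """Earlier of: 4h after classifying the incident as major, 24h after first
    becoming aware of it. The tighter bound wins, so a slow classification
    cannot push the deadline past awareness + 24h."""
    awareness = _as_utc(awareness, "awareness")
    classification = _as_utc(classification, "classification")
    if classification < awareness:
        raise ValueError("classification cannot precede awareness")
    return min(classification + INITIAL_AFTER_CLASSIFICATION,
               awareness + INITIAL_AFTER_AWARENESS)


def intermediate_report_deadline(initial_submitted: datetime) -> datetime:
    """72h from the actual submission of the initial notification (not from its deadline)."""
    return _as_utc(initial_submitted, "initial_submitted") + INTERMEDIATE_AFTER_INITIAL


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month arithmetic, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb). Reading "one month" as a calendar month rather than
    30 days is an assumption made in this example."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def final_report_deadline(intermediate_submitted: datetime) -> datetime:
    """One month from the actual submission of the intermediate report."""
    return add_one_month(_as_utc(intermediate_submitted, "intermediate_submitted"))


def reporting_timeline(awareness, classification, initial_submitted=None, intermediate_submitted=None) -> dict:
    """Chain the three deadlines. Later deadlines run from real submission
    times, so they stay None until that submission has happened."""
    initial_due = initial_notification_deadline(awareness, classification)
    timeline = {
        "initial_due": initial_due,
        "initial_late": None,
        "intermediate_due": None,
        "final_due": None,
    }
    if initial_submitted is not None:
        submitted = _as_utc(initial_submitted, "initial_submitted")
        timeline["initial_late"] = submitted > initial_due
        timeline["intermediate_due"] = intermediate_report_deadline(submitted)
    if intermediate_submitted is not None:
        timeline["final_due"] = final_report_deadline(intermediate_submitted)
    return timeline


if __name__ == "__main__":
    # Constructed sample timestamps (not a real incident). Classification comes
    # about 22h after awareness, so the 24h awareness bound is the one that binds.
    tl = reporting_timeline(
        awareness=parse_ts("2025-03-10T08:00:00+00:00"),
        classification=parse_ts("2025-03-11T06:00:00+00:00"),
        initial_submitted=parse_ts("2025-03-11T07:30:00+00:00"),
    )
    for key, value in tl.items():
        print(f"{key:17} {value}")
```

Keying the intermediate and final deadlines on actual submission times rather than on the previous deadline matters: submitting the initial notification early does not buy extra time later, and submitting it late moves the 72-hour window rather than shortening it. Feed the awareness timestamp from your ticketing or SIEM record, not from the moment someone opened the regulatory report.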
Reporting of ICT-related Incidents
1. Utilise the Standardised Reporting Template
To streamline communication and ensure consistency, all financial entities must use the standardised reporting template outlined in the regulation. This template must be applied across the initial notification, intermediate report, and final report stages. Here's how to approach it:
- Initial Notification: Provide all mandatory fields as specified, with the option to fill in additional details if available for later stages.
- Intermediate Report: Continue updating the data fields, including any new or corrected information.
- Final Report: Ensure comprehensive reporting by completing all data fields, reflecting the incident’s resolution and analysis.
Using Adoptech’s workflow you can generate the incident reports in the format stipulated under DORA. Contact your project manager for support.
2. Be Ready to Update Information
Incident reporting is not static. As a situation evolves, so does the available data. Entities must correct or update information submitted in earlier reports when they file the intermediate or final report. This also allows an incident to be reclassified from "major" to "non-major" if a later review shows that the classification criteria were not met.
3. Handling Recurring or Aggregated Incidents
Sometimes, smaller, recurring incidents can collectively meet the criteria for a major incident. In such cases, report these incidents in an aggregated form, providing a holistic view of their cumulative impact. If a third-party ICT service provider causes an incident affecting multiple entities, a consolidated report can be submitted, provided:
- The incident is classified as major by all affected entities.
- Reporting covers financial entities within a single Member State under the same authority.
- Competent authorities have given explicit approval for aggregated reporting.
4. Outsourcing Reporting Obligations? Keep Authorities Informed
If you outsource your incident reporting obligations to a third party, you must inform your competent authority about this arrangement prior to the first submission. Provide details such as the third-party’s name and contact information. This ensures transparency and the legitimacy of the reporting party.
5. Secure Channels for Submission
Security and confidentiality are paramount. Use the secure electronic channels provided by your competent authority to submit all reports. If circumstances prevent this, notify the authority and agree on an alternative secure method until you can use the standard channel again.
6. Flexibility in Combining Reports
In certain situations, for example where regular operations have been restored or the root cause analysis is complete before a deadline falls due, entities may submit the initial notification, intermediate report and final report together. This simplifies the process, provided all applicable time limits are still met.
7. Significant Cyber Threat Notifications
For significant cyber threats that don’t qualify as major incidents but require reporting, use the designated template and instructions. Ensure your submissions are complete and precise, following all specified data fields and definitions.
Conclusion
Effective reporting of ICT-related incidents is not just a regulatory requirement; it is a vital practice for maintaining trust, transparency, and security within the financial ecosystem. By following these structured steps and updating your reports as situations evolve, you can maintain regulatory compliance while minimising risk and strengthening operational resilience.