Incident reporting under DORA
Increasing the resiliency of the European financial sector has been an ongoing priority for the EU. As a result, financial entities need to demonstrate that they can recover quickly from cyber breaches and incidents.
Under DORA, financial entities are required to submit three reports to the relevant CAs (Competent Authorities) for any ICT-related incident that is classified as major. For more information see Incident classification. The reports required to be submitted are:
- Initial Notification
- Intermediate Report
- Final Report
The regulation outlines the reporting timelines for each report. For more information see Reporting timelines.
Reporting purpose
The reports will inform whether the ESAs (European Supervisory Authorities) need to coordinate a response at an EU level. The CA will conduct the initial assessment, taking into account whether the incident will impact multiple financial entities, consumers or the wider financial sector.
Further Reading
The information on this site is for general information purposes only and is not intended to serve as legal advice. Laws governing the subject matter may change quickly, so Guanciale Technologies Ltd cannot guarantee that all the information on this site is current or correct. Should you have specific legal questions about any of the information on this site, you should consult with a lawyer in your area.