DORA Regulation: ICT Incident Management and Cyber Resilience

The European Commission updates the DORA regulation, strengthening ICT incident reporting, cyber resilience, and improving oversight of third-party providers across the EU financial sector.





On 23 October 2024, the European Commission adopted the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) on ICT-related incident reporting that Article 20 of the DORA regulation (Digital Operational Resilience Act) required the European Supervisory Authorities to draft. DORA itself was not amended; these delegated and implementing acts specify how financial entities classify, report and follow up major ICT-related incidents and significant cyber threats. This article gives a technical overview of what the standards require, what they mean for the financial industry, and how they serve DORA's objectives.




Sources

[1] DORA Regulation: European Commission's Rejection of Draft ITS (the ESAs' responses to the Commission's proposal, defending LEI use under DORA against EUID cost-reduction measures)

[2] Register of Commission Documents



What is the DORA Regulation?


The DORA regulation (Regulation (EU) 2022/2554) was introduced to strengthen the digital operational resilience of financial entities across the European Union. It provides a unified framework for managing ICT risks, ensuring that financial institutions can maintain operational continuity in the face of increasing cyber threats and technological disruptions. This regulation requires financial entities to have solid risk management frameworks, including incident reporting, ICT security, and third-party risk management.


DORA does not only mandate security measures; for financial entities it is the sector-specific counterpart of horizontal cybersecurity law such as the NIS2 Directive, so the two frameworks are designed to fit together rather than to overlap. The standards adopted on 23 October 2024 make the reporting obligations concrete: they fix the reporting timelines, set out how third-party ICT providers are handled, and require incident classification to be accurate and traceable.




Key Updates to the DORA Regulation on 23 October 2024


The standards adopted on 23 October 2024 standardize the process by which financial entities report major ICT-related incidents and significant cyber threats: the RTS define the content and time limits of each report, and the ITS provide the templates and the submission procedure.


1. Regulatory Technical Standards (RTS) for ICT Incident Reporting

The Regulatory Technical Standards (RTS) introduced under the DORA regulation define the specific information that financial entities must include when reporting major ICT-related incidents. The updates from 23 October 2024 focus on the following:


  • Initial Notification: Financial entities must submit an initial notification within four hours of classifying an ICT-related incident as major, and in any case no later than 24 hours after becoming aware of the incident, so the clock cannot be delayed by delaying classification. The initial notification covers the essentials: the nature of the incident, its apparent origin, and the immediate actions taken. Early notification lets competent authorities act quickly and is in line with DORA's aim of harmonizing incident handling across the EU.

  • Intermediate and Final Reports: After the initial notification, financial entities provide more detail in an intermediate report, due within 72 hours of submitting the initial notification, and a final report, due within one month of submitting the latest intermediate report. The intermediate report can be updated as the incident evolves; the final report contains the root-cause analysis, the recovery actions taken and any further remediation. These staged deadlines keep regulators informed throughout the lifecycle of an incident as information becomes available.

  • Handling Recurring Incidents: The standards also cover recurring incidents. Incidents that individually fall below the major-incident thresholds but share the same apparent root cause and, taken together, meet the criteria for a major incident are treated as one major incident and reported as such. This prevents a persistent problem from escaping notice because each occurrence looks minor on its own.

  • Voluntary Cyber Threat Notification: The RTS also address the voluntary notification of significant cyber threats. Financial entities may, on a voluntary basis, notify competent authorities of threats that have not yet materialized into incidents but could pose a risk. This gives regulators an early view of emerging threats and helps prevent widespread disruption in the financial system.

2. DORA ITS for Standardised Reporting


The Implementing Technical Standards (ITS) under the DORA regulation complement the RTS by providing the detailed templates and procedures that financial entities must use when reporting ICT incidents and cyber threats. These ITS are crucial in ensuring consistency across the financial sector, helping authorities to compare and evaluate reports across institutions.


  • Standardized Templates: The ITS introduces standardized templates for reporting major ICT-related incidents. These templates cover all necessary fields, such as incident classification, affected services, and recovery measures, ensuring that all relevant details are captured in a consistent manner. This consistency is essential for enabling regulators to assess and compare incidents across different financial entities and jurisdictions, improving oversight and response times.

  • Aggregated Reporting for Multiple Entities: For incidents affecting multiple financial entities, especially when caused by third-party providers, the ITS allows for aggregated reporting. This feature reduces the reporting burden by enabling a single report that covers all impacted entities under one authority, particularly when the incident affects a critical third-party ICT service provider. Aggregated reporting is key to streamlining the communication between financial entities and regulators when an incident has widespread implications, ensuring a coordinated and efficient response.

  • Third-Party Provider Reporting: Financial entities may outsource the submission of incident notifications and reports to a third-party service provider, and the ITS allow such a provider to submit on the entity's behalf, including when the incident originates in the provider's own service. Outsourcing the submission does not transfer the obligation: the financial entity remains fully responsible for the classification, content and timeliness of every report. Entities must also notify their competent authority of the outsourcing arrangement, which keeps third-party dependencies visible to supervisors.



Classification and Reclassification of Incidents Under the DORA Regulation


A significant aspect of the 23 October 2024 updates to the DORA regulation is the detailed process for classifying and reclassifying ICT-related incidents. Financial entities are required to classify incidents based on their impact and report them accordingly.


  • Initial Classification: The classification of an ICT-related incident as "major" triggers the requirement for immediate notification and subsequent reporting. This classification is based on the criteria set out in the RTS, which include the incident’s impact on operational capabilities, data integrity, and customer service. This ensures that incidents that could pose significant risks to the financial sector are reported promptly and accurately.

  • Reclassification of Incidents: If further assessment determines that an incident initially classified as major does not meet the criteria, financial entities are allowed to reclassify the incident as non-major. However, they must notify competent authorities of this change using the appropriate fields in the standardized templates. This flexibility ensures that the severity of incidents is accurately reflected throughout the reporting process, providing regulators with the most accurate and updated information as the situation evolves.

By refining these processes, the DORA regulation ensures that financial entities remain agile in their response to ICT incidents while maintaining transparency and compliance with regulatory requirements. The updates introduced on 23 October 2024 significantly enhance the resilience of the financial sector, ensuring that financial entities can navigate the complexities of today’s digital landscape effectively.


In conclusion, the updates to the DORA regulation mark a major step forward in enhancing the digital operational resilience of the European financial sector. These changes not only standardize and simplify reporting processes but also ensure that financial entities are better equipped to manage ICT risks, maintain operational continuity, and protect against emerging cyber threats. As the digital landscape continues to evolve, the DORA regulation will play a critical role in safeguarding the integrity and stability of the financial system.


DORA: Cooperation with Third-Party ICT Providers


The DORA regulation places a strong emphasis on managing the risks associated with outsourcing to third-party ICT providers. The 23 October 2024 updates further clarify the responsibilities of financial entities in maintaining operational resilience, even when critical ICT services are outsourced. These updates strengthen the oversight and ensure that third-party providers adhere to the regulatory requirements, ensuring seamless integration with the operational frameworks of financial entities.


Outsourcing Arrangements


Under the DORA regulation, financial entities must notify their competent authority before outsourcing the submission of incident notifications and reports to a third-party service provider. The notification identifies the provider and gives its contact details, so that authorities know who will be submitting on the entity's behalf, and it must be in place before that provider submits its first notification or report for any incident. The financial entity remains responsible for meeting the reporting obligations regardless of the outsourcing.


Third-Party Aggregated Reporting


Third-party providers can submit aggregated reports on behalf of multiple financial entities affected by the same incident, provided specific conditions are met. The 23 October 2024 standards set out those conditions. Aggregation is intended for incidents at a shared ICT service provider that hit several financial entities supervised by the same competent authority: every affected entity must have classified the incident as major, the report must cover all affected entities within a single Member State, and the reporting arrangement must have been notified to the authority in advance.


This aggregated reporting approach simplifies the reporting process, reduces the administrative burden on financial entities, and provides regulators with a comprehensive view of the incident’s impact on the financial ecosystem. However, aggregated reporting is not applicable to systemically important entities, such as credit institutions of significant relevance, central counterparties, and operators of trading venues, which are required to submit individual reports for each incident.




Digital Operational Resilience Act: Timeframes and Flexibility in Reporting


The updates to the DORA regulation introduce clear timeframes for incident reporting, ensuring that financial entities provide timely and accurate information to regulators. The structured timelines provide a balance between the urgency of reporting ICT incidents and the flexibility needed to manage and recover from such incidents.


Reporting Deadlines


Financial entities must adhere to strict deadlines when reporting major ICT-related incidents. The initial notification is due within four hours of classifying an incident as major and, at the latest, 24 hours after the entity became aware of it; this ensures that competent authorities are informed quickly and can initiate supervisory actions if necessary. Where the deadline for the initial notification or the intermediate report falls on a weekend or a bank holiday of the entity's Member State, the entity may submit by noon of the next working day. This relief covers those two reports only; the one-month deadline for the final report is not extended.


Intermediate reports are due within 72 hours of submitting the initial notification, and final reports within one month of submitting the latest intermediate report. Because each clock starts when the previous report is actually filed, the schedule is anchored to the entity's own submission timestamps rather than to the incident date, and should be tracked from those timestamps.


Exceptions for Critical Institutions


The weekend and bank-holiday relief does not apply to systemically important financial entities, including significant credit institutions, central counterparties and operators of trading venues. These entities must meet the standard four-hour and 72-hour deadlines regardless of the day of the week, reflecting their role in the stability of the broader financial system.
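As an added worked example, not code from the page, the ESAs or the Commission, the following Python computes the three deadlines for a major incident from the two timestamps that start the clock (when the entity became aware, when it classified the incident as major) and from the timestamps at which each report is actually filed. It applies the weekend and bank-holiday relief to the initial and intermediate deadlines only and withholds it from systemic entities. The bank-holiday calendar, the entity-type labels and the clamping of the one-month deadline at month end are assumptions of the example; the 24-hour cap from awareness comes from the RTS.

```python
"""Deadline calculator for DORA major ICT-related incident reporting.

Added worked example: not code from the page, the ESAs or the Commission.
Rules modelled:
  - initial notification: 4 h after classification as major, and never later
    than 24 h after the entity became aware of the incident (RTS cap);
  - intermediate report: 72 h after the initial notification was submitted;
  - final report: one month after the (latest) intermediate report was submitted;
  - an initial or intermediate deadline that falls on a weekend or bank holiday
    moves to noon of the next working day, except for systemic entities
    (significant credit institutions, CCPs, trading venue operators).
The bank-holiday calendar and the entity-type labels are constructed for the example.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, time, timedelta

# Constructed sample calendar of fixed-date bank holidays in the entity's Member State.
BANK_HOLIDAYS = frozenset({date(2025, 1, 1), date(2025, 12, 25), date(2025, 12, 26)})

# Constructed labels for the entity categories that get no weekend/holiday relief.
NO_RELIEF_ENTITY_TYPES = frozenset({"significant_credit_institution", "ccp", "trading_venue"})


def ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; it must carry the entity's local UTC offset."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return dt


def is_working_day(day: date, holidays: frozenset = BANK_HOLIDAYS) -> bool:
    return day.weekday() < 5 and day not in holidays


def with_weekend_relief(deadline: datetime, entity_type: str,
                        holidays: frozenset = BANK_HOLIDAYS) -> datetime:
    """Move a weekend/holiday deadline to noon of the next working day, unless the entity is systemic."""
    if entity_type in NO_RELIEF_ENTITY_TYPES or is_working_day(deadline.date(), holidays):
        return deadline
    day = deadline.date() + timedelta(days=1)
    while not is_working_day(day, holidays):  # skips runs of consecutive non-working days
        day += timedelta(days=1)
    return datetime.combine(day, time(12, 0), tzinfo=deadline.tzinfo)


def initial_deadline(aware_at: datetime, classified_at: datetime, entity_type: str,
                     holidays: frozenset = BANK_HOLIDAYS) -> datetime:
    """4 h from classification, capped at 24 h from awareness, then weekend relief if applicable."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    raw = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    return with_weekend_relief(raw, entity_type, holidays)


def intermediate_deadline(initial_submitted_at: datetime, entity_type: str,
                          holidays: frozenset = BANK_HOLIDAYS) -> datetime:
    """72 h from the actual submission of the initial notification, then weekend relief if applicable."""
    return with_weekend_relief(initial_submitted_at + timedelta(hours=72), entity_type, holidays)


def final_deadline(intermediate_submitted_at: datetime) -> datetime:
    """One calendar month from the latest intermediate report; no weekend relief.

    Clamping the day of month (31 Jan -> 28 Feb) is an assumption of this example.
    """
    if intermediate_submitted_at.month == 12:
        year, month = intermediate_submitted_at.year + 1, 1
    else:
        year, month = intermediate_submitted_at.year, intermediate_submitted_at.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return intermediate_submitted_at.replace(year=year, month=month,
                                             day=min(intermediate_submitted_at.day, last_day))


def reporting_schedule(aware_at: datetime, classified_at: datetime, entity_type: str,
                       holidays: frozenset = BANK_HOLIDAYS) -> dict:
    """Latest-possible schedule, assuming each report is filed exactly at its deadline."""
    initial = initial_deadline(aware_at, classified_at, entity_type, holidays)
    intermediate = intermediate_deadline(initial, entity_type, holidays)
    return {"initial": initial, "intermediate": intermediate, "final": final_deadline(intermediate)}


if __name__ == "__main__":
    # Constructed scenario: aware on Friday 14 Mar 2025 at 20:00, classified as major at 22:00 (CET).
    aware = ts("2025-03-14T20:00:00+01:00")
    classified = ts("2025-03-14T22:00:00+01:00")
    for entity in ("investment_firm", "ccp"):
        for stage, due in reporting_schedule(aware, classified, entity).items():
            print(f"{entity:16} {stage:13} {due.isoformat()}")
```

Run as a script, the constructed Friday-evening scenario shows the difference the relief makes: the investment firm's initial notification moves from 02:00 on Saturday to noon on Monday, while the CCP keeps the Saturday 02:00 deadline and every later clock shifts with it. In a real tracker the `holidays` set should be the published bank-holiday calendar of the entity's Member State and the submission timestamps should be taken from the reporting portal's acknowledgement, not from internal ticket times.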




Conclusion: Future Impact of the 23 October 2024 DORA Regulation Updates


The 23 October 2024 updates to the DORA regulation mark a significant shift in how financial entities will approach digital resilience in the future. By refining the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), these updates set the stage for a more streamlined and efficient reporting process for ICT-related incidents and cyber threats.


Enhanced Incident Response


The clarified reporting timelines and standardized templates will enable financial entities to respond to ICT incidents faster and more efficiently. This will improve communication with regulators and allow for quicker interventions, reducing the potential for large-scale financial disruption. The DORA regulation’s structured reporting process ensures that entities can act swiftly without compromising on the accuracy and depth of the information provided to authorities.


Proactive Cyber Threat Management


With the voluntary reporting of significant cyber threats now better defined, financial entities will be more proactive in addressing emerging risks before they escalate into major incidents. This early-warning system allows regulators to gain insights into potential threats, which enhances the sector's overall security posture. The DORA regulation encourages entities to share cyber threat information voluntarily, promoting a collaborative approach to cybersecurity within the financial ecosystem.


Increased Accountability of Third-Party Providers


As financial institutions continue to rely on third-party ICT services, the new rules for reporting and aggregated reporting will ensure that third-party service providers are more accountable. These providers must adhere to strict reporting obligations when handling incidents on behalf of financial entities, improving the overall oversight of outsourced services. The increased transparency will mitigate the risks associated with third-party dependencies and ensure that financial entities maintain control over critical operational functions, even when they are outsourced.


Harmonization Across the EU


The updates foster greater consistency across the financial sector, creating a unified approach to incident management and reporting. This harmonization will facilitate better coordination between regulators and financial entities across EU Member States, leading to more effective responses to cross-border incidents. The DORA regulation’s uniform reporting standards ensure that no matter where an entity operates within the EU, it will be subject to the same incident reporting requirements, promoting a cohesive regulatory environment.


Scalability for Future Threats


As cyber threats continue to evolve, these standards provide a framework that can absorb both current and future digital risks. The flexibility built into the reporting process, such as aggregated reporting and the weekend and bank-holiday relief for non-systemic entities, is designed so that the DORA regulation can be applied consistently as the threat landscape changes. This allows financial entities to remain resilient as new and more sophisticated digital threats emerge, supporting long-term operational stability and security.


Overall, these updates position the DORA regulation as a cornerstone of operational resilience for the financial sector, ensuring that institutions not only comply with regulatory requirements but are also better prepared to navigate future challenges in an increasingly digital financial ecosystem.
