Article 17 Digital Operational Resilience Act (DORA), Reporting of Major ICT-Related Incidents

Sep 9, 2024

Article 17 of the Digital Operational Resilience Act (DORA) delineates the procedures and requirements for reporting major ICT-related incidents by financial entities. This article is crucial for ensuring that significant ICT disruptions are communicated effectively to authorities and stakeholders, thus enabling a coordinated response and mitigating potential impacts on the financial system.

1. Reporting Major ICT-Related Incidents

Financial entities are required to report major ICT-related incidents to the relevant competent authority as specified in Article 41. The reporting must be done within the prescribed time limits, ensuring prompt and accurate disclosure.

To meet this requirement, financial entities must prepare an incident report after collecting and analyzing all pertinent information. This report should follow the template outlined in Article 18 and be submitted to the competent authority. The report needs to include comprehensive details necessary for the competent authority to assess the significance of the incident and evaluate any potential cross-border implications.

The goal is to provide a clear and thorough account of the incident, which allows the competent authority to understand its scope and potential impact on the financial sector and beyond.

2. Informing Service Users and Clients

When a major ICT-related incident has, or potentially has, an impact on the financial interests of service users and clients, financial entities must inform these stakeholders without undue delay. This communication should detail the nature of the incident and the measures taken to mitigate its adverse effects.

Timely and transparent communication with service users and clients is critical for maintaining trust and enabling them to take necessary actions to protect their interests. Financial entities must ensure that they provide updates as soon as possible regarding the steps being taken to address the incident and minimize any potential damage.

3. Reporting Timelines

Financial entities must adhere to specific reporting timelines for communicating major ICT-related incidents to the competent authority:

  • Initial Notification: Entities must submit an initial notification of the incident without delay, but no later than the end of the business day. If the incident occurs less than two hours before the end of the business day, the notification should be made within four hours of the start of the next business day. If reporting channels are unavailable, the notification should be made as soon as they become accessible.
  • Intermediate Report: An intermediate report must be submitted no later than one week after the initial notification. This report should provide updates on the incident’s status and any additional information that has become available. Further updates should be provided whenever relevant, and upon specific requests from the competent authority.
  • Final Report: A final report must be issued once the root cause analysis of the incident is complete. This report should include accurate impact figures and details of any mitigation measures implemented. The final report must be submitted no later than one month from the initial notification.

4. Delegation of Reporting Obligations

Financial entities may delegate their reporting obligations to a third-party service provider, but only with prior approval from the relevant competent authority as specified in Article 41. This ensures that any delegation is properly vetted and does not compromise the integrity of the reporting process.

5. Information Sharing with Relevant Authorities

Upon receiving the report, the competent authority must promptly share the incident details with:

  • The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA), as appropriate.
  • The European Central Bank (ECB), in cases involving financial entities as defined in Article 2(1) of DORA.
  • The single point of contact designated under Article 8 of Directive (EU) 2016/1148.

6. Assessment and Notification by EBA, ESMA, EIOPA, and ECB

The EBA, ESMA, EIOPA, and ECB are responsible for assessing the relevance of the incident to other public authorities. They must notify these authorities as soon as possible to ensure that all relevant parties are informed. The ECB is specifically tasked with notifying members of the European System of Central Banks regarding issues related to the payment system. Based on these notifications, competent authorities must take appropriate measures to safeguard the stability of the financial system, addressing any immediate risks or disruptions.

In summary, Article 17 of DORA establishes a clear framework for reporting major ICT-related incidents. By following these guidelines, financial entities can ensure timely and effective communication with relevant authorities and stakeholders, contributing to the overall stability and resilience of the financial system.