Article 18 Digital Operational Resilience Act (DORA), Harmonisation of Reporting Content and Templates
Article 18 of the Digital Operational Resilience Act (DORA) focuses on standardizing the reporting requirements for major ICT-related incidents. This harmonization is essential for ensuring consistency and clarity in how financial entities report such incidents, thereby improving the overall response and management of ICT-related disruptions.
Development of Regulatory and Implementing Standards
- Draft Regulatory Technical Standards: The European Supervisory Authorities (ESAs), through their Joint Committee and in consultation with the European Union Agency for Cybersecurity (ENISA) and the European Central Bank (ECB), are tasked with developing common draft regulatory technical standards. These standards will address two key areas:
  - Content of Reporting: The standards will establish the specific content required for reporting major ICT-related incidents. This includes defining the detailed information that financial entities must provide when they experience significant ICT-related issues, ensuring that the reporting is comprehensive and informative.
  - Delegation Conditions: The standards will specify the conditions under which financial entities may delegate their reporting obligations to a third-party service provider. Such delegation must be approved by the competent authority before it takes effect. The conditions will outline how the delegation should be managed to ensure compliance and maintain the quality of the reporting.
- Draft Implementing Technical Standards: In addition to the regulatory standards, the ESAs will develop common draft implementing technical standards. These will focus on:
  - Standard Forms and Templates: The implementing technical standards will establish standard forms, templates, and procedures for reporting major ICT-related incidents. This includes creating uniform formats and protocols that financial entities must follow when submitting their reports. The goal is to streamline the reporting process and ensure consistency across different entities.
  - Reporting Procedures: The standards will also define the procedures for submitting reports, ensuring that all financial entities adhere to a standardized process. This includes the timing and method of reporting, as well as any required supplementary information.
Submission and Adoption
- Submission Timeline: The ESAs are required to submit both the common draft regulatory technical standards and the common draft implementing technical standards to the European Commission by a date specified as one year after the entry into force of DORA. This timeline ensures that the standards are developed and adopted promptly, facilitating the implementation of consistent reporting practices.
- Delegated Authority: The European Commission is delegated the power to adopt the common regulatory technical standards referred to in paragraph 1(a). This adoption will follow the procedures outlined in Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, respectively.
- Implementing Authority: The Commission is also given the power to adopt the common implementing technical standards mentioned in paragraph 1(b). This adoption will be in accordance with Article 15 of the same regulations. These powers enable the Commission to finalize and enforce the standards necessary for effective incident reporting.
Conclusion
Article 18 of DORA aims to ensure that financial entities report major ICT-related incidents in a consistent and standardized manner. By mandating the development of common draft regulatory and implementing technical standards, the article seeks to enhance the clarity and efficiency of incident reporting. The involvement of the ESAs, ENISA, and the ECB in developing these standards, along with the delegated powers of the European Commission, underscores the importance of a coordinated approach to managing ICT-related risks and incidents. This harmonization is crucial for improving transparency, facilitating effective incident response, and ensuring that financial entities across the EU adhere to uniform reporting practices.