Article 19 Digital Operational Resilience Act (DORA), Centralisation of Reporting of Major ICT-Related Incidents

Sep 9, 2024

Article 19 of the Digital Operational Resilience Act (DORA) emphasizes the centralization of reporting major ICT-related incidents across financial entities within the European Union. This article focuses on the feasibility, benefits, limitations, and operational aspects of establishing a single EU Hub for centralized incident reporting.

Joint Report on Centralization Feasibility

Under Article 19, the European Supervisory Authorities (ESAs), through the Joint Committee, are tasked with preparing a comprehensive report on the feasibility of centralizing ICT-related incident reporting. This report is to be developed in consultation with the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA). The primary aim is to assess whether establishing a single EU Hub for major ICT-related incidents would be feasible and beneficial for financial entities within the EU.

The report is expected to explore various ways to streamline the flow of ICT-related incident reports, reduce the associated costs, and support thematic analyses that could enhance supervisory convergence across EU member states. This convergence is crucial in ensuring that financial entities operate under a uniform regulatory framework, thereby reducing discrepancies and improving overall resilience against ICT-related threats.

Key Elements of the Report

The report mandated by Article 19 must provide a comprehensive assessment of the proposed EU Hub, covering several critical elements. It should begin by outlining the essential prerequisites for establishing the EU Hub, including the necessary technical infrastructure, legal frameworks, and coordination mechanisms among various stakeholders.

The report must also evaluate the benefits, limitations, and potential risks associated with the EU Hub. This includes a thorough examination of the advantages, such as improved efficiency in incident reporting and enhanced data sharing across the EU. However, it should also address the limitations, such as the challenges in harmonizing reporting standards, and the risks, including potential cybersecurity threats or operational inefficiencies that might arise from centralization.

Operational management elements of the proposed EU Hub should be detailed, including governance structures, decision-making processes, and the roles and responsibilities of various entities involved in managing the Hub.

Additionally, the report must specify the conditions of membership for financial entities wishing to join the EU Hub. This could involve compliance with specific regulatory requirements, adherence to cybersecurity standards, or demonstrating operational resilience capabilities.

Access modalities for financial entities and national competent authorities (NCAs) should also be explored. The report needs to address how these entities can access and use the EU Hub, considering aspects such as data-sharing agreements, access controls, and the technical means for submitting and retrieving information.

Finally, a preliminary financial cost assessment is crucial. The report should include an evaluation of the costs involved in setting up and operating the EU Hub, covering aspects such as developing the necessary IT infrastructure, maintaining the platform, and ensuring the availability of skilled personnel to manage and operate the Hub effectively.

Reporting and Submission Timeline

The ESAs are required to submit the completed report to the European Commission, the European Parliament, and the Council of the European Union within a specified timeframe. The deadline is set for three years after the entry into force of the Digital Operational Resilience Act. This timeline allows sufficient time for a detailed and thorough examination of the feasibility and implications of establishing a centralized EU Hub for ICT-related incident reporting.

The submission of this report is a critical step in determining the future direction of ICT-related incident reporting within the EU financial sector. Should the report conclude that centralization is feasible and beneficial, it could lead to significant changes in how financial entities report and manage ICT-related incidents, thereby enhancing the overall resilience and stability of the EU financial system.

Conclusion

Article 19 of DORA underscores the importance of exploring the centralization of ICT-related incident reporting across the EU. By tasking the ESAs with preparing a detailed report on this topic, the EU aims to assess the feasibility of creating a centralized EU Hub that could streamline reporting processes, reduce costs, and enhance supervisory convergence. The outcome of this report could have far-reaching implications for the future of digital operational resilience within the EU's financial sector.