Article 20 Digital Operational Resilience Act (DORA), Supervisory Feedback

Sep 9, 2024

The Digital Operational Resilience Act (DORA) is a critical regulation aimed at enhancing the operational resilience of financial entities within the European Union. One of its significant provisions is Article 20, which focuses on supervisory feedback following the reporting of Information and Communication Technology (ICT)-related incidents. This article outlines the responsibilities of both competent authorities and the European Supervisory Authorities (ESAs) in ensuring that financial entities are guided effectively in managing and mitigating the impacts of ICT incidents.

Immediate Acknowledgment and Guidance

Upon receiving a report as referred to in Article 17(1) of DORA, competent authorities are mandated to acknowledge receipt of the notification without delay. This prompt acknowledgment is not merely a formality; it is a crucial step in ensuring that the financial entity is aware that its concerns are being taken seriously and that the issue is under review.

Following this acknowledgment, the competent authority is required to provide necessary feedback or guidance as quickly as possible. This feedback is particularly important as it helps the financial entity understand the potential implications of the reported incident and offers a pathway to address the issue effectively. The guidance provided by the authority may include discussions on possible remedies at the entity level, which could involve technical fixes, process improvements, or strategic changes to mitigate the impact of the incident. Additionally, the authority may advise on ways to minimize any adverse effects the incident might have on the broader financial sector, highlighting the interconnected nature of modern financial systems and the importance of coordinated responses to ICT threats.

Role of the European Supervisory Authorities (ESAs)

The European Supervisory Authorities (ESAs) play a pivotal role in the broader regulatory framework under DORA. Through the Joint Committee, the ESAs are tasked with reporting on an annual basis on the ICT-related incident notifications received from competent authorities. This reporting is done on an anonymized and aggregated basis, ensuring that sensitive information about specific entities is protected while still providing valuable insights into the overall landscape of ICT incidents within the financial sector.

The annual reports compiled by the ESAs serve multiple purposes. Firstly, they provide a comprehensive overview of the number and nature of ICT-related major incidents that have occurred over the year. This includes an analysis of the impact these incidents have had on the operations of financial entities and their customers, highlighting the potential risks and vulnerabilities within the sector. Additionally, the reports detail the costs associated with these incidents, offering a clear picture of the financial implications of ICT-related disruptions. Finally, the reports include information on the remedial actions taken by financial entities in response to these incidents, providing valuable lessons that can be shared across the sector to enhance overall resilience.

Warnings and High-Level Statistics

In addition to their reporting duties, the ESAs are also responsible for issuing warnings and producing high-level statistics to support ICT threat and vulnerability assessments. These warnings are a critical tool in the ongoing effort to protect the financial sector from emerging ICT threats. By analyzing the data collected from incident reports, the ESAs can identify trends and patterns that may indicate new or evolving risks. These insights are then used to inform the broader financial sector, enabling entities to take proactive measures to protect themselves against potential threats.

The high-level statistics produced by the ESAs serve as a valuable resource for both regulators and financial entities. They provide a snapshot of the current state of ICT resilience within the sector, highlighting areas of strength and potential vulnerabilities. This information is crucial for ongoing risk management efforts and helps to ensure that the financial sector remains vigilant and prepared in the face of ever-evolving ICT threats.

Conclusion

Article 20 of DORA underscores the importance of timely and effective supervisory feedback in the management of ICT-related incidents within the financial sector. By ensuring prompt acknowledgment and guidance from competent authorities, and through the comprehensive reporting and analysis conducted by the ESAs, DORA aims to enhance the operational resilience of financial entities across the EU. The collaborative efforts outlined in this article are essential for minimizing the impact of ICT incidents and for safeguarding the stability and integrity of the financial system in an increasingly digital world.