In our latest blog post on preparing for the EU’s Digital Operational Resilience Act (DORA), which applies from January 17, 2025, we look at the Level 2 requirements under DORA covering the classification and reporting of major information and communications technology (ICT) related incidents. These requirements will need to be addressed through operational risk management frameworks and through contract remediation with technology vendors.
Background
From January 17, 2025, financial entities based in the EU must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with DORA.
For many requirements under DORA, the European supervisory authorities (ESAs) are required to develop further detail in the form of regulatory technical standards (RTS) or, for standard forms and templates, implementing technical standards (ITS).
For example, where an ICT-related incident compromises network security or has an adverse impact on the availability or confidentiality of data or on the services of an EU-based financial entity, DORA requires the entity to classify the incident as “major” or not (under the criteria in Article 18) and, for major incidents, to submit a sequence of notifications and reports to its national competent authority (Article 19). Under Article 20, the ESAs must develop draft RTS specifying the content of those notifications and reports and the time limits for submitting them.
See our previous blog post, in which we highlighted the final-form RTS on subcontracting of ICT services supporting critical or important functions.
Incident Reporting
On July 17, 2024, the ESAs published the final-form RTS (Final RTS) setting out the timeframes within which financial entities must classify incidents and submit notifications and reports to their national supervisor, as follows:

| Report | Timeframe | Requirement |
|---|---|---|
| Initial notification | Incident classification: as soon as possible after the financial entity becomes aware of the incident. Initial notification: within four hours of classification as “major”, and no later than 24 hours after the financial entity becomes aware of the incident (or by 12:00 on the next working day if that deadline falls on a weekend or public holiday). | First, the financial entity must classify the ICT-related incident as “major” or not. A “major” incident is one that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity. The financial entity must then submit to the national supervisory authority an initial notification containing general information about the incident. |
| Intermediate report | Within 72 hours of submission of the initial notification. | The financial entity must submit to the national supervisory authority an intermediate report covering, among other items, the cause of the incident, its classification, and its actual or estimated economic impact. |
| Final report | Within one month of submission of the intermediate report. | The financial entity must submit to the national supervisory authority a final report containing a root cause analysis, lessons learned, and any other relevant information. |
Under the Final RTS, the intermediate and final reporting timeframes run from submission of the prior report rather than from classification of the incident; otherwise the timeframes match those in the draft RTS consulted on.
There are a few other minor changes that will be favorable to financial entities and their service providers:
- Only significant or systemic institutions will be required to submit notifications over the weekend; for all other regulated financial entities, any deadline falling on a non-working day is pushed to 12:00 on the next working day.
- There are fewer data fields for the financial entity to report.
- On timeframes, the Final RTS clarify that an incident can still be upgraded to “major” after the 24-hour period from the financial entity becoming aware has elapsed; in that case the initial notification is due within four hours of the upgrade. This is unlikely to have much practical impact.
Analysis
The Final RTS provide long-awaited clarity to EU-based financial entities and their ICT service providers on one of the key areas of change under DORA. Many firms’ DORA implementation projects are in full swing and will need to address these requirements in their operational risk management frameworks and in their contracts with technology vendors.
As between financial entities and their ICT service providers, the service provider’s initial notification of an ICT-related incident will be critical, because the financial entity’s time limit for classifying the incident and submitting its initial notification runs from the moment the financial entity becomes aware of the incident, not from when the incident occurred. Financial entities will therefore want contractual assurance that such notification is made urgently, but also with enough appropriate information to allow the financial entity to classify the incident within the 24-hour window.
The parties will then need to work closely over the following month so that the financial entity can complete the intermediate and final reports and any material updates to them.
Finally, as we previously highlighted, the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg’s financial regulator, introduced a new ICT-related incident-reporting framework, effective from April 1, 2024 or June 1, 2024 depending on the type of financial entity, that is based on the draft RTS under DORA. Helpfully, the reporting timeframes under the Final RTS remain broadly aligned with the CSSF’s framework.