European Union: Closed consultation on Joint regulatory and implementing technical standards on major incident reporting

On 4 March 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) closed their consultation on a draft joint technical standard on reporting major ICT-related incidents and notifying significant cyber threats under DORA. The standards aim to harmonise reporting, ensure competent authorities receive relevant information in a timely manner, and avoid undue reporting burden on financial entities, taking into account the proportionality principle. The draft regulatory standards specify the content, format, timelines and procedures for reporting major incidents and notifying cyber threats. The implementing standards provide standard forms, templates and procedures for reporting major incidents and notifying cyber threats. Initial notifications of major incidents would have to be submitted within 4 hours of classification, but no later than 24 hours from detection, while intermediate reports would be due within 72 hours and final reports within 1 month. The notifications and reports would be mandated to contain information such as a description of the incident, its impact, actions taken, root causes, costs, etc, with an increasing level of detail from initial notification to final report. Financial entities must use secure electronic channels agreed with competent authorities for submitting notifications and reports.