On 8 December 2023, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published and opened a consultation until 4 March 2024 on a draft joint technical standard on reporting major ICT-related incidents and notifying significant cyber threats under DORA. The standards aim to harmonise reporting, ensure competent authorities receive relevant information in a timely manner, and avoid undue reporting burden on financial entities, taking into account the proportionality principle. The draft regulatory standards specify the content, format, timelines and procedures for reporting major incidents and notifying cyber threats. The implementing standards provide standard forms, templates and procedures for reporting major incidents and notifying cyber threats. Initial notifications of major incidents would have to be submitted within 4 hours of classification but no later than 24 hours from detection, while intermediate reports would be due within 72 hours and final reports within 1 month. The notifications and reports would be mandated to contain information such as a description of the incident, its impact, actions taken, root causes, costs, etc., with an increasing level of detail from the initial notification to the final report. Financial entities must use secure electronic channels agreed upon with competent authorities for submitting notifications and reports.
Original source