The Bank of Italy has issued a communication requiring all directly supervised intermediaries to submit annual consolidated estimates of the aggregated annual costs and losses caused by major ICT incidents. The reporting is to be made each year by 31 May, with the first reporting cycle only deferred to 30 June 2026. The measure is framed under the EU Digital Operational Resilience Act, which provides that financial entities other than microenterprises must report these estimates to competent authorities on request. Submissions must follow the Joint Guidelines issued by the European Supervisory Authorities and the operational instructions published on the Bank of Italy’s website.
Bank of Italy2026-05-22
Bank of Italy requires directly supervised intermediaries to report annual aggregated ICT incident costs and losses with first filing due by 30 June 2026
The Bank of Italy will require all directly supervised intermediaries to submit annual consolidated estimates of aggregated costs and losses from major ICT incidents, in line with the EU Digital Operational Resilience Act. Firms must report using the Joint Guidelines of the European Supervisory Authorities and the operational instructions published by the Bank of Italy.