The European Supervisory Authorities, through a joint report by the European Banking Authority, European Insurance and Occupational Pensions Authority and European Securities and Markets Authority, have assessed the feasibility of further centralising how financial entities report major ICT-related incidents to competent authorities under Article 21 of the Digital Operational Resilience Act. The analysis compares three models for incident reporting: a baseline model, a model with enhanced data-sharing arrangements, and a fully centralised model. It considers the potential burden and cost reductions for firms and authorities, as well as efficiency and effectiveness gains for cross-sector supervisory practices. The report has been submitted to the European Parliament, the European Council and the European Commission, which will consider the findings for potential future developments on further centralisation of major ICT-related incident reporting. The assessment draws on input from competent authorities and the ESAs’ stakeholder groups, and includes consultation with the European Central Bank and the European Union Agency for Cybersecurity, as well as input from an external IT strategy firm.
European Insurance and Occupational Pensions Authority 2025-01-17
European Supervisory Authorities publish report assessing options to centralise major ICT incident reporting under DORA
The European Supervisory Authorities, including the European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority, evaluated centralising financial entities' reporting of major ICT-related incidents under the Digital Operational Resilience Act. The report compares three models for incident reporting, assessing potential cost reductions and efficiency gains. It has been submitted to the European Parliament, Council, and Commission, and its findings will inform future centralisation efforts.