ICT incident management, classification and reporting under DORA | Fieldfisher

Nikhil Shah
03/08/2023

Locations

United Kingdom

In this article, we focus on DORA's rules on incident management, classification and reporting. This article forms part of a series of articles we are publishing over the coming months with our thoughts on each of the key topics covered by DORA. For an introduction to DORA, an overview of who is covered, and how the legislation interacts with other key cyber security laws, please see our article here.

Incident management and reporting has become a hot topic across industry generally in the last decade, largely thanks to the revolutionary requirements introduced under the EU's General Data Protection Regulation (GDPR). Taking a lead from that framework, regulators across multiple industry sectors have sought to impose similar (but slightly different) requirements upon the organisations within their remit – with the effect that organisations are now often subject to multiple overlapping obligations to report incidents to different authorities in different timeframes with different levels of information required.

DORA follows this general trend, and introduces strict new rules that impose substantial stringent requirements (including abbreviated reporting timelines) on organisations supported by a robust enforcement regime and penalty framework. In order to comply with this framework, most firms will need to revisit their existing policies and processes and keep those under close review on a continuing basis. The overarching message is this: firms should engage with this change programme now, as there will not be time to do so if and when an incident occurs.

It is worth noting upfront that DORA's proportionality-based approach, which we discuss in more detail here, applies to DORA's incident management, classification and reporting requirements. The effect of this is that organisations can and should take into account the size, risk profile and nature of the activities in question when designing their incident management, classification and reporting processes.

Incident management

Chapter III of DORA sets out the incident management, classification and reporting requirements which in-scope organisations must adhere to. Importantly, these obligations all apply only to "financial entities" – which includes all financial services organisations covered by DORA but does not include "ICT third-party service providers". (For more detail on these definitions, please refer to our previous article here).

Under Article 17, financial entities are required to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. For these purposes, an "ICT-related incident" is defined as "a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity".

It is important to note that this requirement applies in respect of all ICT-related incidents, not just "major ICT-related incidents" (i.e. an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity) as is the case for the reporting requirements (see below).

Financial entities must record all ICT-related incidents and significant cyber threats (defined as "a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident"). They must also establish appropriate procedures and processes to ensure consistent and integrated monitoring, handling and response to incidents, and carry out root cause analyses to prevent the recurrence of similar incidents.

Specifically, the ICT-related incident management process will need to:

  • include early warning indicators;
  • establish procedures for the identification, tracking, logging and categorisation of incidents;
  • establish defined roles and responsibilities for incident response purposes;
  • set out plans for internal and external incident communications;
  • ensure that major incidents are reported to senior management; and
  • establish incident response procedures.

Incident classification

In addition to having a robust incident management process in place, Article 18 requires financial entities to comply with a detailed classification system for ICT-related incidents. Financial entities shall classify ICT-related incidents and determine their impact based on the following criteria:

  • number of impacted transactions, clients and/or financial counterparts;
  • reputational impact;
  • duration of the incident;
  • geographical spread;
  • losses of availability, authenticity, integrity or confidentiality of data;
  • criticality of the services affected; and
  • economic impact.

Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.

More detailed guidance on the criteria for classification, including materiality thresholds for determining major ICT-related incidents that are subject to DORA's reporting requirement (see below) and "significant cyber threats", is to be developed by the European Supervisory Authorities (ESAs) in consultation with the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA). The ESAs are required to submit proposed materiality thresholds to the European Commission by 17 January 2024, and a consultation on their contents commenced on 19 June 2023 (for more information, see here).

Incident reporting

Article 19 requires that financial entities report incidents which have been classified as major ICT-related incidents to the relevant competent authority (see below) using the reporting templates and adhering to the timelines to be defined over the coming months by the ESAs under Article 20.

Reports shall include all information necessary for the competent authority to determine the significance of the major ICT-related incident and assess possible cross-border impacts. Specifically, financial entities are required to submit:

  • an initial notification;
  • an intermediate report and, as appropriate, updates to track the status of the incident; and
  • a final report once the root cause analysis has been completed.

Under Article 20, the ESAs are tasked with the initial development of common draft standards, which will establish standard forms, templates and procedures for financial entities to use and follow when reporting major ICT-related incidents and notifying significant cyber threats. These will include:

  • the content of the reports for major ICT-related incidents;
  • the time limits for the initial notification and each subsequent report under Article 19; and
  • the content of the notification for significant cyber threats.

When developing these, the ESAs are required to take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, and in particular, with a view to ensuring that different time limits may reflect, as appropriate, specificities of financial sectors, without prejudice to maintaining a consistent approach to ICT-related incident reporting. The ESAs are expected to provide their draft standards to the Commission by 17 July 2024.

In addition to the requirement to report to competent authorities, where a major ICT-related incident has an impact on the financial interests of clients, financial entities must, without undue delay and as soon as they become aware of it, inform their clients about the incident and about the measures that have been taken to mitigate its adverse effects.

Note that whilst financial entities are permitted to outsource their reporting obligations to a third party, they remain ultimately responsible for compliance with those obligations under DORA.

Separately from the mandatory requirement to report "major ICT-related incidents", under Article 19(2) financial entities may also, on a voluntary basis, notify "significant cyber threats" to the relevant competent authority when they deem the threat to be of relevance to the financial system, service users or clients. Where those "significant cyber threats" impact their clients directly, financial entities shall inform the clients that are potentially affected of any appropriate protection measures which those clients may consider taking.

The role of the 'competent authority'

A financial entity's competent authority for reporting purposes is defined in Article 46. The competent authority will differ depending on the nature of the specific financial entity. Where a financial entity is subject to supervision by more than one national competent authority, Member States are expected to designate a single competent authority.

Unfortunately, DORA does not create a single point of contact for reporting purposes. However, the ESAs are tasked with assessing the feasibility of further centralisation through the establishment of a single EU Hub for incident reporting. The ESAs are expected to report to the European Parliament, Council and Commission by 17 January 2025 regarding the feasibility of such a single hub.

Upon receipt of an incident report, the competent authority will cascade applicable details to other relevant regulators and authorities in the EU, as set out in Article 19(6). These may include, amongst others, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) or the European Insurance and Occupational Pensions Authority (EIOPA), the ECB, and the Computer Security Incident Response Teams (CSIRTs) designated or established in accordance with the second Network and Information Security Directive (NIS2).

Once the competent authority has received the initial notification and each subsequent report, it may, where feasible, provide feedback or high-level guidance to the financial entity, for example by making available any relevant anonymised information and intelligence on similar threats, and may discuss remedies applied at the level of the financial entity and ways to minimise and mitigate adverse impact across the financial sector. Note, however, that regardless of the feedback provided, financial entities remain fully responsible for the handling and for any consequences of the incident.

How is reporting under NIS2, PSD2 and GDPR affected?

As set out in our introductory article on DORA available here, DORA constitutes lex specialis with regard to the NIS 2 Directive. This means that where DORA and NIS 2 cover the same subject matter, including with regards to incident reporting obligations, organisations covered by both will be required to look to the provisions in DORA rather than in NIS 2.

In relation to PSD2, to reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting under PSD2 ceases to apply to payment service providers that fall within the scope of DORA. Moving forward, payment service providers are expected to report under DORA all operational or security payment-related incidents that were previously reportable under PSD2, irrespective of whether such incidents are ICT-related.

It is worth pointing out that DORA does not relieve financial entities from other incident reporting obligations, such as the requirement to notify personal data breaches under the GDPR.

Conclusion

With key details yet to be defined by the ESAs in the coming months and years, financial entities will need to closely watch how the ICT-related incident management, classification and reporting requirements evolve under DORA. Financial entities should also consider whether the stricter reporting requirements under DORA will necessitate the imposition of stricter contractual terms with their third-party ICT providers, to ensure that they are able to fully meet the requirements under DORA when it becomes effective on 17 January 2025.

Get in touch

If you would like to speak to one of the financial services and payments team, please get in touch with Jonathan Rehbein (jonathan.rehbein@fieldfisher.com) to arrange a free 30-minute consultation.