
INFORMATION TECHNOLOGY

The EU Commission has adopted further technical standards for the application of the Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554) (DORA).

The technical standards include the:

- Implementing Technical Standard (ITS) on standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (the Reporting ITS);

- Regulatory Technical Standard (RTS) on the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats (the Reporting RTS); and

- RTS on harmonisation of conditions enabling the conduct of the oversight activities (the Harmonisation RTS).

The Reporting ITS

The Reporting ITS contains templates for the initial notification, intermediate report, and final report on major ICT-related incidents to be given to competent supervisory authorities under Article 19(4) of DORA. The Reporting ITS also clarifies that financial entities that provide information on non-major recurring ICT-related incidents that cumulatively meet the conditions for one major ICT-related incident must provide information in an aggregated form. Likewise, financial entities that conclude after an assessment that the ICT-related incident previously reported as major does not meet such criteria must notify competent supervisory authorities of the reclassification.

The Reporting RTS

The Reporting RTS details the required contents of initial notifications, intermediate, and final reports to be given under Article 19(4) of DORA.

In addition, the Reporting RTS sets out the time limits for submitting the above notification and reports. The initial notification should be made within four hours of the classification of an ICT-related incident as major, and no later than 24 hours from the moment the financial entity becomes aware of it. The intermediate report should be made within 72 hours of the initial notification, and an updated intermediate report should be submitted without undue delay once regular activities have been recovered. The final report should be made no later than one month after the submission of either the intermediate report or the latest updated intermediate report.

Notably, when an ICT-related incident is not classified as major within 24 hours of becoming aware of it but later reclassified as major, the financial entity must submit the notification of the incident as major within four hours of the reclassification.

The Reporting RTS also notes the contents of voluntary notification of significant cyber threats under Article 19(2) of DORA.

The Harmonisation RTS

The Harmonisation RTS concerns the role of critical ICT third-party service providers in the financial sector under Article 31 of DORA. Specifically, ICT third-party service providers that submit a voluntary request to be designated as critical must provide a European Supervisory Authority (ESA) with all the information necessary to demonstrate their criticality. The Harmonisation RTS details what must be included in the submissions made to the ESAs by critical ICT third-party service providers, together with the content, structure, and format of such submissions.

The Harmonisation RTS also includes the information to be submitted to the Lead Overseer which is necessary to carry out its oversight duties under DORA.

The ESAs include the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).