The Digital Operational Resilience Act (DORA) requires major ICT-related incidents to be reported to the German Federal Financial Supervisory Authority (BaFin) from January 2025.
Why should you take a close look at this requirement now? Where in DORA is this obligation regulated? And how does the reporting process work? In our blog post, we examine the requirements for ICT-related incident management and the new, EU-wide reporting system for major ICT-related incidents.
The reporting obligation should be on your DORA priority list
DORA applies from January 17, 2025, and the list of requirements that the EU regulation obliges you to implement is long. Affected financial entities and ICT service providers therefore need to prioritize wisely. Our security consultants recommend the following simplified selection criteria for your priority list:
- Things you must submit from January 17, 2025.
- Things that must be established from January 17, 2025.
- Things that must be approved by the management board.
- Everything that the three previous categories depend on.
The required ICT-related incident management process falls into the second category “Things that must be established from January 17, 2025”. We therefore recommend that you take a closer look at this requirement with us today.
The reporting obligation aims to increase the resilience of the entire financial market
"ICT-related incident management process"
(DORA, Chapter III, Article 17)
Article 17 requires financial entities to establish an ICT-related incident management process that detects, manages and notifies ICT-related incidents, backed by monitoring of the ICT systems. Companies must be able to identify such incidents promptly and handle them effectively. This implies, among other things, the need to define early warning indicators. Companies must also define clear rules on roles and responsibilities and ensure transparent communication with all affected stakeholders, including staff, external parties and, where appropriate, the media. Finally, the regulation requires that senior management and the management body are informed of any major ICT-related incident without delay.
"Classification of ICT-related incidents and cyber threats"
(DORA, Chapter III, Article 18)
Every ICT-related incident must be classified carefully in accordance with the criteria set out in Article 18 (for example the clients and counterparties affected, duration and service downtime, geographical spread, data losses, criticality of the affected services and economic impact). These criteria and their materiality thresholds are further specified in the Regulatory Technical Standard (RTS) on the classification of ICT-related incidents.
"Reporting of major ICT-related incidents and voluntary notification of significant cyber threats"
(DORA, Chapter III, Article 19)
Companies are obliged under Article 19 to report incidents classified as major to the competent financial supervisory authority. This reporting obligation comprises an initial notification, an intermediate report and a final report. Significant cyber threats, by contrast, may be notified on a voluntary basis.
The primary objective of the DORA requirements in the area of ICT-related incident management is to strengthen the resilience of the affected organizations. In the event of an ICT-related incident, the reporting system ensures that important information is communicated immediately to all relevant authorities. This is particularly important to ensure that the consequences of an ICT-related incident can be promptly assessed not only for the company concerned, but also for the financial sector as a whole, so that the competent authorities can act immediately if necessary.
What is considered a major ICT-related incident?
An ICT-related incident is an event not planned by the company or a series of related events that affect the security of the network and information systems and have a negative impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial company.
Articles 18 and 19 together with the RTS on the classification of ICT-related incidents define the classification process used to assess and categorize individual incidents. Incidents classified as major must be reported to the financial supervisory authority.
An ICT-related incident is considered major as soon as critical services are affected and, in addition, either the materiality threshold for "data losses" has been reached or the materiality thresholds of at least two of the other classification criteria have been exceeded. In other words, an incident that affects no critical service is not major, regardless of how many other thresholds it trips. The definitions of the materiality thresholds can be found here.
The classification process can be illustrated in a simplified form using the following diagram:
The classification scheme pre-defined in the RTS establishes a standardized, unambiguous procedure across the entire financial sector. It is aligned with the incident reporting provisions of the EU directives NIS-2 and PSD-2. This harmonization helps financial institutions to limit the effort of adapting their existing ICT-related reporting processes. For companies that are already bound by these two directives, the additional implementation effort should be small. Other companies may need to adapt their existing assessment and reporting processes and the affected systems, which may incur additional costs.
The reporting process and the involved stakeholders
BaFin acts as the central reporting authority for ICT-related incidents at the financial entities under its supervision in Germany. It forwards the reports without delay to the other responsible authorities. In the event of incidents that have a significant impact in other member states of the European Economic Area, the supervisory authorities of the countries concerned are informed via the respective European supervisory authority (EBA, EIOPA or ESMA):
If you have to comply with both NIS-2 and DORA, please note that the requirements partially overlap. This is where the "lex specialis" rule comes into play: the requirements of DORA take precedence wherever they are at least equivalent to, or more specific than, those of the NIS-2 Directive. In practice, this means that financial entities that also fall under the NIS-2 Directive will in future only have to submit an incident report to BaFin in accordance with DORA. BaFin then forwards the report without delay to the Federal Office for Information Security (BSI).
All information will in future be processed by BaFin in its situation report on cyber risk in the financial sector.
Initial notification
As soon as an ICT-related incident has been classified as major, the company must notify BaFin. The initial notification must contain enough information for the supervisory authority to make an accurate first assessment. For example, the following questions should be answered: Which services are affected? What impact does the incident have on customers or other financial market participants? How serious are the effects, e.g. due to unauthorized data access or data encryption by ransomware?
In addition, incidents that occur at an ICT third-party service provider contracted by the company must also be reported by the company itself. BaFin can then use its outsourcing database to evaluate the impact on the entire financial market and, if necessary, notify other affected parties.
Intermediate report
In their intermediate report, companies provide BaFin with specific data on the extent of the ICT-related incident as well as a more detailed analysis. This provides the supervisory authority with more information to assess the impact of the ICT-related incident on the company, its customers, counterparties and the financial market. In particular, the intermediate report must indicate changes to the status, such as information on ongoing restrictions, the restoration of business operations or an escalation of the ICT-related incident. If necessary, several intermediate reports must be submitted.
Final report
Once the ICT-related incident has been resolved and the causes analyzed, the company informs the supervisory authority with a final report. The final report must include the cause of the ICT-related incident, measures taken and costs and losses incurred.
Further information on the reporting process, including the content of the three reports, can be found in the RTS and ITS on reporting of major ICT-related incidents and significant cyber threats, which are mandated by DORA Article 20(a) and Article 20(b) respectively.
Summary of the most important questions
What is an ICT-related incident? An ICT-related incident is an unplanned event or series of related events that affect the security of network and information systems and negatively impact the availability, authenticity, integrity or confidentiality of data or the services provided by the financial organization.
What does my company need to do to manage ICT-related incidents? Establish early warning indicators, classify every ICT-related incident against the classification criteria to determine whether it is major, submit the required internal and external reports, and set up response measures.
When must an ICT-related incident be reported? An ICT-related incident must be reported if it meets the relevant classification criteria and is considered major.
To whom do I have to report an ICT-related incident? BaFin is the reporting hub for all financial companies under its supervision.
Do you need support? We are happy to help!
With the application of DORA from January 17, 2025, the reporting obligation for major ICT-related incidents begins. We recommend that you start adapting your processes now. To do this, you will have to create the conditions that enable you to submit all the required data in the event of an ICT-related incident. Furthermore, you need to ensure that your responsible employees are able to identify, manage and report incidents in accordance with the new requirements. We are happy to support you!