Article 11(11) of Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) mandates the European Supervisory Authorities (ESAs) to develop 'common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents'. The apparent aim of these Guidelines is to harmonise the estimation by financial entities of their aggregated annual costs and losses caused by major information and communication technology (ICT)-related incidents according to Article 11(10) DORA, which are then to be reported by financial entities, other than microenterprises, to their competent authority upon its request.
In the view of the ESAs, this mandate is closely interlinked with the DORA mandates conferred on the ESAs under Article 18(3) on incident classification and under Article 20 on reporting of incidents, as these also require an assessment of costs and losses of ICT-related incidents. Consequently, the ESAs seek to achieve consistency across t
…