16. Article 11(10) of DORA provides that financial entities shall report to their competent authorities, upon request, an estimation of aggregated annual costs and losses caused by major ICT-related incidents. Article 11(10) DORA does not specify how the "annual" costs and losses should be determined. Consequently, there is a lack of clarity on the start and end date of the one-year period and on whether the reporting requirements can cover overlapping time periods. In the view of the ESAs, the requirement should be such that, for any given financial entity, sequential reports do not cover overlapping time periods, as otherwise two subsequent data requests addressed to a financial entity would not be distinctly comparable. The reporting period should also be consistent over time, for the same reason and because this should allow for a long-term, perennial assessment of costs and losses related to major ICT-related incidents and their remediation. Finally, the reporting period must be practical
…Version date: 8 December 2023 - onwards
Version 1 of 1
Determining the timeframe and data source for the estimation of annual costs and losses
Closed
4 March 2024