Version date: 17 July 2024 - onwards

3.1 Background (paras. 1-7)

1. One of the objectives of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) is to harmonise and streamline the ICT-related incident reporting regime for financial entities (FEs) in the EU. To that end, DORA introduces consistent requirements for FEs on management, classification and reporting of ICT-related incidents.

2. Article 19(1) of DORA prescribes that FEs ‘shall report major ICT-related incidents to the relevant competent authority’. Article 19(4) of DORA, in turn, specifies that FEs ‘may, on voluntary basis, notify significant cyber threats to the relevant competent authorities when they deem the threat to be of relevance to the financial system, service users or clients’.

3. In that regard, Article 20 of DORA mandates the European Supervisory Authorities (ESAs) to develop through the Joint Committee and in consultation with ENISA and the ECB:

a) common draft regulatory technical standards (RTS) in order to:

(i) establish the
