News

Friday with DORA – ICT incident management process. Financial entities’ obligation under DORA

Zofia Zborowska Zofia Zborowska Associate
26 April 2024
Friday with DORA – ICT incident management process. Financial entities’ obligation under DORA

The provisions of Regulation 2022/2554 on Digital Operational Resilience of the Financial Sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 commonly referred to as “DORA” (the Digital Operational Resilience Act, also referred to as the “Regulation”) regulate a number of requirements for obligated entities to strengthen digital security in the EU financial market.

According to Article 3(8) of the Regulation, an ICT incident means a single event or a series of related events, unplanned by the financial entity in question, that threatens the security of networks and information systems and adversely affects the availability, authenticity, integrity or confidentiality of data or the services provided by the financial entity.

In order to detect, manage, monitor and report ICT incidents, DORA requires financial entities to establish and implement an internal ICT incident management process, including:

  • introducing early warning indicators;
  • establishing procedures for identifying, tracking, recording, categorizing and classifying ICT incidents according to their priority and severity, and the criticality of the services affected by the incidents, in accordance with the criteria set forth in Article 18(1) of DORA;
  • assigning roles and responsibilities to be put in place for different types of ICT incidents and relevant scenarios;
  • defining plans for outreach to employees, external stakeholders and the media in accordance with Article 14 of DORA, as well as plans for notifying customers, plans for internal escalation procedures, including ICT-related customer complaints, and providing information to financial entities acting as counterparties (if applicable);
  • ensuring that, at a minimum, serious ICT-related incidents are reported to relevant senior management and that, at a minimum, serious ICT-related incidents are reported to the governing body, along with an explanation of the impact, response and additional controls to be established as a result of such ICT-related incidents;
  • establish procedures for responding to ICT-related incidents to mitigate the impact and ensure the restoration of operational and safe services within a reasonable period of time.

❗ It is the responsibility of financial entities to correctly classify ICT incidents and cyber threats (as defined in Article 2(8) of Regulation (EU) 2019/881) on a regular basis, in accordance with the criteria indicated in Article 18(1) and (2) of DORA, which were further clarified in the draft regulatory technical standards (RTS) JC 2023 83 published by the European Supervisory Authorities (i.e., EBA, ESMA and EIOPA) and adopted by the European Commission on March 13, 2024.

Delegated Act C(2024) 1519 final is available at the following link: https://ec.europa.eu/finance/docs/level-2-measures/dora-regulation-rts–2024-1519_en.pdf

Related

Friday with DORA – Incident reporting of payment institutions (MIP, KIP, EMI, AISP) under the DORA Regulation
26 April 2024

The regulation of Article 32g of the Payment Services Act of August 19, 2011 (hereinafter:…

Zofia Zborowska Zofia Zborowska Associate
Do you want to receive news?
Subscribe to Newsletter