The regulation of Article 32g of the Payment Services Act of August 19, 2011 (hereinafter: PSA) is the implementation into the national legal order of Article 96 (1)-(2) of Directive (EU) 2015/2366 – PSD2, which imposes information obligations on payment service providers in the event of serious operational or security incidents related to payments.
Accordingly, providers as defined in Article 4 of the PSA (including MIP, KIP, EMI and AISP) are now required to:
- immediately notify the FSA of the occurrence of the above-mentioned incidents (including incidents of an ICT nature);
- where any of the aforementioned incidents has or may have an impact on the financial interests of the provider’s payment service users, notify those users of the incident without undue delay and inform them of all available measures they can take to limit its negative effects.
The provisions of Regulation (EU) 2022/2554 (hereinafter: “DORA” or “the Regulation”) provide an exemption from the obligation to report incidents under PSD2 for, among others, small payment institutions, national payment institutions, providers of account information services and electronic money institutions.

In view of this, as of the date of application of DORA (January 17, 2025), the reporting of any operational or security incidents related to payments is to be done in accordance with the rules provided for in the aforementioned Regulation.
What rules for reporting serious ICT incidents does DORA introduce?
When serious ICT incidents occur, financial entities are to submit the following documents to the relevant competent authority:
a) an initial notification;
b) an interim report after the initial notification referred to above, as soon as the status of the original incident changes significantly, or the handling of the serious ICT incident in question changes based on new information (where applicable, updated notifications shall be submitted whenever a relevant status update is available, as well as upon special request from the relevant competent authority);
c) a final report, once the root cause analysis has been completed (regardless of whether mitigation measures have already been implemented for the incident) and actual impact data is available to replace estimates.
Deadlines for the initial notification and for the individual reports will be set by the ESAs in draft regulatory technical standards (RTS), by 17.07.2024 at the latest. The RTS will include, among other things, the standard forms, templates and procedures to be used by financial entities for reporting major ICT incidents and notifying significant cyber threats.
Importantly, pursuant to Article 19(5) of DORA, financial entities may outsource tasks related to the reporting obligations under this Article to a third-party service provider. In the case of such outsourcing, the financial entity remains fully responsible for complying with the incident reporting requirements.