Joint Technical Standards on major incident reporting

Status: Under consultation

This set of Technical Standards include:

Regulatory Technical Standards (RTS) establishing the content of the reports for ICT-related incidents and the notification for significant cyber threats, and the time limits for FEs to report these incidents to competent authorities.
Draft Implementing Technical Standards (ITS) establishing the standard forms, templates and procedures for FEs to report a major ICT-related incident or to notify a significant cyber threat.

The draft RTS set out time limits for reporting of the initial notification of 4 hours after classification and 24 hours after detection of the incident, 72 hours for reporting of the intermediate report and 1 month for the reporting of the final report. The proposed time limits have been aligned with NIS2 and have been set out in a way to be proportionate for the different types and size of FEs within the scope of DORA.

In addition, the Technical Standards set out the types of information to be collected with the notification/reports for major incidents and significant cyber threats, with detailed description of these types of information and instructions how to populate them provided in the Annex to the draft ITS.

Summary of document history

Previous versions Current version Ongoing versions

Consultation on Joint draft technical standards on major incident reporting

Status: Closed
Deadline: 4 MARCH 2024

Documents

Consultation paper on Joint draft technical standards on major incident reporting

(1.03 MB - PDF)

Download

Responses to public consultations on DORA (2nd batch)

(858.87 KB - Excel Spreadsheet)

Download

Responses

The form is now closed.

News item

ESAs launch joint consultation on second batch of policy mandates under the Digital Operational Resilience Act

8 December 2023

The European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) launched today a public consultation on the second batch of policy mandates under the Digital Operational Resilience Act (DORA). Today’s package includes four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight over critical ICT third-party providers. The consultation runs until 4 March 2024.

Press contacts

Franca Rosa Congiu

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre