- Question ID: 2024_7050
- Legal act: Regulation (EU) No 2022/2554 (DORA)
- Topic: ICT-related incidents (management / classification / reporting)
- Article: 19
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: N/A
- Name of institution / submitter: AFME
- Country of incorporation / residence: Belgium
- Type of submitter: Industry association
- Subject matter: Duplicate ICT Incident Reporting
- Question: Is duplicate incident reporting via the ECB SSM Cyber Incident Reporting Framework required, alongside DORA incident reporting under Article 19?
- Background on the question: Significant credit institutions are required to notify the ECB of significant cyber incidents via their own SSM portal. These reports will duplicate reporting due under DORA, where the ECB is the competent authority.
- Submission date
- Final publishing date
-
- Final answer

Recital 51 of Regulation (EU) 2022/2554 clarifies that ICT-related incident reporting should be harmonised through the introduction of a requirement for all financial entities to report directly to their relevant competent authorities. Where a financial entity is subject to supervision by more than one national competent authority, Member States should designate a single competent authority as the addressee of such reporting. Credit institutions classified as significant in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013 should submit such reporting to the national competent authorities, which should subsequently transmit the report to the European Central Bank (ECB).

Accordingly, ICT-related major incidents, including cyber incidents, affecting significant institutions in accordance with Article 6(4) of Council Regulation (EU) No 1024/2013 should be classified and reported only under Regulation (EU) 2022/2554 and the related Technical Standards.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the Joint ESAs Q&A
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.