Everything you need to know about DORA regulations and legal requirements for reporting major incidents and significant cyber threats, including reporting requirements and timelines.

In the second batch of technical standards, two standards are relevant to ICT incident management:

RTS (regulatory technical standard) on the content of the notifications and reports for major incidents and significant cyber threats, and on the deadlines for reporting major incidents (Art. 20.a).
ITS (implementing technical standard) on the standard forms, templates and procedures for financial entities to report a major incident and report a significant cyber threat (Art. 20.b).
These standards are closely related to the RTS that specifies the criteria for classifying ICT-related incidents and the materiality thresholds for major incidents and significant cyber threats, which was finally published (1) on Jan. 17, 2024.
The RTS aims to harmonize incident reporting across the EU and ensure timely and efficient communication of major incidents. The ITS complements the RTS by providing templates and procedures for reporting on major ICT-related incidents and cyber threats.
(1) https://www.esma.europa.eu/press-news/esma-news/esas-publish-first-set-rules-under-dora-ict-and-third-party-risk-management
