In a crisis, seconds matter immensely.

Preparing for Cyber Threats: Reporting Mandatory for Significant IT Incidents - DORA Sets Specific Timeframes and Expectations

In an informative article, Dana Wondra, a consultant and project manager at GOLT Coaching, discusses the new reporting obligations for serious IT incidents imposed by the Digital Operational Resilience Act (DORA) on financial entities and their IT service providers.

Under DORA, financial institutions must establish robust IT incident management and immediate, tiered reporting procedures. This is part of a broader mandate to improve operational resilience and digital security in the EU financial sector.

Under DORA, a financial entity must classify an ICT-related incident as major (the regulation's term for what this article calls a serious IT incident) within 24 hours of becoming aware of it. An initial notification must then reach the competent supervisory authority within four hours of that classification, and in any case no later than 24 hours after the entity became aware of the incident, so a late classification does not buy extra time. This first notification matters most for incidents that take services down, cause significant operational impact, or involve security breaches that may affect service continuity or customer interests.

The regulation scales the urgency and level of detail of reporting with the severity and impact of the incident. Major ICT-related incidents are subject to the mandatory, time-boxed notifications described here, whereas significant cyber threats (an attack that was detected and blocked before it became an incident) may be reported to the authority on a voluntary basis. Every major ICT-related incident must be reported individually; entities are not permitted to submit combined or aggregated reports covering multiple incidents.

Intermediate and final reports are also required, each with prescribed contents, fixed deadlines, and standardized templates: the intermediate report is due within 72 hours of the initial notification, and the final report within one month of the intermediate report. Together these reports are meant to ensure that serious digital disruptions reach the regulator without delay, with a strong emphasis on transparency about each individual incident and on notifying affected customers.

Josefine Spengler, in her discussions on common mistakes in IT incident handling in practice, emphasizes the importance of interdisciplinary incident response teams and the use of scenarios, checklists, and exercises to prepare effectively for IT incidents. DORA also demands clear internal processes and coordinated responsibilities in companies to ensure efficient incident management.

Even when the incident originates at an external ICT service provider, the reporting obligation stays with the financial entity itself; it cannot delegate the deadline. This makes it essential that contracts with IT partners oblige the provider to detect, escalate and document incidents quickly enough for the entity to meet its own four-hour clock.

Dana Wondra brings a wealth of experience to this discussion, having previously played a key role in public relations for the Olympic Training Center Berlin e.V. and organized Olympic campaigns. Since June 2022, she has been working as a consultant and project manager at GOLT Coaching, and since August 2023, she has been a Senior Manager Marketing at Payment & Banking.

Malicious unauthorised access to systems, such as a hacker attack, is treated as a trigger for classification as a major incident under DORA: where critical services are affected, such access is sufficient on its own, without the other classification criteria having to be met. This underscores the importance of robust cybersecurity measures in the financial sector, and of detection capabilities that can establish within hours whether access was malicious and what it touched.

In conclusion, DORA's reporting obligations for serious IT incidents have significantly redefined IT incident handling in the financial sector. Financial entities must now maintain robust IT incident management and immediate, tiered reporting procedures: classification of a major incident within 24 hours, an initial notification to the supervisory authority within four hours of classification, and intermediate and final reports on fixed deadlines. Meeting these timelines is both a condition of compliance and a way of maintaining customer trust.
