Pillar II: ICT-Related Incident Management
Article 21

Chapter III — ICT-related incident management, classification and reporting

Section II — Reporting of major ICT-related incidents

Centralisation of reporting of major ICT-related incidents

centralisation, reporting-hub, ESA, feasibility

Summary

Explores the feasibility of establishing a single EU hub for major ICT-related incident reporting. The ESAs must assess the viability, costs and benefits of centralizing reports to reduce reporting burden on financial entities while maintaining information flow to all relevant authorities.

Key Requirements

  1. ESAs assess feasibility of a single EU reporting hub
  2. Evaluate cost-benefit of centralized incident reporting
  3. Consider technical infrastructure requirements
  4. Maintain information flow to all relevant competent authorities

Detailed Analysis

Article 21 addresses one of the most practical pain points in EU financial regulation: the burden of reporting the same incident to multiple supervisory authorities. Financial entities operating across borders or regulated under multiple frameworks often face overlapping reporting obligations that consume valuable resources during an incident — precisely when those resources are most needed for response and recovery.

The article mandates the ESAs to assess the feasibility of establishing a single EU hub that would serve as a central collection point for major ICT-related incident reports. The hub would receive reports from financial entities and distribute relevant information to the appropriate competent authorities, national and European alike.

The feasibility assessment must consider the technical infrastructure required, the governance framework for data sharing between authorities, data protection implications, and the costs and benefits compared to the current distributed reporting model. The assessment must also evaluate whether centralization could improve the speed and quality of supervisory responses by providing a holistic view of incident patterns across the EU financial sector.

While Article 21 is framed as a feasibility study rather than a mandate for immediate implementation, it signals the EU's intent to streamline supervisory reporting. For financial entities, the eventual implementation of such a hub could significantly reduce the administrative burden of multi-jurisdictional incident reporting.
