Chapter III — ICT-related incident management, classification and reporting
Section II — Reporting of major ICT-related incidents
Supervisory feedback
Summary
Article 22 requires competent authorities to provide feedback and guidance to financial entities following major incident reports. This two-way communication ensures that entities benefit from supervisory insights and cross-sector intelligence derived from incident data collected across the financial sector.
Key Requirements
1. Competent authorities provide feedback on incident reports
2. Share anonymized insights from cross-sector incident data
3. Provide guidance for incident remediation where appropriate
4. Support two-way communication between entities and supervisors
Detailed Analysis
Article 22 establishes a feedback mechanism that transforms incident reporting from a one-way compliance obligation into a two-way exchange of value. Competent authorities are required to provide feedback and guidance to financial entities following the receipt of major incident reports, leveraging the supervisory vantage point to add value beyond mere data collection.
This feedback can take multiple forms. It may include guidance on the entity's incident response approach, identification of common patterns observed across the sector, early warnings about related threats affecting other entities, or recommendations for strengthening preventive measures. The goal is to ensure that the reporting effort yields benefits for the reporting entity, not just regulatory visibility.
The article also enables competent authorities to share anonymized, aggregated insights from incident data collected across the financial sector. This cross-sector intelligence is particularly valuable because it allows individual entities to benchmark their experiences, identify emerging trends, and anticipate threats that have affected peers. Without this feedback loop, each entity operates in an information silo.
For the feedback mechanism to function effectively, competent authorities must develop the analytical capabilities to extract meaningful insights from incident reports and the communication channels to deliver timely, actionable feedback. This represents a significant capability investment for supervisory authorities and reflects DORA's broader vision of collaborative, intelligence-driven supervision.