Pillar II, Art. 17-23

ICT-Related Incident Management

Requires financial entities to establish and implement an incident management process for detecting, managing, and reporting ICT-related incidents. Introduces harmonized classification criteria, mandatory reporting timelines to competent authorities, and obligations for root cause analysis and remediation tracking.

Key Themes

What this pillar covers

1. Incident detection and classification
2. Regulatory reporting obligations
3. Root cause analysis
4. Remediation and lessons learned


Articles in Pillar II

Explore the 7 articles that make up ICT-Related Incident Management, from Art. 17-23.


Art. 17: ICT-related incident management process

Requires financial entities to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. The process must include early warning indicators, procedures for identifying, tracking, logging, categorizing and classifying incidents, and assigning roles and responsibilities.

Tags: incident-management, detection, classification (+1 more). Sectors: Banks, Investment, Insurance (+4 more).

Art. 18: Classification of ICT-related incidents and cyber threats

Establishes harmonized classification criteria for ICT-related incidents based on impact indicators including number of clients affected, duration, geographical spread, data losses, criticality of services affected, and economic impact. Defines thresholds for "major" ICT-related incidents requiring regulatory notification.

Tags: classification, materiality, thresholds (+2 more). Sectors: Banks, Investment, Insurance (+4 more).

Art. 19: Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

Establishes the mandatory reporting framework for major ICT-related incidents to competent authorities. Requires initial notification, intermediate report, and final report with defined timelines. Creates a single EU reporting hub to avoid duplicative reporting across supervisors.

Tags: reporting, notification, competent-authority (+2 more). Sectors: Banks, Investment, Insurance (+4 more).

Art. 20: Harmonisation of reporting content and templates

Mandates the ESAs to develop implementing technical standards (ITS) specifying the content, timelines and templates for incident reporting. Ensures consistency across the EU by standardizing the format and data fields for initial notifications, intermediate reports and final reports.

Tags: reporting-templates, ITS, harmonisation (+1 more). Sectors: Banks, Investment, Insurance (+4 more).

Art. 21: Centralisation of reporting of major ICT-related incidents

Explores the feasibility of establishing a single EU hub for major ICT-related incident reporting. The ESAs must assess the viability, costs and benefits of centralizing reports to reduce reporting burden on financial entities while maintaining information flow to all relevant authorities.

Tags: centralisation, reporting-hub, ESA (+1 more). Sectors: Banks, Investment, Insurance (+4 more).

Art. 22: Supervisory feedback

Requires competent authorities to provide feedback and guidance to financial entities following major incident reports. This two-way communication ensures that entities benefit from supervisory insights and cross-sector intelligence derived from incident data collected across the financial sector.

Tags: supervisory-feedback, guidance, cross-sector-intelligence. Sectors: Banks, Investment, Insurance (+4 more).

Art. 23: Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

Extends the incident management and reporting requirements to operational or security payment-related incidents for credit institutions, payment institutions and e-money institutions. Aligns DORA reporting with existing PSD2 incident reporting to prevent duplicative obligations.

Tags: payment-incidents, PSD2, alignment (+1 more). Sectors: Banks, Payments.