
Image (BaFinJournal “Transparency ensured by reporting requirements”): close-up of several data cables. © 738535272 – stock.adobe.com

Published: 13.08.2024 | Topics: Digitalisation, Risk management

Transparency ensured by reporting requirements

(BaFinJournal) Starting in January 2025, major ICT incidents will have to be reported to BaFin. What exactly is at stake here? What will happen with the reports? And what role will BaFin play? By Benedikt Queng and Michael Göddecke, BaFin IT Supervision

Sound familiar? You switch on your computer in the morning – and an important software programme is not working. There is a problem in your company’s information and communication technology (ICT). Whether this is a harmless bug that can be quickly eliminated or an IT failure with tangible, lasting consequences – at this point, no one can tell.

ICT incidents of this kind can occur at companies at any time, despite extensive security measures and a functioning ICT risk management system. They are rarely triggered by malicious attacks. The most common causes are internal operational problems that can have considerable consequences for a company’s business operations.

The Digital Operational Resilience Act (DORA) defines requirements for managing incidents at companies of the financial sector. Moreover, the European regulation is introducing a harmonised reporting system for major ICT incidents and significant cyber threats.

Incident reporting: a key feature of DORA

The objective of this reporting system is to ensure that relevant information is channelled quickly to the responsible authorities. Only then can these authorities assess at short notice the impact of an incident on the financial entity and the financial market and, if necessary, respond accordingly. In addition to the reporting system, new requirements for incident management are being introduced to help boost the resilience of financial entities.

Article 17 of DORA requires financial entities to implement processes for monitoring IT systems and managing ICT incidents and significant cyber threats. Financial entities should be in a position to quickly detect and manage such incidents. This includes, for example, the requirement to define early warning indicators. Financial entities are also obliged to clearly regulate roles and responsibilities and define rules for communication to external stakeholders. In addition, DORA requires that the management body has to be informed about each major incident.

Each ICT incident must be classified according to the criteria set out in Article 18 of DORA (see Figure 1). The classification process is set out in the Regulatory Technical Standards (RTS) on classification of incidents. Under Article 19 of DORA, incidents classified as major must be reported by the financial entity concerned to the relevant competent authority. The entity is to do so by submitting an initial notification, an intermediate report and a final report.

Figure 1: Classification process for major ICT incidents. Source: BaFin diagram based on the Regulatory Technical Standards (RTS) on the classification of incidents.

The initial notification must be made shortly after an incident has been classified as major. The supervisory authority should not first learn of an incident from a press report. The time limits for the reports are set out in the RTS on reporting of major incidents. In the initial notification, the financial entity concerned should inform the supervisory authority about the incident – and do this in such a way that the supervisors, as competent third parties, understand the facts of the matter. The initial notification should ensure that the supervisors are in a position to appropriately assess the situation (see Info Box “At a glance: Initial notification”).

How severe is the impact of the incident? This assessment is an important element of the initial notification. Examples of severe impact are long-term disruptions in payment services or stock exchange trading, unauthorised persons gaining access to data, or data being encrypted or inadvertently altered. Incidents are also deemed severe if ICT systems that support critical or important functions are down for longer periods – in other words, if the Recovery Time Objective (RTO) is exceeded. The RTO is the maximum tolerable length of time that critical functions may be down after a failure or disaster occurs.

If the cause of an incident is not attributable to the financial entity itself but to one of its service providers, the supervisory authority must also be notified of this by the financial entity. Using its outsourcing database, BaFin is able to analyse which other entities might also be impacted by the incident – and draw their attention to this, if necessary. The outsourcing database makes it possible for BaFin to better assess the consequences of the incident for the entire financial sector.

At a glance: Initial notification

In the description of the incident, the following questions should be answered:

  • What has happened?
  • Which services are affected?
  • What impact is the incident having on clients, counterparts or other financial market players?
  • Is the incident still ongoing and, if so, how long is it likely to continue?
  • Is the incident likely to have been triggered by malicious actions?
  • How serious was the incident from the financial entity’s viewpoint at the time the report was submitted? Estimate of the degree of severity: very low, low, medium, high, very high
  • Is a lasting impact on the financial entity, its customers or even the financial market to be expected – or are there already signs of this?
  • How likely is it that other financial entities have been impacted by this incident?

The intermediate report provides BaFin with concrete data on the magnitude of the incident as well as a detailed analysis of it. It is intended to enable the financial supervisor to make an even better assessment of the impact of the incident on the entity, its clients, counterparts and the financial market.

Depending on how the incident develops, the entity must ensure that BaFin is kept up-to-date by submitting several intermediate reports, if necessary. It is of particular importance that BaFin is notified of changes in the status of the incident, i.e. whether the restrictions due to the incident are still ongoing, business operations have been restored or the incident has become more acute.

The entity must notify the supervisory authority when the incident has been resolved and once it has completed its analysis of the causes. This notification involves sending a final report containing an explanation of the causes of the incident, the measures taken and any costs and losses incurred. The RTS provides information on which costs are to be taken into account for this.

At a glance: Data quality

All data fields must be correctly and completely filled out by the entities for all reports. If this is not the case, BaFin will call on the entity to submit a complete report. If accurate data are not yet available for the initial notification or the intermediate report, the financial entity may provide estimated values based on historical data from previous periods. However, any estimates must be replaced, where possible, by exact information by the time the final report is submitted at the latest.
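The following is an added illustration, not BaFin's own reporting tooling or a DORA-prescribed schema: a small validator that models the three-stage report lifecycle (initial notification, intermediate report, final report) together with the data-quality rule in the box above, namely that every required field must be filled and that values estimated from historical data are tolerated in the first two stages but must be replaced by exact figures in the final report. It also carries the RTO check from the severity discussion above. The field names, the `estimated` flag, the `Datum` and `Stage` types and the sample incident are all constructed for this example.

```python
"""Constructed example: validator for a three-stage DORA incident report.
Field names, the Stage/Datum types and the sample data below are assumptions
made for illustration, not BaFin's or DORA's own schema."""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    INITIAL = "initial"
    INTERMEDIATE = "intermediate"
    FINAL = "final"


# Severity scale named in the initial-notification box of the article
SEVERITY_LEVELS = ("very low", "low", "medium", "high", "very high")

# Fields each stage must answer (names assumed, content taken from the article's
# description of what each report should contain)
REQUIRED_FIELDS = {
    Stage.INITIAL: (
        "what_happened", "services_affected", "impact_on_clients",
        "still_ongoing", "malicious_suspected", "severity",
        "lasting_impact_expected", "other_entities_likely_affected",
    ),
    Stage.INTERMEDIATE: ("magnitude_data", "detailed_analysis", "status"),
    Stage.FINAL: ("root_cause", "measures_taken", "costs_and_losses"),
}


@dataclass(frozen=True)
class Datum:
    value: object
    estimated: bool = False  # True while the value rests on historical data


def validate_report(stage, fields):
    """Return a list of data-quality problems; an empty list means the report
    is complete and would not trigger a request for resubmission."""
    problems = []
    for name in REQUIRED_FIELDS[stage]:
        datum = fields.get(name)
        if datum is None or datum.value is None or datum.value == "":
            problems.append(f"missing field: {name}")
        elif datum.estimated and stage is Stage.FINAL:
            # Estimates are acceptable earlier, but not in the final report
            problems.append(f"estimate not replaced by exact value: {name}")
    severity = fields.get("severity")
    if severity is not None and severity.value not in SEVERITY_LEVELS:
        problems.append(f"severity must be one of {SEVERITY_LEVELS}")
    return problems


def rto_exceeded(downtime_minutes, rto_minutes):
    """An outage of a critical or important function that outlasts its
    Recovery Time Objective counts as severe impact."""
    return downtime_minutes > rto_minutes


def sample_lifecycle():
    """Constructed walk-through of one incident across all three reports."""
    initial = {
        "what_happened": Datum("payment gateway unreachable after failed update"),
        "services_affected": Datum(["card payments", "online transfers"]),
        "impact_on_clients": Datum("transfers rejected for retail clients"),
        "still_ongoing": Datum(True),
        "malicious_suspected": Datum(False),
        "severity": Datum("high"),
        "lasting_impact_expected": Datum(False),
        "other_entities_likely_affected": Datum("low"),
    }
    intermediate = {
        # An estimate is still fine at this stage
        "magnitude_data": Datum({"failed_transactions": 12000}, estimated=True),
        "detailed_analysis": Datum("configuration error in load balancer"),
        "status": Datum("business operations restored"),
    }
    final_with_estimate = {
        "root_cause": Datum("misapplied load-balancer configuration"),
        "measures_taken": Datum("rollback; change-review step added"),
        "costs_and_losses": Datum(45000, estimated=True),  # not yet exact
    }
    final_exact = dict(final_with_estimate, costs_and_losses=Datum(47210))
    return {
        "initial": validate_report(Stage.INITIAL, initial),
        "intermediate": validate_report(Stage.INTERMEDIATE, intermediate),
        "final_with_estimate": validate_report(Stage.FINAL, final_with_estimate),
        "final_exact": validate_report(Stage.FINAL, final_exact),
        "rto_exceeded": rto_exceeded(downtime_minutes=240, rto_minutes=120),
    }


if __name__ == "__main__":
    for stage, result in sample_lifecycle().items():
        print(stage, "->", result)
```

Running the module shows the only rejected submission is the final report that still carries an estimated cost figure; the same estimate passes in the intermediate report, and the 240-minute outage against a 120-minute RTO is flagged as severe.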


For many financial entities, these requirements are nothing new. Payment service providers are already obliged to meet similar reporting and notification requirements under section 54 (1) of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG), which transposed the reporting requirements enshrined in the Second Directive on Payment Services (PSD2) into German law. DORA extends the notification requirement for major ICT incidents to all financial entities (see Article 2 of DORA) and standardises it.

BaFin is to become the central reporting hub for ICT incidents of the financial entities in Germany covered by DORA and will immediately forward all reports to other relevant authorities (see Figure 2). If an incident has a significant impact on other member states of the European Economic Area (EEA), the supervisory authorities of these states will be informed of the incident by the respective European Supervisory Authority.

Some entities of the financial sector are covered by the EU Directive on Security of Network and Information Systems (NIS Directive, from October 2024 “NIS-2 Directive”). The requirements of this directive partially overlap with those of DORA. The lex-specialis rule is to apply here – in other words, the requirements under DORA take precedence where they are more specific than those of the NIS-2 Directive. This means that, in future, financial entities that fall under the NIS-2 Directive need only submit one incident report, to BaFin, in accordance with DORA. BaFin will immediately forward the report to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

Figure 2: Reporting process under DORA. Source: BaFin diagram.

At BaFin, an incident management team checks the quality of the data and immediately analyses the reports, focusing on both the micro- and macro-prudential impact of each incident, i.e. the impact on the entity and the financial market.

The incident management team is part of the horizontal supervision of IT risks. In other words, it is responsible for all BaFin sectors and thus for all sectors of the financial market. If necessary, the members of the team will engage with the competent supervisors at BaFin and – if credit, payment and e-money institutions are affected – with the relevant staff members at the German Bundesbank. If necessary, BaFin can seek dialogue with the entity affected in order to better understand the causes and consequences of the ICT incident. If the need arises, the incident management team can support the competent supervisors in the implementation of supervisory measures.

Besides the reporting obligation for ICT incidents, DORA is also introducing a voluntary system for reporting significant cyber threats. These also include weaknesses that can be exploited for launching cyber-attacks. Such voluntary reports are very valuable and help BaFin to gain a more comprehensive impression of the security and threat situation in the financial sector. In future, BaFin will be processing all information – whether in the form of mandatory or voluntary reports – in its overview of cyber risks in the financial sector.

What needs to be done?

Starting 17 January 2025, i.e. the date on which DORA enters into force, all major ICT incidents must be reported. It is important that entities begin adapting their processes now. This includes taking all the measures necessary to ensure that they can submit all data pertaining to the occurrence of an ICT incident. Moreover, the responsible staff members must be in a position to detect, manage and report incidents in accordance with the new requirements.

At a later date, BaFin will be providing further information on the specific procedure for activating the accounts of entities’ reporting agents and on the structure of the reporting procedure.
