Digital Operational Resilience Act (DORA)

ICT incident reporting under DORA

Chapter III of the EU's Regulation on digital operational resilience for the financial sector (DORA, Regulation (EU) 2022/2554) requires financial entities to establish and implement a management process for incidents related to information and communication technology (ICT), covering detection, handling, classification and reporting. These requirements are complemented by regulatory technical standards on the criteria for classifying ICT-related incidents and for determining which of them are major (Delegated Regulation (EU) 2024/1772), by regulatory technical standards on the content and time limits of the reports on major ICT-related incidents and of the voluntary notification of significant cyber threats (Delegated Regulation (EU) 2025/301), and by implementing technical standards laying down the standard forms, templates and procedures for those reports and notifications (Implementing Regulation (EU) 2025/302). Reporting follows a three-stage process of initial notification, intermediate report and final report.

An ICT-related incident is a single event or a series of linked events, unplanned by the financial entity, that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial entity (Article 3(8) of DORA). A major ICT-related incident is one that has a high adverse impact on the network and information systems supporting critical or important functions of the financial entity (Article 3(10)); the classification criteria are set out in Delegated Regulation (EU) 2024/1772. Only major ICT-related incidents must be reported (Article 19(1)); significant cyber threats may be notified on a voluntary basis (Article 19(2)). Financial entities should therefore ensure that their classification process produces a documented decision quickly enough to meet the reporting deadlines, since the clock for the initial notification starts with the classification of an incident as major.

Similar reporting obligations already existed for payment service providers under the revised Payment Services Directive (PSD2) and for operators of essential services under the Directive on security of network and information systems (NIS Directive). DORA replaces these obligations for financial entities and extends them to the entire financial sector, acting as the sector-specific regime in relation to the NIS framework. In Germany, BaFin is the competent authority that receives these reports. BaFin forwards the reports to the Bundesbank and other relevant authorities, including the Federal Office for Information Security (BSI) and the European Central Bank (ECB).

Register of information and reporting obligations under DORA

Article 28(3) of DORA requires financial entities to maintain and keep up to date a register of information covering all contractual arrangements on the use of information and communication technology (ICT) services provided by ICT third-party service providers. The register must be kept at entity level and, where applicable, at sub-consolidated and consolidated level, and must distinguish arrangements that support critical or important functions from those that do not. Financial entities must provide the full register of information, or specified sections of it, to the competent authority upon request. These requirements are supplemented by implementing technical standards establishing standard templates for the register of information (Implementing Regulation (EU) 2024/2956).

Article 28(3) also imposes ongoing reporting obligations. Financial entities have to report at least yearly to the competent authority on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions being provided. In addition, financial entities must inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions, and about any case in which a function has become critical or important.