The European Supervisory Authorities (ESAs) have jointly published a report on the feasibility of further centralisation in the reporting of major ICT-related incidents. The paper is a response to article 21 of the Digital Operational Resilience Act (DORA), which requires ESAs to explore centralisation through “the establishment of a single EU hub for ICT-related incident reporting”.
With DORA in force since 17 January, financial entities in the EU now have a consistent incident reporting framework that includes requirements for major ICT-related incidents to be forwarded to the relevant competent authorities. This feasibility report studies whether “an EU hub could facilitate the flow of ICT-related incident reporting, reduce associated costs, support effective incident response, and underpin thematic analyses with a view to enhancing coordination and supervisory convergence”.
The ESAs, comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), recommend three options for further centralising incident reporting: the baseline model, the enhanced data sharing model, and the fully centralised model.
Go with the flow
In the baseline model, the reporting flows will be “fundamentally based on those established in DORA” with some modifications. Competent authorities will use the same system for reporting flows directed to the ESAs and for notifying other competent authorities in other member states. This would allow competent authorities to use one system for consulting incident reports and for getting access to ESAs.
The enhanced data sharing model is a combination of the baseline model and the fully centralised model. Under it, the flows of data at member state level will be simplified to facilitate replication of the structure in all countries. The duplication of reporting flows will only be maintained in the case of financial entities operating under the supervision of more than one national competent authority (NCA).
As its name implies, the fully centralised model is the most centralised of the three alternatives. Here, financial entities will report directly to the EU hub, and the remaining stakeholders will receive notifications and access reports and relevant information through the same hub. Centralisation would apply not only to reporting and information dissemination but also to analysis: stakeholders will get access to centralised tools that support analysis and follow-up processes.
A beneficial exercise
The report concludes that further centralisation through a single EU hub for ICT incident reporting under DORA is “feasible and brings certain benefits”. All three options are technically feasible, although only the baseline model is achievable in the short term, defined as within three years of January 2025. Implementation of the enhanced data sharing model should be viable in the medium term, between three and five years, while the fully centralised option will require five years or more.