Article 20 Harmonisation of reporting content and templates
TL;DR
This article outlines the development of the Digital Operations Resilience Act from the EU. The ESAs, in consultation with ENISA and the ECB, are responsible for developing common draft regulatory technical standards for reports regarding major ICT-related incidents, notifications for significant cyber threats, and establishing standard forms, templates and procedures for entities to report major ICT-related incidents and notify significant cyber threats. The ESAs must take into account the financial entity's size and risk profile, as well as the nature, scale and complexity of its services and operations in developing the draft regulatory technical standards. The ESAs must submit the common draft standards to the Commission by July 17th 2024, with the Commission having the power to adopt the standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.The ESAsEuropean Supervisory Authority, through the Joint Committeemeans the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010;, and in consultation with ENISA and the ECB, shall develop:
-
common draft regulatory technical standards in order to:
-
establish the content of the reports for major ICT-related incidentsmeans an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; in order to reflect the criteria laid down in Article 18(1) and incorporate further elements, such as details for establishing the relevance of the reporting for other Member States and whether it constitutes a major operational or security payment-related incidentmeans an operational or security payment-related incident that has a high adverse impact on the payment-related services provided; or not;
-
determine the time limits for the initial notification and for each report referred to in Article 19(1);
-
establish the content of the notification for significant cyber threatsmeans a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;.
When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, and in particular, with a view to ensuring that, for the purposes of this paragraph, point (a), point (ii), different time limits may reflect, as appropriate, specificities of financial sectors, without prejudice to maintaining a consistent approach to ICT-related incidentmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; reporting pursuant to this Regulation and to Directive (EU) 2022/2555. The ESAsEuropean Supervisory Authority shall, as applicable, provide justification when deviating from the approaches taken in the context of that Directive;
-
-
common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entitiesas defined in Article 2, points (a) to (t) to report a major ICT-related incidentmeans an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; and to notify a significant cyber threatmeans a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;.
The ESAsEuropean Supervisory Authority shall submit the common draft regulatory technical standards referred to in the first paragraph, point (a), and the common draft implementing technical standards referred to in the first paragraph, point (b), to the Commission by 17 July 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the common regulatory technical standards referred to in the first paragraph, point (a), in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Power is conferred on the Commission to adopt the common implementing technical standards referred to in the first paragraph, point (b), in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.