by Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso
With the EU Digital Operational Resilience Act (“DORA”) application date set for 17 January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats, and to report them under certain circumstances to regulators, clients, and the public.
In this post, we take a closer look at DORA’s ICT-related incident and cyber threat reporting obligations (which can require notifications as fast as four hours) and how covered entities can prepare to address them within their existing incident response plans (“IRPs”).
For a more general overview of DORA’s requirements, please see our previous blog post here, along with our coverage of management obligations for covered entities under DORA and how DORA will impact fund managers and the insurance sector in Europe.
ICT-Related Incidents
DORA and its implementing regulatory technical standards (“RTS”) require covered entities to classify incidents and report “major” incidents to the regulator and, depending on the nature of the impact, also to clients or the public. Notably, certain details on the timing and content of reporting remain under development.
Management and Monitoring Processes. As a baseline, DORA requires covered financial entities to establish and implement a management process to monitor, manage, and report incidents.
Classifying ICT-Related Incidents. DORA requires covered entities to classify incidents based on their impact, using the following criteria: (i) the criticality of the services affected; (ii) the number and/or relevance of affected clients, financial counterparts, and transactions; (iii) reputational impact; (iv) duration and service downtime; (v) geographical spread; (vi) data losses; and (vii) economic impact.
The European Supervisory Authorities (“ESAs”) developed a draft RTS further specifying the above criteria and, in January 2024, submitted a Final Report to the European Commission for approval. These standards include materiality thresholds for determining “major” incidents and, where applicable, “major operational or security payment-related incidents,” both of which are subject to the reporting requirement discussed below.
Major Incidents. An incident is considered major where it has any impact on critical services and has met certain materiality impact thresholds.
“Critical services” are affected if the incident:
- affects ICT services or network and information systems supporting the covered entity’s critical or important functions;
- affects financial services that require authorisation or registration or that are supervised by competent authorities; or
- represents a successful, malicious, and unauthorised access to the covered entity’s network and information systems.
If critical services are affected, the incident is considered major if: (i) there is successful, malicious, and unauthorised access to network and information systems that may result in data losses; or (ii) two or more of the following categories’ thresholds, outlined here, are met:
- Clients, financial counterparts, and transactions. For example, incidents affecting more than 100,000 clients or 10% of all clients using the affected service;
- Reputational impact. For example, incidents reflected in the media or where financial entities receive repetitive complaints from different clients;
- Duration and service downtime. Incidents lasting longer than 24 hours or experiencing service downtime exceeding two hours for ICT services supporting critical or important functions;
- Geographical spread. Incidents impacting territories of at least two Member States;
- Data losses. Incidents impacting the availability, authenticity, integrity, or confidentiality of data, which has or will have an adverse impact on the implementation of the business objectives of the covered entity or on meeting regulatory requirements;
- Economic impact. Incidents where the costs and losses incurred by the financial entity have exceeded, or are likely to exceed, EUR 100,000.
Further, recurring incidents may be considered as one major incident where they have occurred at least twice within six months, have the same apparent root cause, and collectively categorise as a major incident according to the above requirements.
Regulatory Reporting of Major Incidents. DORA will require that covered entities report major incidents to their relevant competent authority[1] by submitting initial, intermediate, and final reports. The reporting templates are still under development but are expected to be published by July 17, 2024. The time frames in which the reports must be submitted are also not yet finalised, however the current draft proposes that:
- initial notification be made just four hours from determining the incident is major but in any event within 24 hours of detecting the incident;
- intermediate notification be made within 72 hours of classifying the incident as major; and
- a final report be made no later than one month from classifying the incident as major.
The proposed initial and intermediate notification timeframes, in particular, present significant obligations on covered entities given the speed at which they would have to be made during what is typically a critical and resource-strained period of incident response for an organisation.
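To show how the classification rule and the draft timelines above fit together in an incident response playbook, the following Python helper is added here as an illustration. It is not from the post’s authors and not a regulator’s tool: it encodes only the draft criteria and thresholds as quoted in this post (critical-services gate, the malicious-access-with-data-loss shortcut, the “two or more categories” test, the six-month recurrence rule, and the 4h/24h/72h/one-month timelines). The field names, the rule for aggregating recurring incidents into one notional incident, the 183-day reading of “six months,” and the calendar-month arithmetic are assumptions, and the sample incidents are constructed; the thresholds should be checked against the final RTS/ITS before use.

```python
"""Illustrative DORA major-incident triage helper (added example, not the post's own).

Encodes the draft RTS thresholds exactly as quoted in the post. Field names,
the recurrence aggregation rule and the month arithmetic are assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, fields
from datetime import datetime, timedelta
from itertools import combinations


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    root_cause: str                              # assumed analyst-assigned root-cause tag
    supports_critical_function: bool = False     # ICT supporting critical/important functions
    authorised_service_affected: bool = False    # authorised / supervised financial service
    malicious_access: bool = False               # successful, malicious, unauthorised access
    may_cause_data_loss: bool = False
    clients_affected: int = 0
    total_clients: int = 0
    media_or_repeat_complaints: bool = False
    duration_h: float = 0.0
    downtime_h: float = 0.0
    member_states: int = 1
    data_loss_with_business_impact: bool = False
    cost_eur: float = 0.0


def critical_services_affected(inc: Incident) -> bool:
    """Gating criterion: any one of the three 'critical services' conditions."""
    return inc.supports_critical_function or inc.authorised_service_affected or inc.malicious_access


def thresholds_met(inc: Incident) -> list[str]:
    """Materiality categories whose quoted threshold the incident crosses."""
    met = []
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    if inc.clients_affected > 100_000 or share > 0.10:
        met.append("clients")
    if inc.media_or_repeat_complaints:
        met.append("reputation")
    if inc.duration_h > 24 or (inc.supports_critical_function and inc.downtime_h > 2):
        met.append("duration")
    if inc.member_states >= 2:
        met.append("geography")
    if inc.data_loss_with_business_impact:
        met.append("data_loss")
    if inc.cost_eur > 100_000:
        met.append("economic")
    return met


def is_major(inc: Incident) -> bool:
    if not critical_services_affected(inc):
        return False
    if inc.malicious_access and inc.may_cause_data_loss:  # shortcut (i)
        return True
    return len(thresholds_met(inc)) >= 2                   # test (ii)


def aggregate(a: Incident, b: Incident) -> Incident:
    """Merge two recurrences into one notional incident (aggregation rule is an assumption:
    booleans OR'd, counts/durations/costs summed, population sizes and spread taken as max)."""
    merged = {}
    for f in fields(Incident):
        x, y = getattr(a, f.name), getattr(b, f.name)
        if f.name == "incident_id":
            merged[f.name] = f"{x}+{y}"
        elif f.name == "detected_at":
            merged[f.name] = min(x, y)
        elif f.name == "root_cause":
            merged[f.name] = x
        elif isinstance(x, bool):          # must precede the numeric branch
            merged[f.name] = x or y
        elif f.name in ("total_clients", "member_states"):
            merged[f.name] = max(x, y)
        else:
            merged[f.name] = x + y
    return Incident(**merged)


def recurring_major(incidents: list[Incident]) -> list[tuple[str, str]]:
    """Pairs with the same root cause, within six months (assumed 183 days), that are jointly major."""
    hits = []
    for a, b in combinations(incidents, 2):
        if a.root_cause != b.root_cause or abs(a.detected_at - b.detected_at) > timedelta(days=183):
            continue
        if is_major(aggregate(a, b)):
            hits.append((a.incident_id, b.incident_id))
    return hits


def plus_one_month(t: datetime) -> datetime:
    y, m = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=y, month=m, day=min(t.day, calendar.monthrange(y, m)[1]))


def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> dict[str, datetime]:
    """Draft timelines quoted in the post; initial is 4h after classification, capped at 24h after detection."""
    return {
        "initial": min(classified_at + timedelta(hours=4), detected_at + timedelta(hours=24)),
        "intermediate": classified_at + timedelta(hours=72),
        "final": plus_one_month(classified_at),
    }


def sample_incidents() -> dict[str, Incident]:
    """Constructed sample data (not real incidents) exercising each branch."""
    t0 = datetime(2025, 3, 1, 9, 0)
    return {
        "intrusion": Incident("INC-1", t0, "phish", malicious_access=True, may_cause_data_loss=True),
        "outage": Incident("INC-2", t0, "dns", supports_critical_function=True,
                           clients_affected=5_000, total_clients=20_000, member_states=2),
        "single": Incident("INC-3", t0, "cert-expiry", supports_critical_function=True, cost_eur=150_000),
        "rec_a": Incident("INC-4", t0, "ha-failover", supports_critical_function=True, downtime_h=1.5, cost_eur=60_000),
        "rec_b": Incident("INC-5", t0 + timedelta(days=40), "ha-failover", supports_critical_function=True,
                          downtime_h=1.0, cost_eur=50_000),
    }


def deadlines_example() -> dict[str, str]:
    d = reporting_deadlines(datetime(2025, 3, 1, 9, 0), datetime(2025, 3, 2, 7, 0))
    return {k: v.isoformat() for k, v in d.items()}


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, "major" if is_major(inc) else "not major", thresholds_met(inc))
    print("recurring:", recurring_major(list(sample_incidents().values())))
    print("deadlines:", deadlines_example())
```

The recurrence check is the part most IRPs miss: INC-4 and INC-5 are each below every threshold on their own, but once merged they cross both the two-hour downtime and the EUR 100,000 cost lines and must be treated as one major incident. The deadline helper also shows why the 24-hour-from-detection cap matters: an incident classified 22 hours after detection leaves only two hours, not four, for the initial notification.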
Client Notification of Major Incidents. Where a major incident has an impact on clients’ financial interests, covered entities will have to notify those clients of the incident without undue delay, “as soon as they become aware of it,” and communicate the measures taken to mitigate the adverse effects of the incident.
Public Disclosure of Major Incidents. Notably, DORA will also require covered entities to have communication plans enabling the responsible disclosure of major incidents to the public where appropriate. There is not yet guidance that clarifies under what circumstances public disclosure may be expected.
Cyber Threats
In addition to ICT-related incidents, DORA also requires covered entities to assess and classify “cyber threats” and to notify potentially affected clients of “significant cyber threats,” while encouraging voluntary notification to regulators. These provisions are a significant outlier relative to other reporting regimes, which do not require classification or reporting of cyber threats that have not yet materialised.
Classifying Cyber Threats. DORA requires covered entities to classify cyber threats based on the following criteria:
- “the criticality of the services at risk, including the financial entity’s transactions and operations;
- number and/or relevance of clients or financial counterparts targeted; and
- the geographical spread of the areas at risk.”
The RTS specifies “high materiality thresholds for determining significant cyber threats” in order to establish reporting obligations.
Significant Cyber Threats. A cyber threat is “significant” where the cyber threat:
- if materialised, could affect critical or important functions of the financial entity, or other financial entities, third-party providers, clients, or financial counterparts, based on information available to the financial entity;
- has a high probability of materialising; and
- if materialised, could affect “critical services” or meet the materiality thresholds classifying a “major” incident, with primary reference to those thresholds relating to impact on clients, financial counterparts, transactions, or geographical spread, though others may be considered.
When assessing whether a cyber threat has a high probability of materialising, covered entities should consider: (i) applicable risks related to the cyber threat, including potential vulnerabilities of the covered entity’s systems that could be exploited; (ii) the capabilities and intent of threat actors known to the covered entity; and (iii) the persistence of the threat and any accrued knowledge about incidents that have impacted the covered entity or its third-party providers, clients, or financial counterparts.
Client Notification of Significant Cyber Threats. Covered entities will have to notify potentially affected clients of significant cyber threats and of any “appropriate protection measures” those clients may consider taking. Notably, the time frame for notification is not explicitly stated; however, the relevant provision sits within the same section that requires notice “without undue delay” for major incidents, so that standard may apply here as well.
Regulatory Reporting of Significant Cyber Threats. Covered entities may voluntarily notify regulators of significant cyber threats where “they deem the threat to be of relevance to the financial system, service users or clients” but are not required to do so.
Five Considerations When Updating Incident Response Plans
Covered entities can prepare for DORA by beginning to review their IRPs to ensure they are appropriately able to monitor, classify, and, where appropriate, report incidents and cyber threats by January 2025 (although Luxembourg-regulated entities are subject to similar local reporting regimes already, or shortly will be).[2] When evaluating their IRPs, firms should consider the following:
- Revise the Scope of Covered Incidents. For many entities already assessing notification thresholds under a range of definitions, DORA adds additional complexity and new terminology. Entities may need to adjust IRP definitions and educate personnel about what additional circumstances should be escalated in order to capture the appropriate scope of ICT-related incidents and cyber threats for reporting obligations assessments. Additionally, entities may wish to identify in advance the means to obtain metrics relevant to a major incident analysis, such as customer and financial data, or pre-fill available data.
- Designate Responsible Personnel. Given the range of reporting audiences for major incidents and significant cyber threats, entities should consider designating who will be responsible for information gathering, drafting and submitting notifications to regulators, notifying clients, and preparing internal and external communications, and what internal approvals are needed. Additionally, DORA requires that entities assign at least one responsible individual for implementing the communication strategy.
- Establish Escalation Paths. To meet reporting obligations and deadlines, especially for an initial report of a major incident as quickly as within four hours, entities should consider defining in the IRP or related playbooks how and how quickly each category of ICT-related incident and cyber threat should be internally escalated.
- Align with the Communications Team. Well ahead of any potential disclosure scenario, the communications team should be briefed about DORA’s implications on the communications process and review its protocols and templates to accommodate the range of potential reporting to regulators, clients, and the public and attendant communications needs.
- Draft Notification Templates. The ESAs will develop pre-made templates for regulator and client notifications. Once these templates are made available, potentially by July 17, 2024, entities should consider integrating them into the appendices of an IRP or related playbooks to save valuable time during an incident and include contact and submission details for the designated competent authority.
Footnotes
[1] A centralised “EU hub” for major ICT-related incident reporting is still undergoing a feasibility assessment.
[2] Note that, for covered entities regulated in Luxembourg, the Commission de Surveillance du Secteur Financier is bringing DORA’s incident notification requirements into effect early, as of 1 April 2024 for certain supervised entities and 1 June 2024 for management companies and alternative investment fund managers.
Robert Maddox is International Counsel, Stephanie Thomas and Michiko Wongso are Associates, and Annabella M. Waszkiewicz is a Law Clerk at Debevoise & Plimpton LLP. This post first appeared on the firm’s Data Blog.
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regard to infringement of intellectual property rights remains with the authors.