Cybersecurity threats can have catastrophic consequences not only for financial institutions themselves, but also for their customers and the broader financial market. Disruptions in access to ICT services, data loss, and declining trust in payment institutions are just some of the potential consequences.

Achieving a high level of digital operational resilience therefore requires effective management of ICT-related incidents and proper reporting to the relevant authorities. In response to these challenges, the European Union introduced the DORA Regulation (Digital Operational Resilience Act), aimed at harmonizing the approach to ICT risk management across the financial sector.

The regulation imposes obligations on financial institutions related to the identification and classification of ICT-related incidents and places particular emphasis on reporting major ICT-related incidents. Read the article to learn about the key definitions included in the regulation, as well as the requirements and obligations imposed on financial entities.

Understanding the key concepts and definitions included in DORA is essential for effective ICT incident management. It helps organizations prepare comprehensive internal escalation procedures and customer notification plans in the event of an incident.

The DORA Regulation defines two types of ICT-related incidents:

ICT-related incident (according to Article 3(8) of the DORA Regulation) – a single event or a series of related events unplanned by the financial entity that compromises the security of network and information systems and adversely affects the availability, authenticity, integrity, or confidentiality of data, or the services provided by the financial entity.

Major ICT-related incident (Article 3(10) of the DORA Regulation) – an ICT-related incident with a significant adverse impact on the network and information systems supporting critical or important functions of the financial entity. Major ICT-related incidents can disrupt critical services and impair the institution’s ability to meet its obligations.

DORA also defines a cyber threat as any potential circumstance, event, or action that may damage or disrupt network and information systems and affect users of those systems.

A significant cyber threat is one that could result in a major ICT-related or security incident, for example in the context of payment operations. These definitions emphasize the broad scope and potential impact of cyber threats on digital security.

The regulation also introduces additional concepts that are important for understanding the scope of ICT-related incidents, including:

  • Network and information systems – the entire ICT infrastructure, including electronic communications networks, data-processing devices, and digital data itself.
  • Security of network and information systems – the ability of systems to withstand threats that may compromise the availability, integrity, or confidentiality of data and services.
  • Critical or important function – a function whose disruption could materially impair the financial institution’s operations, financial stability, or services provided to customers.

Understanding these concepts allows organizations to better prepare for potential risks and implement effective incident response procedures.

What Is the ICT Incident Management Process Under DORA?

To support the detection and management of ICT-related incidents, DORA identifies the essential elements of the incident management process. According to Article 17(3), these include:

a) implementing early warning indicators;

b) establishing procedures for identifying, tracking, logging, categorizing, and classifying ICT-related incidents according to their priority, severity, and the criticality of the services affected, in line with the criteria set out in Article 18(1) of the DORA Regulation;

c) assigning roles and responsibilities to be activated in the event of different types of ICT-related incidents and related scenarios;

d) defining communication plans for employees, external stakeholders, and the media in accordance with Article 14 of the DORA Regulation, as well as customer notification plans and internal escalation procedures, including procedures for ICT-related customer complaints and, where appropriate, providing information to financial entities acting as counterparties;

e) ensuring that at least major ICT-related incidents are reported to the appropriate senior management and that the management body is informed about their impact, the response taken, and any additional controls that should be established as a result of such incidents;

f) establishing ICT incident response procedures aimed at mitigating impacts and restoring operational capability and service security within a reasonable timeframe.

In practice, DORA requires financial institutions to build structured and repeatable processes for detecting, classifying, escalating, and responding to ICT incidents. Effective communication, clearly assigned responsibilities, and well-defined response procedures are essential for maintaining operational continuity and security.

DORA imposes specific obligations on financial entities in the context of ICT incident management.

Financial institutions are required to undertake a range of actions specified in Chapter III of the regulation and further clarified in draft regulatory technical standards.

Preparing Communication Plans

Financial institutions must develop crisis communication plans that enable the responsible disclosure of major ICT-related incidents. These plans should include procedures for informing customers, counterparties, and, where necessary, the public about identified threats.

Implementing Rapid Incident Detection Mechanisms

Institutions are also required to implement mechanisms that enable the rapid detection of abnormal activities within ICT systems, including issues related to network performance and incidents that may lead to serious disruptions.

As part of these measures, organizations should identify potential single points of failure that may threaten business continuity.

Monitoring User Activity and Detecting Irregularities

Financial institutions must ensure sufficient resources and tools for monitoring user activity within ICT systems. This includes detecting anomalies such as unusual behavior or cyberattacks and responding effectively to such incidents.

Additionally, DORA provides that further details regarding ICT risk management and incident response will be specified in regulatory technical standards developed by the European Supervisory Authorities. These standards are intended to improve processes related to the detection of and response to ICT threats.

Summary

Transparency in reporting incidents and cyber threats is one of the key elements of digital operational resilience. Financial institutions are therefore required to report major ICT-related incidents, enabling better coordination of corrective and preventive measures across the sector and supporting integrated monitoring of ICT risks.

DORA also encourages the voluntary reporting of cyber threats that could potentially escalate into major incidents.

Information sharing strengthens collective digital resilience across the financial sector and improves cooperation with external ICT providers. As cyber threats continue to grow, this collaboration becomes increasingly important.

The DORA Regulation represents a major step toward a more integrated approach to digital risk management in the financial sector. Financial institutions should therefore implement appropriate procedures, governance mechanisms, and ICT systems to meet regulatory requirements and ensure service continuity, operational resilience, and customer trust.

With the DORA application deadline approaching, the time available to adapt to the new requirements is rapidly decreasing. Organizations covered by the regulation should take action now to ensure full compliance and strengthen their digital operational resilience.
