DORA: ESAs consider further centralisation in reporting major ICT incidents
20 January 2025 UK, Europe
The European Supervisory Authorities (ESAs) have published a joint report exploring the potential for further centralisation in reporting major ICT-related incidents by financial entities.
Article 21 of the Digital Operational Resilience Act (DORA) requires the ESAs to assess the feasibility of further centralisation of incident reporting through the establishment of a single EU hub.
The report also assesses the feasibility of the existing reporting flows, operational from 17 January, and of a model with enhanced data-sharing arrangements.
It considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains that each model would bring for cross-sector supervisory practices.
“The study clearly shows further centralisation and a single EU Hub scenario is feasible and brings certain benefits,” say the ESAs.
According to the report, the fully centralised model aims to facilitate the collection and dissemination of ICT incident information and to offer advanced analytical capabilities over it, creating efficiencies at the EU level.
The report also identifies that the high concentration of sensitive information brings a higher risk of data loss, which will require comprehensive information security controls to be built into such a centralised solution.
However, this risk is “only marginally higher” in comparison to the first scenario, the ESAs add.
The report concludes that all three models are feasible, and there is no significant difference in terms of costs.
The authorities estimate that the data-sharing solution could be implemented progressively from this solution within three years, and the fully centralised hub could be put in place five years after that.
The ESAs have submitted the report to the European Parliament, the European Council, and the European Commission, which will consider its findings for future developments.