On 1 March 2024, ALFI responded to the ESAs' consultation on the draft regulatory technical standards (RTS) and implementing technical standards (ITS) on the ICT-related incident reporting regime for financial entities (FEs) under DORA.
The proposed RTS aim to establish the content of the reports for major ICT-related incidents and significant cyber threats, including the time limits within which FEs must report these incidents to their competent authorities. The associated ITS define the standard forms, templates and procedures FEs use to report a major ICT-related incident or to notify a significant cyber threat.
In its response to this consultation, ALFI highlighted the following concerns:
- Timeline alignment with CSSF Circular 24/847: building on the Luxembourg regulator's encouragement for FEs to start implementing DORA and its local transposition early, we are in favour of deadlines that:
  - express the elapsed time in working days;
  - strictly distinguish the 24 hours after detection allowed for classification from the 4 hours allowed for the subsequent initial notification, thereby removing the current vagueness on this point;
  - apply the proportionality principle consistently to all three reports and push the reporting deadline back to the next business day, including for the initial notification.
- Implementation time/best effort: we would advise allowing sufficient implementation time, on a best-effort basis, and suggest that FEs be allowed to phase the implementation and present a transition plan detailing their risk assessment and cost/benefit assessment, taking into account the size and risk level of the local FE.
- Final report "assessment of effectiveness of actions taken": FEs should only be required to provide this information once, and if, the assessment of the effectiveness of the measures taken to avoid recurrence has been completed, rather than as a subjective tick-the-box exercise.
View the ALFI response.