ALFI responds to the ESA consultation on the proposed guidelines on costs and losses caused by major ICT-related incidents under DORA

On 1 March 2024, ALFI responded to the ESA consultation on the draft common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.

The proposed guidelines aim at harmonising the estimation by financial entities of their aggregated annual costs and losses caused by major information and communication technology (ICT)-related incidents, to be reported to their competent authority.

In its response to this consultation, ALFI highlights the following points:

1. “Upon request” reporting: ALFI would welcome the guidelines to confirm the non-periodic (i.e. ad-hoc) characteristic of the report, upon request from the NCA, and to limit the timeframe the requested report could cover (e.g. up to 3 years backwards);
2. Treatment of exceptional costs: we would appreciate clarification with regards to exceptional costs, such as consulting expenses involved in the resolution of the incident or in the implementation of measures to avoid recurrence of incidents;
3. No mandatory external validation: being based on actual audited accounting figures, external validation of this report should not be implemented.

View  the ALFI response.