ESAs explore centralised ICT incident reporting under DORA
The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) have published a joint report assessing the feasibility of centralising ICT-related incident reporting by financial entities, as mandated by the Digital Operational Resilience Act (DORA). The report, published on 22 January, outlines three potential models for centralisation and examines their costs, benefits, and implications.
The baseline model keeps the current decentralised approach: financial entities report to their national authorities, who then pass the information along. The second model adds data-sharing arrangements to speed up and simplify how incidents are communicated. The third model is the fully centralised EU Hub, an ambitious reimagining that consolidates everything into a single system.
The ESAs argue that further centralisation could unlock significant benefits, such as faster data dissemination and improved analytical capabilities. However, they also highlight challenges, including potential risks associated with concentrating sensitive data and the costs of transitioning from existing systems. Ultimately, any decision to move forward will require further technical studies and amendments to the legislation.