Article 22

Supervisory feedback


TL;DR This article sets out the supervisory feedback obligations for the handling of ICT-related incidents in the European Union (EU) under the Digital Operational Resilience Act (DORA). Upon receipt of the initial notification and each subsequent report, the competent authority must acknowledge receipt and may, where feasible, provide relevant and proportionate feedback or high-level guidance. Financial entities remain fully responsible for handling the incident and its consequences. The ESAs must report annually on major ICT-related incidents on an anonymised and aggregated basis, setting out their number, nature, impact, remedial actions and costs. In addition, the ESAs issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.
  1. Without prejudice to the technical input, advice or remedies and subsequent follow-up which may be provided, where applicable, in accordance with national law, by the CSIRTs under Directive (EU) 2022/2555, the competent authority shall, upon receipt of the initial notification and of each report as referred to in Article 19(4), acknowledge receipt and may, where feasible, provide in a timely manner relevant and proportionate feedback or high-level guidance to the financial entity, in particular by making available any relevant anonymised information and intelligence on similar threats, and may discuss remedies applied at the level of the financial entity and ways to minimise and mitigate adverse impact across the financial sector. Without prejudice to the supervisory feedback received, financial entities shall remain fully responsible for the handling and for consequences of the ICT-related incidents reported pursuant to Article 19(1).

  2. The ESAs shall, through the Joint Committee, on an anonymised and aggregated basis, report yearly on major ICT-related incidents, the details of which shall be provided by competent authorities in accordance with Article 19(6), setting out at least the number of major ICT-related incidents, their nature and their impact on the operations of financial entities or clients, remedial actions taken and costs incurred.

    The ESAs shall issue warnings and produce high-level statistics to support ICT threat and vulnerability assessments.