Major incident reporting

This is a placeholder-page for the full legal text of the regulator techincal standard (RTS) on major incident reporting, supplementing DORA. It was submitted by the ESAs to the European Commission in January 2024 as mandated by Article 20 of DORA. It is expected to become applicable on 17 January 2025 along with DORA.

Until we publish the full legal text here, please find the draft RTS on ESMA’s web page or the adopted regulation on the EC’s web page..

The RTS major incident reporting, in line with the objectives of Regulation (EU) 2022/2554 (DORA), aims to standardize and streamline the ICT-related incident reporting regime for financial entities (FEs) across the EU. Mandated by Article 20 of DORA, it proposes time limits for reporting incidents, aligned with Directive (EU) 2022/2555 (NIS2) and tailored to the varying sizes and types of FEs. Additionally, the RTS and ITS outline the types of information to be included in incident notifications and reports, emphasizing essential data fields while providing flexibility for different incident types and entity sizes.