The final text of the Digital Operational Resilience Act (DORA)

Article 21, Centralisation of reporting of major ICT-related incidents

1. The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities. The joint report shall explore ways to facilitate the flow of ICT-related incident reporting, reduce associated costs and underpin thematic analyses with a view to enhancing supervisory convergence.

2. The joint report referred to in paragraph 1 shall comprise at least the following elements:

(a) prerequisites for the establishment of a single EU Hub;

(b) benefits, limitations and risks, including risks associated with the high concentration of sensitive information;

(c) the necessary capability to ensure interoperability with regard to other relevant reporting schemes;

(d) elements of operational management;

(e) conditions of membership;

(f) technical arrangements for financial entities and national competent authorities to access the single EU Hub;

(g) a preliminary assessment of financial costs incurred by setting-up the operational platform supporting the single EU Hub, including the requisite expertise.

3. The ESAs shall submit the report referred to in paragraph 1 to the European Parliament, to the Council and to the Commission by 17 January 2025.

Note: This is the final text of the Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance).

Articles, Digital Operational Resilience Act (DORA):