BaFin provides guidance on reporting security incidents under DORA

DORA will come into effect on 17 January 2025, imposing a range of ICT risk-related requirements, including new incident reporting obligations on financial businesses. The BaFin guide (link in German) lays down what the reporting obligations under DORA are about, what BaFin’s role is and what happens when it receives a notification.

Daniel Widmann, Munich-based cyber security expert at Pinsent Masons, said: "In its guide, BaFin provides some useful examples what it considers to be ‘serious ICT incidents’ that must be notified to BaFin under DORA. BaFin considers it a serious ICT incident if payment transactions or stock exchange trading are disrupted for a longer period of time, or if unauthorised third parties have gained access to data or have encrypted data. This shows that in the view of BaFin, the notification threshold for serious ICT incidents is not too high, meaning that companies regulated under DORA should prepare for the processes and formalities of such notification obligations.

DORA defines requirements for incident management in the financial sector and introduces a harmonised reporting system for serious incidents and significant cyber threats. Article 17 DORA requires organisations to implement processes to monitor their IT systems and manage incidents and significant cyber threats quickly. This means, for example, that they must define early warning indicators. In addition, companies must clearly regulate roles and responsibilities as well as communication to all relevant stakeholders. DORA also requires the management to be informed of any serious incident.

"German financial sector companies seem to be in a good starting position for the applicability of DORA from 2025, as individual instruments that BaFin has already created in the past to increase the ICT security of the German financial sector can be found in DORA," said Florian Elsinghorst, a Düsseldorf-based expert in Regulated Industries at Pinsent Masons. "Nevertheless, companies should start adapting their processes now. This also includes creating the conditions to enable them to submit all the necessary data in the event of an ICT incident. In addition, the responsible employees should be enabled to detect, manage, and report incidents in accordance with the new requirements. "

Each ICT incident must be classified in accordance with the criteria set out in Article 18 of DORA. The regulatory technical standards (RTS, link in German) on classification of incidents specify the process for this. Incidents classified as serious must be reported to the BaFin via an initial and a final report. The initial report must be placed shortly after the incident has been classified as serious.

The initial report must disclose information on what happened, which services were affected, what impact this will have on consumers and financial market participants and for how long the incident has lasted or will last.

According to BaFin, the aim of the new reporting obligations is to give all relevant information to the authorities so they can assess the likely impact on the financial market.

If the cause of an incident does not lie with the company itself, but with one of its service providers, the company must nevertheless report the incident.

Depending on how the incident develops, the company must keep BaFin up to date with several interim reports. In particular, it must notify BaFin of any changes in status.

Once the incident has been resolved and the root cause analysis has been completed, the company informs BaFin with a final report. Among other things, it must describe the cause of the incident, measures taken, costs incurred and losses. The RTS provide information on the types of costs to be considered.

Luke Scanlon, an expert in financial technology regulation, highlighted the cross-border implications of BaFin’s approach. “While DORA, as EU Regulation, does not need to be implemented through local legislation, the approach taken by regulators in different EU member states will determine the extent to which in practice its requirements can be met by financial institutions operating in multiple jurisdictions in a harmonised way, and the BaFin advice goes some way to indicating what the likely trend amongst regulators will be in setting out at a granular level what is expected in order to comply”, he said.

Many financial companies are already subject to similar obligations, for example under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz/ZAG) and the Revised Payment Services Directive (PSD 2 Directive). However, DORA extends the reporting obligation for serious ICT incidents to a much broader range of financial businesses and defines uniform standards.

Also, from October 2024 onwards, the European Network and Information Security Directive (NIS 2 Directive) will apply to some businesses in the financial sector. Some of the requirements overlap with DORA. However, BaFin said that the requirements from DORA must be given priority if they are more specific than those of the NIS 2 Directive: "Financial companies that fall under the NIS 2 Directive will therefore only have to submit an incident report to BaFin in accordance with DORA in future. BaFin will make the report available to the Federal Office for Information Security without delay. "

Widmann said: "Currently, we see a lot of uncertainty amongst our financial sector clients, whether they are subject to DORA or NIS 2. In principle, as BaFin states in its guide, we advise our financial sector clients to prepare for DORA because the NIS 2 makes certain exceptions for companies that are already regulated under DORA. However, since NIS 2 is not yet implemented across all EU member states, there remains legal uncertainty until the national NIS 2 laws are finally implemented.”