Germany: BaFin publishes guide on incident reporting under DORA

On June 18, 2024, the Federal Financial Supervisory Authority (BaFin) published a guide on incident reporting under the Digital Operational Resilience Act (DORA), stating that from January 2025, serious information and communication technology (ICT) incidents must be reported to BaFin. DORA defines requirements for incident management in the financial sector and introduces a harmonized reporting system for serious incidents and significant cyber threats.

The guide illustrates the classification of ICT incidents and indicates what would constitute serious incidents. The guide further explains, among other things, the incident reporting procedure and states that the initial incident report must answer questions such as: 

  • what happened;
  • which services are affected;
  • what impact the incident may have on customers, counterparties, or other financial market participants;
  • if the incident is still ongoing and, if so, how long it is likely to last;
  • if the incident is likely to be the result of malicious intent; and
  • how serious the incident is from the financial institution's perspective at the time of reporting, with an assessment of the severity of very low, low, medium, high, or very high.

BaFin advises companies to start adapting their processes for incident reporting now. In addition, the responsible employees should be enabled to detect, manage, and report incidents in accordance with the new requirements.

You can read the press release, only available in German, here.