European Commission Adopts Implementing Technical Standards and Regulatory Technical Standards on Notification of Major ICT-Incidents and Cyber Threats under EU Digital Operational Resilience Act

The European Commission has adopted the following legislation supplementing the EU Digital Operational Resilience Act: (i) Commission Delegated Regulation containing Regulatory Technical Standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and (ii) Commission Implementing Regulation laying down Implementing Technical Standards with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. The Council of the European Union and the European Parliament will now scrutinize the Delegated Regulation. If neither object, it will be published in the Official Journal of the European Union. The Implementing Regulation will be published in the Official Journal without further scrutiny. Both Regulations will enter into force 20 days after publication in the Official Journal of the European Union. DORA will apply as of January 17, 2025.