CySEC has released a crucial circular, C700, outlining the reporting obligations under DORA. Here are the key takeaways:
- Incident Reporting:
Major ICT-related incidents must be reported within strict deadlines: initial reports within 4 hours, intermediate within 72 hours, and final reports within one month. This ensures swift action and transparency.
- Classification of Incidents:
Entities must classify incidents based on various criteria, including client impact, service downtime, and economic repercussions. Understanding the severity helps prioritize responses effectively.
- Notification of Cyber Threats:
Voluntary notifications for significant cyber threats are encouraged, allowing entities to proactively address potential risks to the financial system.
- Annual Register of Information:
A register detailing ICT service contracts must be maintained and submitted annually by February 28 each year. The first submission is due by April 30, 2025, with reference date 31 March 2025.
Entities must familiarize themselves with the new forms and processes outlined in the circular.