DORA notifications

As part of DORA, companies are required to report major ICT-related incidents and (new) agreements with ICT service providers to the regulator. Additionally, there is an option to voluntarily report cyber threats. Companies can submit these notifications via the DORA page of the AFM. This is part of the AFM portal, which is accessible to companies holding an AFM licence.

In principle, anyone who is a legal representative/director is authorised to submit DORA notifications. If others in your organisation will also be submitting DORA notifications, you must authorise them yourself. You can do this in the AFM Portal by using the authorisation management function to select the individuals within your company who are allowed to submit notifications for DORA. If you do not have access to the DORA page, it is important to report this in a timely manner to ensure that you can submit the required notifications within the portal.

When should you report?

When a major ICT-related incident has occurred, it must be reported as soon as possible. After having classified the incident, companies have 4 hours to submit an initial notification via the AFM portal.

Time limits of 24 hours, 72 hours and 1 month

Major ICT-related incidents must be reported no later than 24 hours after detection. A follow-up report must be shared 72 hours after the initial notification has been submitted. In the follow-up report, companies must provide more details about the incident. A final report must be submitted to the regulator no later than one month after submitting the follow-up report. Once the final report is assessed (and approved), the notification process is completed. As long as the notification is not completed, the ICT-related incident can be reclassified (to a non-major ICT-related incident).

In addition to reporting major ICT-related incidents, companies can voluntarily report significant cyber threats. There are no specific timelines for this, and companies can report them at any time when they believe the cyber threat is relevant to the financial sector.

Companies must also report planned contractual arrangements on the use of ICT services supporting critical or important functions as well as when a function has become critical or important. This can be done at any time via the portal.

How should you report?

All DORA notifications must be submitted via the DORA page in the AFM Portal. To report ICT-related incidents, companies must upload a file containing the required information about the incident. All follow-up notifications (the follow-up report and final report) can then be submitted through this notification in the portal. A template is available in the portal that can be used for the initial notification, follow-up report, and final report.

Reporting significant cyber threats

For reporting significant cyber threats, companies do not need to upload any files. When reporting a cyber threat, companies must first provide their contact details and the contact persons. They can then provide information about the cyber threat, such as a description of the threat, details about the possible impact, and the status of the threat (active or inactive). No additional notifications are required after having reported the cyber threat.

Reporting agreements with ICT service providers

When notifying an agreement with an ICT third-party service provider, companies can specify whether it concerns a new agreement or an existing agreement where the function supported by the ICT service has become important or critical. Depending on this choice, information about the type of ICT service being outsourced or the function that has become important or critical will be requested. As with serious ICT-related incidents, we will review the notification and may request additional information if necessary.

What do we do with your notification?

When assessing incidents, we will review the completeness of the incident notification. Additionally, we will assess whether the incident (and its impact) is sufficiently described in the notification. If this is not the case, we will request additional information to clarify the situation. Cyber threats will be assessed in a similar manner. If further information is needed, we will contact the company via the portal. Both types of notifications will primarily be used to determine whether ICT-related incidents have occurred or if any cyber threats are active that could impact the financial sector.

When entering into a new contractual agreement where the ICT service supports an important or critical function, companies must report this promptly. The same applies to existing agreements where the business function has become important or critical.

Through the AFM portal, a separate notification can be submitted for each contractual agreement. This allows organisations to report new agreements throughout the year.

More information

More information on incidents and the obligation to report incidents is available on our website. If your question is not listed there, please contact the Business Desk.