Position paper - Letter on the regulatory technical standards on the classification of ICT incidents under DORA
The inclusion in the Regulatory Technical Standards (RTS) on the classification of information and communication technology (ICT) incidents of a requirement to share incident reports across numerous authorities, and on a non-anonymised basis, raises significant concerns for financial entities. Incident reports constitute confidential security information for financial entities and may include technical details of an entity’s IT infrastructure and information about its vulnerabilities. Sharing information of this sensitivity across numerous authorities and on a non-anonymised basis creates a material cybersecurity risk for financial entities, and the resulting collection of reports will likely become a target for malicious actors. This requirement should not be included within the RTS. Rather, incident reports should only be shared on a need-to-know basis and anonymised in all circumstances. Moreover, financial entities should be informed of any other authorities that receive an incident report.