Europejski Urząd Nadzoru Bankowego, Europejski Urząd Nadzoru Giełd i Papierów Wartościowych (European Securities and Markets Authority - ESMA), Europejski Urząd Nadzoru Ubezpieczeń i Pracowniczych Programów Emerytalnych (European Insurance and Occupational Pensions Authority - EIOPA), Ostateczne sprawozdanie dotyczące wspólnych wytycznych dotyczących szacowania skumulowanych rocznych kosztów i strat spowodowanych poważnymi incydentami związanymi z technologią informacyjną i komunikacyjną (ICT) na mocy Rozporządzenia (UE) 2022/2554

JC 2024 34

17 July 2024

Final Report Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554

1. Executive Summary

Article 11(11) of Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) mandates the European Supervisory Authorities (ESAs), to develop ‘common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents’. These Guidelines aim at harmonising the estimation by financial entities of their aggregated annual costs and losses caused by major information and communication technology (ICT)-related incidents according to Article 11(10) DORA.

In view of the ESAs, this mandate is closely interlinked with the DORA mandates conferred to the ESAs under Article 18(3) on incident classification and under Article 20 on reporting of incidents as these also require an assessment of costs and losses of ICT-related incidents....