
Incident reporting


Obligation to report major ICT-related incidents

Financial entities subject to the requirements laid down by Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA), in accordance with Article 19 of this Regulation, report major ICT-related incidents and significant cyber threats to Latvijas Banka.

The content of reports and templates is stipulated in the technical and implementing standards (RTS/ITS). Different templates can be used for reporting incidents and cyber threats:

  • according to Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing DORA with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
  • according to Commission Implementing Regulation (EU) 2024/2956 of 29 November 2024 laying down implementing technical standards for the application of DORA with regard to standard templates and procedures intended for reporting major incidents and significant cyber threats.

Financial entities report major ICT-related incidents and significant cyber threats to Latvijas Banka in XLSX (Microsoft Excel Open XML) file format according to the XLSX file templates published on Latvijas Banka's website (without altering the worksheet order and table placement in both templates).

Financial entities send reports of incidents and significant cyber threats to the official e-address of Latvijas Banka.

Credit institutions classified as significant submit reports using Latvijas Banka's file exchange service (FAS).

The initial notification must be submitted within 4 hours of the incident classification and within 24 hours of the incident detection; 72 hours are allocated for the intermediate report and 1 month for the final report.

After collecting, analysing, and classifying incident information using templates (Excel file), financial entities prepare an initial notification followed by an intermediate report and a final report, and submit them to Latvijas Banka according to the specified deadlines.

When submitting an intermediate report or a final report, the template retains the information previously provided in the initial notification or the intermediate report. If necessary, the previously submitted information in the relevant tables is revised.

File templates for reports can be downloaded here:

The file name format is aaa_v_nn_yyyymmdd.xlsx, where:

  • aaa – file name prefix:
      • "DORA_IR" – for major incident reports;
      • "DORA_CYB" – for significant cyber threat reports;
  • v – version number of the submitted incident report (for cyber threat reports, only "1" is used), where:
      • "1" – initial notification;
      • "2" – intermediate report;
      • "3" – final report;
  • nn – report sequence number, if there is more than one report on the submission day (consists of two digits, such as 01, 02, etc.);
  • yyyymmdd – date of submission of the initial notification of the incident, where:
      • yyyy – year;
      • mm – month;
      • dd – day.
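A reporting entity can check file names against this convention before submission. The following is an added example, not code published by Latvijas Banka; the names `ReportName`, `parse_report_name` and `follow_up_problems` are hypothetical, and case-sensitive matching of the prefix and extension is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Assumption: prefixes and the extension are matched case-sensitively, as printed.
_NAME = re.compile(r"(DORA_IR|DORA_CYB)_([0-9])_([0-9]{2})_([0-9]{8})\.xlsx")
STAGES = {1: "initial notification", 2: "intermediate report", 3: "final report"}


@dataclass(frozen=True)
class ReportName:
    prefix: str
    version: int
    sequence: int
    initial_date: date  # submission date of the initial notification


def parse_report_name(filename: str) -> ReportName:
    """Parse aaa_v_nn_yyyymmdd.xlsx; raise ValueError naming the broken rule."""
    m = _NAME.fullmatch(filename)
    if m is None:
        raise ValueError(f"{filename!r}: not of the form aaa_v_nn_yyyymmdd.xlsx")
    prefix, version, seq, ymd = m[1], int(m[2]), int(m[3]), m[4]
    if version not in STAGES:
        raise ValueError(f"{filename!r}: version must be 1, 2 or 3")
    if prefix == "DORA_CYB" and version != 1:
        raise ValueError(f"{filename!r}: cyber threat reports only use version 1")
    try:
        initial = datetime.strptime(ymd, "%Y%m%d").date()
    except ValueError:
        raise ValueError(f"{filename!r}: {ymd} is not a calendar date") from None
    return ReportName(prefix, version, seq, initial)


def follow_up_problems(initial: str, follow_up: str) -> list[str]:
    """Compare a later incident report name with the initial notification's."""
    first, later = parse_report_name(initial), parse_report_name(follow_up)
    problems = []
    if first.prefix != "DORA_IR" or later.prefix != "DORA_IR":
        problems.append("only DORA_IR reports have follow-up versions")
    if first.version != 1:
        problems.append("first file is not an initial notification")
    if later.version <= first.version:
        problems.append("follow-up version does not advance")
    if later.initial_date != first.initial_date:
        problems.append("date must stay that of the initial notification")
    return problems
```

The second function catches the easiest mistake in this scheme: stamping an intermediate or final report with its own submission date instead of the date of the initial notification.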

Financial entities can fill in the incident report template in Latvian or English.

The availability of the contact points or employees indicated in the report must be ensured throughout the incident handling cycle.

If the financial entity has also sent the incident report to the National Cyber Security Centre or consulted it about incident containment solutions, the initial notification must include the relevant information.

If a financial entity plans to delegate or has delegated the reporting obligation to a third party or an ICT service provider, it must notify Latvijas Banka through the general communication procedure.

Financial market participants that have submitted reports to Latvijas Banka on significant ICT-related incidents in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 during the reporting year must prepare, by 1 April of the following year, a report on the total annual costs and losses caused by significant ICT-related incidents that occurred during the reporting year.

This report must be submitted to Latvijas Banka upon request.

The report shall be prepared in accordance with Article 11(10) of Regulation (EU) 2022/2554 and the Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554.

The report should include:

  • all significant ICT-related incidents for which a final report was submitted during the reporting year;
  • incidents reported in previous reporting years under Regulation (EU) 2022/2554, if they had a quantifiable financial impact in the relevant reporting year (e.g. recovery of financial resources).

Three European Supervisory Authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority – are compiling questions and answers to support consistent and effective application of the European Union regulation in the area of financial services. The database of questions and answers regarding DORA is available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As – EIOPA) and can be navigated by selecting appropriate filters.

The questions published there are the ones that market participants have most often found confusing. If you cannot find an answer to your question via the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to dora@bank.lv or submit your question via EIOPA's web resource Joint Q&As – EIOPA.
