PensionsEurope has raised several concerns about proposed timelines for reporting major and intermediate incidents under the Digital Operational Resilience Act (DORA).

In response to the European Supervisory Authorities’ (ESAs) joint consultation on the second batch of policy mandates under DORA, which closed for submissions earlier this week, PensionsEurope said it does not agree with the proposed timelines as no proportionality is given to the timelines for reporting.

“That does no justice to the size or risk of different types of financial entities,” PensionsEurope stated. “We urge ESAs to explore the idea of different timelines depending on the type of financial entity, to better capture the specificities of the different types of financial entities such as IORPs which are not operating on a 24-hour a-day and 7 days a week basis like in the payment sector but rather on a monthly cycle.”

In addition, whilst the association acknowledged the need to tackle major incidents, it would like to understand if it is feasible for national competent authorities to act in such cases and if that justifies the short timeline for the initial notification.

PensionsEurope gave four reasons as to why the proposed time limit for the initial notification of a major incident is not suitable. Firstly, it argued that the classification of an incident as major is complex, requiring lots of information from many different sources within the entity, in several member states and the media.

“Despite some simplifications brought in the final report sent to the Commission on 17 January 2024, the classification of major incidents remains time-consuming,” PensionsEurope argued.

Secondly, it said the timeline is too challenging for situations where an incident relates to multiple financial entities, as each party will need to gather information from the financial entity or third party at which the incident was initiated.

“This may strain (answering, replying, and discussing) the crisis response for the incident and may result in reporting delays. The team, usually accountable for the classification and the reporting itself does not work 24/7. This organisational issue will be even greater for SMEs.”

Furthermore, the association warned that brief deadlines may result in premature notifications of significant incidents, necessitating later reclassification as non-major. This it said, would create unnecessary administrative burdens, both for the financial entities and for the authorities.

PensionsEurope also stressed the differences between the pensions sector and payment services.

“Indeed, the 4-hour timeline is aligned with the Payment Services Directive 2 (PSD2) but does not fit with the pension and insurance sector. Thus, the pensions sector does not have functions that are critical on a 4-hour basis or even on a 24-hour basis. In this regard, it must be stressed that as indicated above, that level 1 of DORA encourages the ESAs to provide different timeframes for different sectors. Therefore, to extend our argumentation, we would propose to mirror the 72-hour deadline in the GDPR legislation to ensure consistency across the regulation.

“In that case, it would mean that financial entities would have no later than 72 hours from the detection of the incident to submit the initial notification,” PensionsEurope concluded.

The association is also concerned about the timelines for intermediate reports arguing that the 72-hour deadline is too short given the amount of information authorities have to provide.

“Consequently, either the amount of data that needs to be provided to the authorities must be limited in scope or the deadline needs to be longer. We are worried that the timeframes might be too brief when an incident involves multiple financial entities,” the association said.

---