Last month (July 2024) several US financial institutions and the ABA proposed or recommended to CISA, for its final rule, reporting requirements that would better align to CIRCIA and current (not evolving) regulatory requirements in the US to expedite the IRP and reporting for US banks. In multiple meetings I have had with colleagues and counterparts in major financial institutions this past month, I have heard those comments on data collection focusing just on immediately actionable information and limiting the scope to substantial incidents that affect critical services. I would point out that this is going to have some severe inconsistencies and potential consequences with DORA.
DORA mandates detailed reporting (with some specific data structures) on numerous aspects of ICT incidents, not just those that are immediately actionable, because in the EBA and ESMA consultations there were specific discussions over the regulators' ability to identify systemic risks and emerging threats. Moreover, the recommendations to limit reporting scope to "substantial incidents affecting critical services" and only U.S. operations are going to have some serious unintended consequences for financial institutions with footprints in the EU, because they fundamentally contradict DORA's comprehensive approach, which requires reporting of a wide range of ICT-related incidents.
I am not arguing the ethics of either approach; it is important to recognize the divergence of regulations and the dire need to manage this and be very aware of these inconsistencies going into 2025.
------------------------------
Weiyee In
CIO
Protego Trust Bank
------------------------------