Under the DORA Regulation, the financial entities referred to in Article 2 of DORA are required to report all major ICT-related incidents and, on a voluntary basis, significant cyber threats to Banca d'Italia. For banks, payment institutions, account information service providers and electronic money institutions, the reporting obligations also extend to any operational or security payment-related incidents that affect them.
Furthermore, pursuant to Article 11(10) of the DORA Regulation, financial entities directly supervised by Banca d'Italia are required to submit annually, by 31 May, estimates of aggregated annual costs and losses caused by major ICT-related incidents, in accordance with the Joint Guidelines issued by the European Supervisory Authorities (JC/GL/2024/34). In the case of less significant banking groups or groups of investment firms (SIMs), this reporting must be carried out at the consolidated level. With regard solely to the reporting due in 2026, the deadline is postponed to 30 June.
Financial entities must use Banca d'Italia's INFOSTAT platform to submit the reports.
To make it easier for financial entities to collect and present the information to be communicated pursuant to the DORA provisions, the necessary reporting templates and instructions for reporting are provided on this page.
The information on this page applies only to the following entities: banks, payment institutions, electronic money institutions, investment firms, managers of alternative investment funds, management companies, crypto-asset service providers, issuers of asset-referenced tokens, crowdfunding service providers, Cassa Depositi e Prestiti S.p.A. and, for Bancoposta, Poste Italiane S.p.A.