Starting on 17 January 2025 - date of application of the DORA regulation - the financial entities referred to in Article 2 of DORA are required to report all major ICT-related incidents and, on a voluntary basis, significant cyber threats to Banca d'Italia. In addition, for banks, payment institutions, account information service providers and electronic money institutions, the reporting obligations are also extended to any operational or security payment-related incidents that affect them.
To report incidents and cyber threats, financial entities must use Banca d'Italia's INFOSTAT platform.
To make it easier for financial entities to collect and present the information to be communicated pursuant to the DORA provisions, the necessary reporting templates and instructions for reporting are provided on this page.
It should be noted that the information on this page applies only to the following entities: banks, payment institutions, electronic money institutions, investment firms, managers of alternative investment funds, management companies, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers.
Starting on 17 January 2025, the current incident reporting framework applied to banks and payment and electronic money institutions will no longer be in force and will be replaced by the DORA incident reporting framework described in this page.
