DORA Reporting
Reporting of serious ICT-related incidents (Art. 19 DORA)
Since April 1, 2022, the FMA e-Service Portal has been used to report serious or disruptive cyber attacks in accordance with section 140 of FMA Guideline 2021/3. The cyber-attack reporting form is available for this purpose. With the applicability of DORA in the EEA, this notification will be replaced by the notification pursuant to Art. 19 DORA.
In a first implementation step, reports on serious ICT-related incidents and reports of significant cyber threats will be submitted in Excel format via the e-Service Portal in the form of an incident-related report. The following ESA templates are to be used for the submission of reports from February 1, 2025:
The latest Excel templates, which are also made available in the notification in the e-Service Portal, may not be adapted for the submission and must be used unchanged.
Notification of the information register (Art. 28 para. 3 DORA)
In accordance with Art. 28 para. 3 DORA, an annual notification of the information register will be required in future, which relates to all contractual agreements on the use of ICT services provided by third-party ICT service providers. The information register is expected to be requested for the first time shortly after DORA becomes applicable.
Information register submission window 2026:
With regard to the notification of the Information Register in accordance with Article 28(3) DORA, the FMA currently assumes that the notification requirements in the e-Service Portal for Financial Intermediaries in Liechtenstein will probably be sent out at the end of January/beginning of February. The submission deadline is expected to be in the last week of February. Due to information that is not yet final with regard to specific deadlines for forwarding and possible technical adjustments on the part of the ESA, it is not yet possible for the FMA to announce final dates. As soon as the relevant parameters are known or changes to this time window are specifically foreseeable, the FMA will provide further separate information.
In addition, financial intermediaries will in future inform the FMA promptly of any planned contractual agreement on the use of ICT services to support critical or important functions and in the event that a function has become critical or important (ex ante reporting obligation).
The documents published by the ESAs as part of a voluntary dry run in preparation for the future submission of the information register have been expanded to include information for the submission of the information register from 2025. These documents and information can be found here:
Preparation for DORA application
The publication of the EBA Reporting Technical Package, which contains the necessary information for submitting the DORA information register, can also be found here:
Ex-ante reporting obligation pursuant to Art. 28 (3) DORA
In connection with the ex-ante notification obligation pursuant to Art. 28 para. 3 DORA, the notification must be submitted using the corresponding e-Service form. The form Notification of contractual relationships pursuant to Art. 28 para. 3 DORA is displayed in the e-Service Portal under "Event-related notifications".
This content has been translated using a fully automated machine translation tool. Some content may not be accurately translated. More information.