Banks must report ICT incident costs to Banca d'Italia
The Banca d'Italia requires all directly supervised intermediaries to annually submit aggregated costs and losses from major ICT incidents. The first-year deadline for this reporting is June 30, 2026.
The DORA imperative
The European Union's Digital Operational Resilience Act (DORA) Regulation 2022/2554 introduces a new, mandatory reporting requirement for financial entities, with the specific exclusion of micro-enterprises.
These entities are now obligated to provide their respective Competent Authorities with an aggregated annual estimate of the costs and losses that result from major ICT incidents.
The precise methodology and format for this reporting are stipulated within the Joint Guidelines issued by the European Supervisory Authorities (ESAs), ensuring a standardized approach across the EU financial landscape.
In direct alignment with this comprehensive regulatory framework, the Banca d'Italia has formally requested all financial intermediaries under its direct supervision to adhere to this new reporting standard.
The central bank's primary objective in this initiative is to secure complete and up-to-date information concerning the financial repercussions of significant ICT incidents.
This data is deemed essential for bolstering supervisory oversight and enhancing the overall digital operational resilience within the Italian financial sector, addressing potential vulnerabilities arising from technological disruptions.
A grace period for compliance
The Banca d'Italia's request specifies that directly supervised intermediaries must submit these aggregated annual cost and loss estimates on a consolidated basis.
The standard annual deadline for this submission is May 31st.
However, for the inaugural year of this new reporting requirement, the deadline has been extended to June 30, 2026.
This postponement provides institutions with additional time to adapt to the new obligations and ensure accurate data collection.
Operational instructions detailing the submission procedures are available on the Banca d'Italia's website, complementing the Joint Guidelines from the ESAs.
This structured approach ensures consistent and comparable data across the supervised financial sector, facilitating robust analysis of ICT incident impacts and fostering greater transparency in operational resilience.