Since January 17, 2025, the European financial sector has entered a new era of regulatory scrutiny regarding its digital infrastructure. Under the Digital Operational Resilience Act (DORA), financial entities are now legally mandated to report severe information and communication technology (ICT) incidents to their respective supervisors. This shift moves the industry away from fragmented national guidelines toward a unified, rigorous standard for operational resilience across the European Union.
Although the burden of reporting is significant, the regulation recognizes that not every firm has the internal bandwidth to manage high-pressure incident reporting during a crisis. To address this, DORA allows firms to delegate these tasks to third-party service providers. But this flexibility comes with strict transparency requirements to ensure that regulators—such as Germany’s Federal Financial Supervisory Authority (BaFin)—maintain a clear line of sight into who is managing the data.
For many firms, the primary challenge is no longer just the technical recovery from a cyberattack or system failure, but the administrative precision required to satisfy the reporting obligations that arise when DORA incident reporting is outsourced. The process involves a specific sequence of notifications and a careful weighing of the risks associated with “aggregated reporting,” a mechanism designed for efficiency that may inadvertently expose firm data to unnecessary jurisdictions.
The Framework for Outsourcing Reporting Duties
Under Article 19(5) of DORA, financial institutions can outsource the reporting of severe ICT-related incidents to a specialized service provider. This is particularly relevant for smaller entities or those relying heavily on managed service providers (MSPs), which are often the first to detect a systemic failure.
However, this is not a silent handover. According to Article 6 of the Implementing Regulation (EU) 2025/302, any firm choosing to outsource these duties must formally notify BaFin. This notification is a prerequisite; it must be submitted immediately after the outsourcing agreement is signed and, crucially, before the service provider submits the first incident report on the firm’s behalf.
To complete this notification, firms must provide a specific set of identifiers to ensure there is no ambiguity regarding the parties involved. The required data includes:
- The name, BaFin identification number and Legal Entity Identifier (LEI) of the reporting financial entity.
- The name and LEI of the service provider.
- The service provider’s BaFin identification number (if available) or their full postal address.
Maintaining this registry is a dynamic process. If an outsourcing agreement is terminated or modified, the financial entity is required to inform BaFin promptly to ensure the regulatory record remains accurate.
Aggregated Reporting: Efficiency vs. Privacy
One of the more complex features of the new regime is the ability to submit “aggregated reports.” Under Article 7 of the Implementing Regulation (EU) 2025/302, a service provider can submit a single report covering a severe ICT incident that affects multiple financial clients simultaneously.
This is designed for scenarios where a single failure—such as a major cloud outage or a breach at a critical software vendor—triggers a ripple effect across dozens of firms. Rather than receiving fifty identical reports for the same root cause, the regulator receives one comprehensive overview.
Despite the efficiency, BaFin has issued specific guidance to prevent administrative chaos and data leakage. Because financial firms vary wildly in structure and business models, the regulator recommends that aggregated reports only be used for entities that share a legal relationship, such as companies within the same corporate group or conglomerate.
The Risk of Regulatory Over-Exposure
The most significant caveat to aggregated reporting lies in how data is shared across borders. Under Article 19(6) of DORA, incident details are often forwarded to other relevant competent authorities. In an aggregated report, the list of affected firms is bundled together.
This creates a transparency risk: if a report is forwarded to a regulator in another EU member state, that authority will see the names of all firms in the aggregate, even those that have no business relevance or presence in that specific country. BaFin has explicitly stated that it cannot “split” these reports once they are submitted. Firms that are sensitive about their data being shared with non-relevant EU authorities are advised to avoid the aggregated reporting process and instead stick to individual filings.
| Feature | Self-Reporting | Outsourced Reporting | Aggregated Reporting |
|---|---|---|---|
| Execution | Internal team | Third-party provider | Provider for multiple firms |
| BaFin Notice | Not required | Mandatory before 1st report | Mandatory (same notice as outsourced reporting) |
| Primary Benefit | Full data control | Expertise & resource relief | Reduced redundant filings |
| Main Risk | Internal resource strain | Dependency on third party | Cross-border data exposure |
Compliance and Next Steps
For compliance officers, the immediate priority is auditing current third-party contracts. If a service provider is intended to handle DORA notifications, the legal agreement must be mirrored by a formal notification to the regulator. Failure to do so could render the first incident report non-compliant, potentially leading to further regulatory scrutiny during an active crisis.
The broader industry is now looking toward the practical application of these rules as the first wave of severe ICT incidents under the new regime is documented. Firms are encouraged to review the official FAQ guidelines provided by the regulator to clarify specific edge cases regarding their organizational structure.
Disclaimer: This article is provided for informational purposes only and does not constitute legal or financial advice. Organizations should consult with legal counsel to ensure full compliance with EU Regulation 2025/302 and DORA.
The next critical phase for the industry will be the evaluation of these reporting channels by European Supervisory Authorities (ESAs) to determine if the aggregated reporting thresholds require further refinement to better protect firm privacy. We will continue to monitor these regulatory updates as they emerge.
