DNB Update on Reporting of Major ICT-Related Incidents Under DORA

The Digital Operational Resilience Act (DORA) has become the cornerstone of the European Union’s effort to safeguard the financial sector against cyber‑threats and systemic ICT failures. Enacted in 2024, DORA obliges banks, insurers and asset managers to report any major information‑technology incident to their national supervisory authority within a tight timeframe. By standardising incident taxonomy and mandating transparent disclosure, the regulation aims to create a pan‑European view of digital risk, enabling faster coordination among regulators and reducing the likelihood of cascading failures.

On 13 April 2026 the Dutch Central Bank (DNB) announced a refinement to the reporting workflow that adds an automated validation layer for all DORA‑related submissions. From mid‑April, each report will be checked against a set of technical requirements; institutions receive a feedback sheet that flags any deviations. If the issue is classified as a warning, firms can amend the relevant fields in their next scheduled report without re‑filing. Conversely, an error triggers a rejection, obliging the institution to correct the flaw and resubmit the report before it can be processed.

The new validation regime raises the bar for data quality and accelerates regulatory response times. Financial firms operating in the Netherlands must now invest in tighter internal controls, automated compliance checks and staff training to avoid costly error re‑submissions. While the immediate compliance burden may increase, the approach promises more reliable incident data, which can be leveraged for industry‑wide risk analytics and benchmarking. As other EU supervisors observe DNB’s model, similar validation mechanisms could spread, harmonising reporting standards and reinforcing the EU’s collective cyber‑resilience posture.