Joint Guidelines of the European Supervisory Authorities on the estimation of aggregated annual costs and losses caused by major ICT-related incidents (JC/GL/2024/34) – applicable from 19.5.2025
The European Supervisory Authorities (EBA, EIOPA and ESMA) have issued Joint Guidelines (JC/GL/2024/34) on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (DORA).
The Financial Supervisory Authority has confirmed that it will comply with the Guidelines.
In accordance with Article 16(3) of the EBA/ESMA/EIOPA Regulation¹, the supervised entities shall make every effort to comply with the EBA/ESMA/EIOPA Guidelines.
Subject matter
These Guidelines clarify how the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 (DORA) is reported to the supervisors. Supervised entities within the scope of application of DORA must report the information for 2025 in accordance with these Guidelines via the Financial Supervisory Authority’s electronic reporting system by 28 February 2026.
Date of application
The Guidelines will apply from 19 May 2025.
For further information, please contact
Pasi Korhonen, Chief Specialist, telephone +358 9 183 5514 or pasi.korhonen(at)fiva.fi
Appendix
See also
Financial Supervisory Authority website: Guidelines of the European Supervisory Authorities
¹ Regulation (EU) No 1093/2010 establishing the EBA, Regulation (EU) No 1095/2010 establishing ESMA, Regulation (EU) No 1094/2010 establishing EIOPA