Through ASF Instruction no. 1/2026, published in Official Gazette no. 474 of June 5, 2026, detailed rules are introduced for calculating and reporting to ASF the financial impact of major cyber incidents, in direct application of the DORA Regulation.
What does it stipulate?
The Instruction establishes a new obligation for financial entities to estimate and, at the request of the Financial Supervisory Authority (ASF), to report the aggregated annual costs and losses generated by major Information and Communication Technology (ICT) incidents. Reporting is not periodic, but is carried out only at the express request of the ASF for a specific reference year (closed financial year).
The calculation methodology is precisely defined and is based on data reflected in the company’s financial statements (profit and loss account). The process involves three sequential stages: 1) estimating gross costs and losses for each major incident individually; 2) estimating financial recoveries for each incident (e.g., compensation from insurance policies); 3) aggregating all costs, losses, and recoveries at the reference year level. Entities must also include in the calculation the accounting provisions related to these incidents.
The aggregated calculation for a reference year includes all major incidents for which a final report was submitted to the authorities in that year. Additionally, costs and losses recorded in the reference year that originate from major incidents that occurred in previous years, but which continue to generate an economic impact, will also be included. This mechanism ensures a complete picture of the long-term financial consequences of an incident.
The report to the ASF must comply with a standard format, provided in the annex to the instruction. It will contain a breakdown of costs, losses, and recoveries for each major incident individually. It is mandatory for each incident listed in this financial report to use the same reference code as that in the initial technical report, submitted in accordance with the obligations of the DORA Regulation.
To whom does it apply?
The obligations apply exclusively to financial entities regulated and supervised by the ASF. These include:
- Insurance and/or reinsurance companies;
- Insurance and/or reinsurance intermediaries (brokers, agents);
- Private pension fund administrators;
- Financial investment services companies (SSIF);
- Alternative investment fund managers (AFIA) and undertakings for collective investment in transferable securities (UCITS);
- Market operators and central depositories (e.g., Bucharest Stock Exchange, Central Depository).
What should you do?
- Implement an internal calculation methodology. Establish a clear procedure, involving the Finance and IT departments, to quantify the financial impact of ICT incidents according to ASF rules (gross costs, recoveries, provisions) and to ensure their traceability in accounting records.
- Ensure granular data collection. For each incident classified as major, you must separately collect and document all costs, losses, and any financial recoveries. An aggregated calculation at the end of the year is not sufficient; data must be available per incident.
- Prepare the reporting format. Familiarize the responsible team with the standard form in the annex to the instruction. Ensure that internal systems can quickly generate a report according to this model, at the request of the ASF.
- Correlate financial reporting with technical reporting. Check the internal workflow to ensure that each incident in the financial report to the ASF uses the same unique reference code used in the initial technical report submitted under the DORA Regulation.
Source: Official Gazette, Part I, no. 474 of June 5, 2026.
Note: This material is strictly for informational purposes and does not constitute legal, tax, or business advice. As the interpretation and application of legal provisions can vary significantly depending on the specific circumstances of each entity, we recommend seeking specialized legal assistance before adopting any operational decisions based on these changes.