ICT Incident Reporting (DORA)

Under DORA (Regulation (EU) 2022/2554), financial entities are required to classify ICT-related incidents and to report those classified as major to their competent financial supervisory authority. Reporting follows a three-phase structure with prescribed deadlines and standardised templates.

    Classification of incidents

    DORA Chapter III (Articles 17 to 23) sets out the requirements for managing, classifying and reporting ICT-related incidents. Financial entities must record and classify every ICT-related incident and determine whether it is a "major ICT-related incident" using the criteria in Article 18, with the exact materiality thresholds specified in the regulatory technical standards issued by the European Supervisory Authorities.

    An incident is classified as major based on criteria such as:

    • Number and relevance of affected clients or financial counterparts: The more clients, counterparts or transactions affected, the higher the severity classification.
    • Duration of the incident: Prolonged incidents and service downtime carry greater weight in the classification assessment.
    • Geographical spread: Incidents affecting multiple Member States or jurisdictions are more likely to be classified as major.
    • Data losses: Impact on the availability, authenticity, integrity or confidentiality of data.
    • Criticality of affected services: Disruptions to critical or important functions, including transactions and operations, elevate the severity.
    • Economic impact: Direct and indirect costs and losses caused by the incident.

    Reporting deadlines

    DORA's reporting framework follows a three-phase system:

    • Initial notification: Within 4 hours of the incident being classified as major, and no later than 24 hours after the financial entity became aware of the incident.
    • Intermediate report: Within 72 hours of submitting the initial notification, including updated information on status and impact and a preliminary root-cause analysis; the intermediate report must be updated whenever regular activities are recovered.
    • Final report: Within 1 month of submitting the latest intermediate report, containing the complete root-cause analysis and the remediation measures taken.


    Standardised formats

    DORA requires financial entities to use the standardised reporting templates and data fields established by the European Supervisory Authorities (EBA, ESMA and EIOPA) through implementing technical standards. This ensures consistent data quality across the EU's financial sector and enables effective cross-border coordination between authorities.

    Who do you report to?

    Reporting under DORA is directed to the competent supervisory authority for the financial entity in question:

    • Credit institutions: The national financial supervisory authority (and, for significant institutions directly supervised under the Single Supervisory Mechanism, the ECB).
    • Insurance companies: The national financial supervisory authority.
    • Investment firms: The national financial supervisory authority.

    Under Article 19(6), the competent authority forwards details of the major ICT-related incident to the European Supervisory Authorities, to the ECB where credit institutions are concerned, and to the national authorities and CSIRTs designated under NIS2. The ESAs in turn publish aggregated and anonymised statistics on reported incidents.

    Frequently Asked Questions about ICT Incident Reporting (DORA)

    When must an ICT incident be reported under DORA?

    Under DORA, ICT-related incidents classified as major must be reported. The initial notification must be submitted within 4 hours of classification as major and no later than 24 hours after the financial entity became aware of the incident. This is followed by an intermediate report within 72 hours of the initial notification and a final report within 1 month of the latest intermediate report.

    Do you need to report under both DORA and NIS2?

    No. For financial entities within the scope of DORA, DORA applies as lex specialis in relation to NIS2, because its incident-reporting requirements are at least equivalent in effect. Reporting under DORA therefore satisfies the corresponding NIS2 reporting requirements, and the financial supervisory authorities pass the relevant information on to the national CSIRTs and NIS2 authorities.

    What qualifies as a major ICT-related incident?

    An incident is classified as major based on the criteria in DORA Article 18: the number and relevance of affected clients or financial counterparts, the duration of the incident, its geographical spread, data losses, the criticality of the affected services and the economic impact. The European Supervisory Authorities have issued regulatory technical standards specifying the exact materiality thresholds for each criterion and how they combine to trigger classification as major.

    What happens if a financial entity fails to report an incident on time?

    Failure to comply with DORA's reporting obligations may result in administrative penalties and remedial measures imposed by the competent supervisory authority under Article 50. The specific sanctions are laid down by each Member State but can include fines, orders to cease the conduct and public notices identifying the entity and the nature of the breach.

    Can voluntary reporting of significant cyber threats also be made under DORA?

    Yes. DORA Article 19(2) allows financial entities to notify significant cyber threats to the competent authority on a voluntary basis when they deem the threat relevant to the financial system, service users or clients, even if the threat has not yet resulted in an incident.
