
DORA Incident Reporting: Classification and Notification

10 min read. Updated 2026-03-12

Incident Classification

Article 18 of DORA establishes a harmonised classification framework for ICT-related incidents. Financial entities must classify incidents based on defined criteria to determine whether an incident qualifies as 'major' and thus triggers mandatory reporting obligations under Article 19.

The classification criteria specified in Article 18(1) include: (a) the number of clients, financial counterparts, and transactions affected, (b) the duration of the incident, including service downtime, (c) the geographical spread and impact across member states, (d) the data losses that the incident entails in terms of availability, authenticity, integrity, or confidentiality, (e) the criticality of the services affected, including the entity's transactions and operations, and (f) the economic impact, including direct and indirect costs and losses, of the incident.

An incident is classified as major when it meets certain thresholds across these criteria, as further specified in the Regulatory Technical Standards (RTS) developed by the European Supervisory Authorities. Financial entities must also classify and document non-major ICT-related incidents, maintaining records that can demonstrate to competent authorities that the entity has an effective incident management process. Article 18(2) requires the ESAs, through the Joint Committee, to develop draft RTS specifying the precise thresholds for major incident classification, ensuring uniform application across the financial sector.

Art. 18(1)-(3)

Reporting Timelines

Article 19 establishes a three-stage reporting regime for major ICT-related incidents with strict timelines that financial entities must adhere to. The reporting process is structured to balance the need for timely supervisory awareness with the practical realities of incident investigation.

The initial notification must be submitted within 4 hours from the moment the ICT-related incident is classified as major, and no later than 24 hours from the moment the financial entity becomes aware of the incident. This initial notification must include sufficient information for the competent authority to assess the significance of the incident and its potential cross-border impact. It is critical to note that the 4-hour clock starts from classification, not from the moment of incident occurrence — this distinction is significant because there may be a period between detection and classification.

The intermediate report must be submitted within 72 hours of the initial notification, or when regular activity has been recovered (whichever comes first). This report must provide updated information on the incident including root cause analysis (where known), impact assessment, and mitigation measures taken or planned.

The final report must be submitted within one month of the submission of the intermediate report. This comprehensive report must include: root cause analysis, the actual impact assessment (including financial losses), the remediation measures implemented, and conclusions on whether similar incidents could be prevented in the future.

Art. 19(1)-(7)

Note

The 4-hour reporting clock starts from the moment an incident is classified as major, not from the moment the incident occurs. This means that the incident detection and classification process itself is time-critical.
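The three timelines above interact: the 4-hour window is measured from classification but is capped at 24 hours from awareness, the intermediate report is due at 72 hours or at recovery, and the final report follows one month later. The following deadline calculator is an added example (not code from the page or from FortisEU) that encodes those rules as the page states them, flags the case where slow classification lets the 24-hour cap truncate the 4-hour window, and reports the latest classification time that still leaves the full 4 hours. It assumes "one month" means a calendar month and that, when no submission time is given, each report is filed exactly at its deadline (worst case); neither assumption is something the Regulation spells out.

```python
"""Deadline calculator for DORA Article 19 major-incident reporting (added example).

Assumptions, not DORA text: "one month" is read as a calendar month (day clamped
when the target month is shorter), and a report whose submission time is unknown
is assumed to be filed exactly at its deadline.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)   # Art. 19: 4h from classification as major
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)   # ... but no later than 24h from awareness
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)    # intermediate report: 72h after initial


def add_one_month(ts: datetime) -> datetime:
    """Advance one calendar month, clamping the day (31 Jan -> 28 Feb in a non-leap year)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def latest_untruncated_classification(aware_at: datetime) -> datetime:
    """Latest classification time at which classification + 4h still equals the 24h cap.
    Classifying later than this shortens the initial-notification window below 4 hours."""
    return aware_at + INITIAL_CAP_FROM_AWARENESS - INITIAL_FROM_CLASSIFICATION


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime              # initial notification due
    awareness_cap_binding: bool    # True when the 24h-from-awareness cap set the deadline
    intermediate: datetime         # intermediate report due
    final: datetime                # final report due


def compute_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    recovered_at: Optional[datetime] = None,
    initial_submitted_at: Optional[datetime] = None,
    intermediate_submitted_at: Optional[datetime] = None,
) -> ReportingDeadlines:
    """All timestamps must be timezone-aware (record incidents in UTC)."""
    for name, ts in (("aware_at", aware_at), ("classified_at", classified_at)):
        if ts.tzinfo is None:
            raise ValueError(f"{name} must be timezone-aware")
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")

    # Initial notification: 4h from classification, never later than 24h from awareness.
    from_classification = classified_at + INITIAL_FROM_CLASSIFICATION
    awareness_cap = aware_at + INITIAL_CAP_FROM_AWARENESS
    initial = min(from_classification, awareness_cap)
    cap_binding = awareness_cap < from_classification

    # Intermediate: 72h after the initial notification was filed (assumed filed at the
    # deadline if unknown), or at recovery of regular activity, whichever comes first.
    initial_filed = initial_submitted_at or initial
    intermediate = initial_filed + INTERMEDIATE_FROM_INITIAL
    if recovered_at is not None and recovered_at < intermediate:
        intermediate = recovered_at

    # Final: one month after the intermediate report was filed.
    intermediate_filed = intermediate_submitted_at or intermediate
    final = add_one_month(intermediate_filed)
    return ReportingDeadlines(initial, cap_binding, intermediate, final)


if __name__ == "__main__":
    # Constructed sample incident: detected at 08:00 UTC, classified 22h later.
    aware = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)
    classified = datetime(2026, 3, 2, 6, 0, tzinfo=timezone.utc)
    d = compute_deadlines(aware, classified)
    print("classify by (to keep full 4h):", latest_untruncated_classification(aware))
    print("initial due:      ", d.initial, "(24h cap binding)" if d.awareness_cap_binding else "")
    print("intermediate due: ", d.intermediate)
    print("final due:        ", d.final)
```

The `awareness_cap_binding` flag is the operational check worth wiring into an incident tracker: when it is true, classification consumed more than 20 of the 24 hours and the team has less than 4 hours left for the initial notification.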

Notification to Clients

Article 19(3) introduces an obligation that extends beyond supervisory reporting: where a major ICT-related incident has or may have an impact on the financial interests of clients, financial entities must inform their affected clients without undue delay about the incident and about the measures that have been taken to mitigate its adverse effects.

The client notification obligation is designed to enable affected parties to take their own protective measures where necessary — for example, changing passwords, monitoring accounts for suspicious activity, or activating their own business continuity arrangements if they depend on the affected financial entity's services. The notification must be proportionate to the severity of the incident and the potential impact on the client.

Financial entities must also inform clients about the measures available to them to mitigate the adverse effects of the incident. This dual requirement — notification of the incident itself and guidance on mitigation — reflects DORA's broader objective of ensuring that the financial sector's operational resilience extends to protecting end users and counterparties, not merely satisfying supervisory reporting requirements.

Art. 19(3)

Significant Cyber Threats

Article 19(2) addresses the reporting of significant cyber threats — a category distinct from major ICT-related incidents. While major incident reporting is mandatory, the notification of significant cyber threats is voluntary. Financial entities may notify their competent authority when they identify a significant cyber threat that they consider relevant to the financial system, service users, or clients.

The voluntary nature of threat notification is a deliberate policy choice: requiring mandatory reporting of all cyber threats would overwhelm supervisory authorities and discourage information sharing. Instead, DORA encourages a culture of proactive disclosure by enabling — but not mandating — financial entities to share threat intelligence with their supervisors. Competent authorities may then disseminate anonymised information to other relevant entities to enhance sector-wide preparedness.

In practice, supervisory authorities actively encourage financial entities to report significant cyber threats, and entities that consistently provide high-quality threat intelligence may benefit from a more constructive supervisory relationship. The threat notification mechanism also complements the information-sharing arrangements established under Article 45 (Chapter VI), creating a comprehensive intelligence ecosystem within the financial sector.

Art. 19(2)

ESA Draft Regulatory Technical Standards

Article 20 mandates the European Supervisory Authorities — the EBA, ESMA, and EIOPA — acting through the Joint Committee, to develop draft Regulatory Technical Standards (RTS) specifying the detailed content, templates, and timelines for incident reports. These RTS are critical for achieving the harmonised reporting that DORA envisions, as they translate the Regulation's high-level requirements into operationally specific standards.

The draft RTS must specify: the content of reports for the initial notification, intermediate report, and final report; standardised templates for uniform reporting across all financial entity types; and the procedures for reporting aggregated costs and losses resulting from major ICT-related incidents. The use of standardised templates is essential for enabling competent authorities to efficiently process incident reports, identify cross-border impacts, and coordinate responses across jurisdictions.

The European Commission has adopted the RTS as delegated acts, making them binding on all financial entities in scope. These standards draw on existing incident reporting frameworks — including the EBA's Guidelines on ICT and Security Risk Management, ESMA's cloud outsourcing guidelines, and EIOPA's guidelines on ICT security and governance — while harmonising them into a single, cross-sectoral framework. The resulting reporting system replaces the previous patchwork of sector-specific incident reporting requirements with a unified approach.

Art. 20(1)-(4)
NIS2 Art. 23 (Incident Reporting)

DORA's three-stage reporting (4 hours / 72 hours / 1 month) compared with NIS2's regime (24-hour early warning, 72-hour incident notification, final report within 1 month). DORA's initial notification window is significantly shorter, at 4 hours from classification.

Frequently Asked Questions

What triggers a major incident report under DORA?

An ICT-related incident is classified as major based on six criteria defined in Article 18: number of clients and counterparts affected, duration of the incident, geographic spread, data losses (availability, authenticity, integrity, confidentiality), criticality of services affected, and economic impact. The specific thresholds are defined in the ESA Regulatory Technical Standards.

What is the reporting timeline for DORA incidents?

DORA mandates three-stage reporting: (1) initial notification within 4 hours of classifying an incident as major (and no later than 24 hours from becoming aware), (2) intermediate report within 72 hours of the initial notification, and (3) final report within 1 month of submitting the intermediate report.

Must we notify clients about ICT incidents under DORA?

Yes. Under Article 19(3), where a major ICT-related incident has or may have an impact on clients' financial interests, financial entities must inform affected clients without undue delay about the incident and the measures taken to mitigate its adverse effects. This is in addition to — not a substitute for — supervisory reporting.

How does DORA incident reporting differ from NIS2?

DORA's initial notification window is significantly shorter: 4 hours from classification versus NIS2's 24-hour early warning. Both require an intermediate report within 72 hours and a final report within 1 month. DORA applies specifically to financial entities and uses standardised ESA templates, while NIS2 reporting flows through national CSIRTs or competent authorities. For financial entities, DORA prevails as lex specialis.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
