DORA Incident Reporting
Detailed guide to DORA's ICT-related incident reporting obligations, covering classification criteria, the three-stage reporting timeline, and comparison with NIS2 incident reporting requirements.
- 1
DORA incident classification under Article 18 uses specific quantitative thresholds — entities must have pre-defined decision trees for rapid classification.
- 2
The three-stage timeline is tight: initial notification within 4 hours of classification (24-hour backstop), intermediate within 72 hours, final within one month.
- 3
DORA is lex specialis to NIS2 — financial entities report ICT incidents under DORA, not NIS2, though non-financial activities may retain NIS2 obligations.
- 4
Pre-populated reporting templates and a dedicated reporting officer (separate from the incident commander) are essential to meet the 4-hour initial notification window.
Major ICT-Related Incident Classification (Article 18)
DORA Article 18 requires financial entities to classify ICT-related incidents according to specific criteria, and it is the classification outcome that determines whether reporting obligations are triggered. The classification criteria include: the number of clients or financial counterparties affected, the duration of the incident, the geographical spread, the data losses involved, the criticality of the services affected, and the economic impact. An incident is classified as "major" when it meets or exceeds the thresholds defined in the related RTS.
The RTS on incident classification (delegated under Article 18(3)) specifies quantitative and qualitative thresholds for each criterion. For example, an incident affecting more than 10% of clients, causing service unavailability for more than 2 hours on a critical function, or resulting in unauthorised access to data classified as confidential would typically meet the major incident threshold. Entities must assess each incident against all criteria — meeting the threshold on any single criterion can be sufficient to trigger major classification.
Financial entities must establish internal procedures for rapid incident assessment and classification. The classification decision must be documented, and the rationale must be defensible to supervisory authorities. In practice, this means having pre-defined decision trees, trained incident managers, and clear escalation paths. Delays in classification translate directly into delays in reporting, and late reporting is itself a compliance failure that competent authorities will address.
The Three-Stage Reporting Timeline
DORA establishes a three-stage reporting process for major ICT-related incidents under Article 19. The initial notification must be submitted to the competent authority within 4 hours of the incident being classified as major, and no later than 24 hours from the point the entity becomes aware of the incident. This initial report must contain the essential facts: what happened, when it was detected, which services are affected, and the estimated impact. The purpose is rapid awareness — not comprehensive analysis.
The intermediate report must be submitted within 72 hours of the initial notification, or sooner if the situation has materially changed. This report must update the initial notification with additional information: root cause analysis progress, the actual (rather than estimated) impact, the containment and mitigation measures taken, and any indicators of compromise identified. If the incident is resolved by the time of the intermediate report, the entity may combine the intermediate and final reports.
The final report must be submitted no later than one month after the intermediate report. This comprehensive document must include the root cause analysis, the chronology of the incident, the total impact assessment (including financial losses), the remediation measures implemented, and the lessons learned. The final report is the document that supervisory authorities will use to assess the entity's resilience posture and response effectiveness. Incomplete or superficial final reports will attract follow-up supervisory actions.
The 4-hour clock starts from the moment the incident is classified as major — not from detection. However, the backstop of 24 hours from awareness means entities cannot delay classification to buy reporting time. Competent authorities will scrutinise classification timestamps closely.
Reporting to Competent Authorities
Under Article 19, financial entities must report major ICT-related incidents to the relevant competent authority. For credit institutions, this is typically the national banking supervisor (or the ECB for entities under the Single Supervisory Mechanism). For insurance undertakings, it is the national insurance supervisor. For investment firms, the national securities supervisor. The ESAs have published joint guidelines clarifying which authority receives reports for entities supervised at multiple levels.
The reporting channel and format are specified by the ITS on incident reporting forms. Financial entities must use the standardised templates published by the ESAs, submitted through the designated reporting channels established by each competent authority. Most Member States have established electronic submission portals, and the ESAs are working toward a single EU reporting hub. Until that hub is operational, entities operating across multiple Member States may face the practical challenge of submitting to multiple authorities — though the content of the reports should be consistent.
Competent authorities are required to acknowledge receipt of the initial notification without undue delay and may provide feedback or guidance on the incident response. Importantly, under Article 19(4), competent authorities may, after receiving the initial report, provide the financial entity with anonymised information about similar threats or incidents to help in the response. This creates a bilateral information flow that, while still nascent in practice, is designed to improve sector-wide resilience.
Financial entities should establish a dedicated regulatory reporting function or assign clear ownership of incident reporting to a specific team. Scrambling to identify the correct authority, locate the right template, and compile the required data during an active incident is a recipe for late or incomplete reporting. Pre-established relationships with supervisory contacts, tested communication channels, and pre-populated reporting templates are baseline expectations.
Voluntary Notification of Cyber Threats
Beyond mandatory major incident reporting, Article 19(2) permits financial entities to voluntarily notify competent authorities of significant cyber threats that they consider relevant to the financial system, even if the threat has not materialised into an incident. This voluntary mechanism is designed to enhance collective intelligence across the financial sector and enable proactive supervisory responses.
Voluntary notifications can cover threat intelligence about emerging attack vectors, observed reconnaissance activity targeting financial infrastructure, or vulnerabilities discovered in widely used ICT components. The reporting threshold for voluntary notifications is intentionally lower than for mandatory major incident reports — the entity needs only to consider the threat potentially significant. There is no penalty for over-reporting through the voluntary channel, and competent authorities have indicated that they actively encourage this information sharing.
The practical value of voluntary notification depends on a functioning feedback loop. Competent authorities that receive threat intelligence should anonymise it and share relevant findings with other supervised entities. The ESAs have indicated that voluntary notification data will feed into sector-wide risk assessments and stress testing scenarios. For financial entities, participating in voluntary notification builds goodwill with supervisors and demonstrates a mature, proactive approach to threat management that can be advantageous during supervisory reviews.
Entities should establish internal criteria for what constitutes a "significant" threat warranting voluntary notification and should document the decision process regardless of whether a notification is ultimately submitted. This creates an auditable record of threat awareness and assessment capability.
Comparison with NIS2 Incident Reporting
For financial entities that fall within the scope of both DORA and NIS2 (Directive 2022/2555), understanding the interplay between the two incident reporting regimes is critical. Article 1(2) of DORA explicitly establishes it as lex specialis — DORA takes precedence over NIS2 for entities within its scope. This means financial entities report under DORA, not NIS2, for ICT-related incidents. However, NIS2 Article 4 contains a reciprocal provision recognising this relationship.
Despite the lex specialis carve-out, the reporting timelines are similar but not identical. NIS2 requires an early warning within 24 hours, a notification within 72 hours, and a final report within one month. DORA's initial notification is significantly tighter at 4 hours (with a 24-hour backstop). This reflects the systemic importance of the financial sector — regulators need faster awareness of ICT disruptions that could have cascading effects on financial stability.
The classification criteria also differ. NIS2 uses a "significant incident" threshold based on substantial operational disruption or financial loss, as well as impact on other natural or legal persons through material damage. DORA uses the more granular criteria in Article 18 and the related RTS, with quantitative thresholds specific to financial services. An incident that is "significant" under NIS2 may or may not meet the "major" threshold under DORA, and vice versa.
For dual-regulated entities — particularly financial entities that also provide essential services in other sectors — the practical approach is to implement a single incident classification and reporting workflow that satisfies the more demanding DORA requirements. If an entity meets DORA's obligations, it will generally exceed NIS2's requirements. However, entities should verify with legal counsel whether any residual NIS2 obligations apply to non-financial activities within the same legal entity.
DORA is lex specialis to NIS2 for financial entities. If your entity is in DORA scope, you report ICT incidents under DORA, not NIS2. However, if your entity also operates non-financial essential services, those activities may still fall under NIS2 reporting obligations.
Practical Incident Reporting Workflow
Building an effective DORA incident reporting workflow requires integrating several operational capabilities: detection, classification, escalation, drafting, submission, and follow-up. The workflow should be documented in the ICT incident response policy, tested through simulation exercises, and reviewed at least annually.
The detection phase feeds into a triage function that applies the Article 18 classification criteria. At this point, the incident manager must make a binary determination: is this a major incident or not? If yes, the 4-hour clock starts and the initial notification template must be populated with available information. The template should be pre-structured with fields matching the ITS reporting form, and pre-populated with static entity information (LEI, entity name, competent authority details, primary contact) to minimise the time required to complete it.
During the response phase, a designated reporting officer (distinct from the incident commander) should continuously update the intermediate report as new information becomes available. This parallel-track approach — one stream managing the incident, another managing the regulatory reporting — prevents reporting obligations from competing with response activities for attention and resources. The intermediate report should be reviewed by legal and compliance functions before submission to ensure accuracy and consistency with the initial notification.
The final report is a substantive analytical document that should be treated as a deliverable of the post-incident review process. It must demonstrate that the entity understands what happened, why it happened, what the impact was, and what structural improvements have been made or are planned. Financial entities should resist the temptation to submit boilerplate final reports — supervisory authorities use these reports to assess institutional resilience, and a weak final report can trigger on-site inspections or enhanced supervisory measures.
Regular simulation exercises — at minimum annually — should test the entire workflow end-to-end, including populating templates under time pressure, contacting the competent authority's reporting desk, and coordinating between incident response, communications, legal, and compliance teams. These exercises should be documented and their findings fed into the continuous improvement cycle required by Article 15.
What triggers the 4-hour reporting clock under DORA?
The 4-hour clock starts from the moment the financial entity classifies an ICT-related incident as major under Article 18 criteria. However, there is a backstop: the initial notification must be submitted no later than 24 hours from the moment the entity first becomes aware of the incident, regardless of when classification occurs. This prevents entities from delaying classification to extend the reporting window.
Do we need to report incidents to both our national supervisor and the ESAs?
Financial entities report directly to their competent authority (e.g., national banking supervisor or the ECB for SSM-supervised entities). The competent authority is then responsible for sharing relevant information with the ESAs and, where appropriate, with ENISA. Entities do not typically report directly to ESAs unless specifically instructed to do so by their competent authority.
How does DORA incident reporting interact with GDPR breach notification?
DORA incident reporting and GDPR data breach notification (Article 33/34 GDPR) are separate obligations with separate timelines and authorities. A major ICT incident that involves personal data may trigger both DORA reporting to the financial supervisor and GDPR notification to the data protection authority (within 72 hours). The two processes run in parallel and must both be addressed. Financial entities should ensure their incident response procedures cover both tracks.
What happens if we miss the reporting deadline?
Late reporting is a compliance failure that competent authorities can address through their supervisory powers. Depending on the jurisdiction and the authority involved, consequences can range from supervisory findings and enhanced monitoring to administrative penalties. DORA Article 50 empowers competent authorities to impose administrative penalties and remedial measures. The severity of consequences typically depends on the degree of delay, whether it was a systemic failure, and whether it compounded the impact of the incident.
Can we combine the intermediate and final reports?
Yes. If the incident is fully resolved by the time the intermediate report is due (72 hours), the financial entity may submit a combined intermediate-final report. However, the combined report must meet all the content requirements of both the intermediate and final reports, including root cause analysis, full impact assessment, and lessons learned. In practice, most major incidents are not fully resolved within 72 hours, so the combined report is the exception rather than the rule.
Ready to Operationalise This?
Turn this guide into working compliance workflows. Create an account or schedule a personalised demo.