DORA: ICT Incident Reporting
ICT-Related Incident Management and Reporting [Art 17-23]
Rule: Financial entities must detect, manage, classify, and report ICT-related incidents. Major incidents must be reported to competent authorities within strict timelines.
Incident Classification [Art 18]
Classify incidents based on impact criteria:
| Criterion | Assessment |
|---|---|
| Clients affected | Number and relevance of clients/counterparties |
| Duration | Period of disruption |
| Geographic spread | Member States affected |
| Data losses | Availability, authenticity, integrity, confidentiality impacts |
| Critical services | Services critically affected |
| Economic impact | Direct and indirect costs/losses |
Major vs Non-Major Incidents
| Classification | Definition | Reporting Required? |
|---|---|---|
| Major | High adverse impact on systems supporting critical/important functions | Yes — to competent authority |
| Significant cyber threat | Potential material impact if crystallized | Yes — voluntary |
| Non-major | Limited impact | Internal logging only |
Reporting Timeline [Art 19]
| Report | Deadline | Content |
|---|---|---|
| Initial notification | Within 4 hours of classification as major (max 24h from awareness) | Basic incident details |
| Intermediate report | Within 72 hours of initial notification | Updated information, impact assessment |
| Final report | Within 1 month of last intermediate report | Root cause, impact, remediation, lessons learned |
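As an added worked example (not part of the DORA text or of this page), the following Python derives the three deadlines in the timeline table above from the moment of awareness and the moment of classification, and flags which reports are overdue at a given time. It applies the rule that the initial notification is due 4 hours after classification but never later than 24 hours after awareness, counts the intermediate deadline from the initial notification and the final deadline from the last intermediate report, and makes two labelled assumptions: "1 month" is modelled as 30 days, and when the actual submission time of a preceding report is not supplied the next deadline is counted from that report's own deadline as a planning estimate. The function and helper names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Timing rules as stated in the reporting timeline table.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # initial: 4h after classification as major
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)    # ...but never later than 24h after awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # intermediate: 72h after initial notification
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)       # final: "1 month" after last intermediate (assumed 30 days)

REPORT_NAMES = ("initial", "intermediate", "final")


def utc(*args: int) -> datetime:
    """Build a timezone-aware UTC datetime (helper for sample inputs)."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    initial_capped_by_awareness: bool   # True when the 24h-from-awareness cap was the binding limit
    intermediate: datetime
    final: datetime


def compute_deadlines(aware_at: datetime, classified_at: datetime,
                      initial_submitted_at: Optional[datetime] = None,
                      last_intermediate_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the three reporting deadlines for one major incident.

    Later deadlines are counted from the actual submission time of the preceding
    report when known, otherwise from that report's own deadline (planning estimate).
    """
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness of the incident")
    candidate = classified_at + INITIAL_AFTER_CLASSIFICATION
    cap = aware_at + INITIAL_CAP_FROM_AWARENESS
    initial = min(candidate, cap)                     # the earlier of the two limits binds
    intermediate = (initial_submitted_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = (last_intermediate_submitted_at or intermediate) + FINAL_AFTER_INTERMEDIATE
    return ReportingDeadlines(initial, cap < candidate, intermediate, final)


def overdue_reports(deadlines: ReportingDeadlines, now: datetime,
                    submitted: Iterable[str] = ()) -> List[str]:
    """Return the names of reports whose deadline has passed without submission."""
    done = set(submitted)
    return [name for name in REPORT_NAMES
            if name not in done and getattr(deadlines, name) < now]


if __name__ == "__main__":
    # Constructed sample: awareness at 08:00 UTC, classification as major 22 hours later,
    # so the 24h-from-awareness cap (not the 4h-from-classification rule) sets the deadline.
    d = compute_deadlines(utc(2024, 3, 1, 8, 0), utc(2024, 3, 2, 6, 0))
    print("initial:     ", d.initial, "(capped by 24h rule)" if d.initial_capped_by_awareness else "")
    print("intermediate:", d.intermediate)
    print("final:       ", d.final)
    print("overdue at 09:00 next day:", overdue_reports(d, utc(2024, 3, 2, 9, 0)))
```

The `initial_capped_by_awareness` flag is worth surfacing in an incident tracker: when classification happens late in the 24-hour window, the time left for the initial notification can be far less than 4 hours, and `overdue_reports` is the check a SOC shift handover or a scheduled job would run against open incidents.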
Initial Notification Content
Must include:
- Incident type and summary
- Time of detection
- Services affected
- Countries/clients affected
- Preliminary impact assessment
- Actions taken/planned
Intermediate Report Content
Must include:
- Updated incident information
- Classification criteria applied
- Severity and impact assessment
- Business continuity measures activated
- Stakeholders notified
Final Report Content
Must include:
- Root cause analysis
- Full timeline of events
- Impact (financial, reputational, operational)
- Remediation measures taken
- Lessons learned
- Whether incident reported to law enforcement
To Whom to Report [Art 19]
Report to:
- Competent authority (national supervisor — e.g., FCA, BaFin, AMF)
Authority may share with:
- Other relevant authorities
- ESAs (EBA, EIOPA, ESMA)
- ECB, ESRB (systemic risks)
- ENISA (cyber threats)
Client/Third-Party Notification [Art 19(4)]
Where a major incident impacts clients:
- Notify affected clients
- Explain measures to mitigate adverse effects
- Point clients to sources of further information where needed
Cyber Threats Reporting [Art 19(2)]
May voluntarily report significant cyber threats to competent authority:
- If threat could materially impact financial entity
- Helps authorities assess systemic risks
- No penalty for voluntary reporting
ICT Incident Management Process [Art 17]
Must have a documented process covering:
| Stage | Activities |
|---|---|
| Detection | Monitor systems, detect anomalies |
| Classification | Assess against criteria, determine if major |
| Response | Contain, eradicate, recover |
| Communication | Internal escalation, external notification |
| Documentation | Log all actions and findings |
| Post-incident | Root cause analysis, lessons learned |
Recording Incidents [Art 17(3)]
Maintain records of:
- All ICT-related incidents (major and non-major)
- Significant cyber threats
- Response actions taken
- Timeline of events
- Lessons learned
Reporting to Management [Art 17(4)]
Management body must receive:
- Reports on major incidents
- Information on root causes
- Lessons learned
- Recommendations for improvements
Centralized Reporting
Some Member States may establish single reporting hubs:
- One portal for incident reports
- Competent authority forwards to relevant supervisors
Comparison with Other Frameworks
| Framework | Initial Deadline | Full Report |
|---|---|---|
| DORA | 4h (max 24h from awareness) | 1 month |
| NIS2 | 24h early warning | 1 month |
| GDPR | 72h (personal data breach) | No specific final report |
| PSD2 (major ops) | Same day | Various |