ComparisonDORA and PSD2 incidents

DORA vs PSD2 incident reporting

A source-grounded comparison of DORA major ICT-related incident reporting and PSD2 major operational or security payment-related incident reporting.

Use it to separate which incident clock, report template, competent authority route, and evidence pack applies when a payment-service incident is also an ICT incident.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
3

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA changes the practical comparison with PSD2 incident reporting for payment service providers that are financial entities under DORA. DORA says PSD2 incident reporting should cease to apply to those payment service providers from the DORA application date, and that they should report operational or security payment-related incidents under DORA instead, whether or not the incident is ICT-related.

Side-by-side comparison

DORA major ICT-related incident reporting vs PSD2 payment-incident reporting

Use these rows to decide whether an incident belongs in the DORA incident-reporting chapter, a payment-incident analysis, or both evidence labels inside one coordinated incident file.

Review all sources
First framework
DORA major ICT-related incidents

DORA covers financial entities and requires major ICT-related incidents to be classified, reported to the relevant competent authority, and handled through DORA report stages and templates.

Second framework
PSD2 operational or security payment incidents

For DORA-scoped payment service providers, DORA states that PSD2 incident reporting ceases and that operational or security payment-related incidents are handled under the DORA reporting chapter.

Comparison row 1

Scope boundary

DORA major ICT-related incidents

Financial entities under DORA, including payment institutions, electronic money institutions, account information service providers, credit institutions, and other listed financial entities when an ICT-related incident affects their services, operations, clients, counterparts, data, or critical functions.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

Payment-service operational or security incidents for payment service providers. For payment service providers that are within DORA, the supported rule is that PSD2 incident reporting gives way to DORA reporting for those incidents.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

For a DORA-scoped payment service provider, classify the incident under DORA first and preserve a payment-related incident label where the facts show payment-service operational or security impact.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 2

Covered actors

DORA major ICT-related incidents

DORA uses the financial-entity scope in Article 2 and Article 23. The payment-service fallback matters only for credit institutions, payment institutions, account information service providers, and electronic money institutions that are inside DORA.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

PSD2 is the fallback reporting route for payment service providers that are not in DORA scope. DORA Article 23 says the PSD2 reporting requirement stops only for in-scope firms.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

First check DORA scope. If the firm is covered by DORA, use DORA reporting for major payment-related incidents; if not, keep using the PSD2 regime.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 3

Trigger

DORA major ICT-related incidents

DORA has specified clocks: initial report as early as possible, within four hours after major classification and no later than 24 hours after awareness; intermediate report within 72 hours after the initial notification; final report within one month after the intermediate report or latest updated intermediate report.

Delegated Regulation (EU) 2025/301 on DORA incident report content and time limitsSources 1
PSD2 operational or security payment incidents

For firms outside DORA, the PSD2 payment-incident trigger remains the relevant route because Article 23 only displaces PSD2 reporting for DORA-scoped payment service providers.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Use the DORA clock for in-scope payment service providers and keep the awareness time, classification time, submission time, and any delay explanation in the incident file.

Delegated Regulation (EU) 2025/301 on DORA incident report content and time limitsSources 1
Comparison row 4

Core obligations

DORA major ICT-related incidents

DORA uses standard templates for initial, intermediate, and final reports, with data fields completed according to the reporting stage and submitted through the secure electronic channels made available by the competent authority.

Implementing Regulation (EU) 2025/302 on DORA reporting templatesSources 1
PSD2 operational or security payment incidents

PSD2 reporting can still apply for payment-service firms that are outside DORA. This page should not be read as saying PSD2 disappears for all payment incidents.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Build one report workspace around the DORA template, but switch to PSD2 forms only when the firm is outside DORA scope.

Implementing Regulation (EU) 2025/302 on DORA reporting templatesSources 1
Comparison row 5

Evidence record

DORA major ICT-related incidents

Keep DORA classification evidence, incident logs, affected clients and transactions, downtime, Member State impact, data-loss assessment, critical-service impact, cost and loss estimates, business-continuity activation, report templates, and final root-cause and remediation evidence.

Delegated Regulation (EU) 2025/301 on DORA incident report content and time limitsSources 1
PSD2 operational or security payment incidents

Keep PSD2 evidence for out-of-scope payment incidents, including the payment-service impact, the applicable PSD2 trigger, and any separate national reporting steps.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Use shared facts, but label each item. One incident file can support both views only if it shows the DORA classification basis and the payment-service impact separately.

Delegated Regulation (EU) 2024/1772 on incident classificationSources 1
Comparison row 6

Timing and deadlines

DORA major ICT-related incidents

DORA reports go to the relevant competent authority. Where an entity is supervised by more than one national competent authority, Member States designate a single competent authority for Article 19 reporting. Significant credit institutions report to the national competent authority, which transmits the report to the ECB.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

PSD2 timing still matters for payment-service providers that are not in DORA scope, because Article 23 only removes the PSD2 route for payment service providers that fall within DORA.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Do not send duplicate reports just because an entity has multiple authorisations. Confirm the DORA relevant competent authority, and if the firm is outside DORA, use the PSD2 route instead.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 7

Enforcement

DORA major ICT-related incidents

DORA empowers competent authorities to supervise and sanction breaches of the DORA reporting regime for in-scope financial entities.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

PSD2 remains relevant for payment-service firms outside DORA scope, so enforcement follows the regime that still applies to the firm.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Use the enforcement route that matches scope: DORA for in-scope firms, PSD2 for out-of-scope payment-service providers.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 8

Overlap and reuse

DORA major ICT-related incidents

One incident can sit in both ICT and payment files, but DORA and PSD2 should not be treated as interchangeable. DORA Article 23 is a scope rule, not a blanket replacement for all payment incidents.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

If the firm is outside DORA, PSD2 still does the reporting work. If the firm is inside DORA, use the DORA reporting chapter for payment-related incidents.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Do not duplicate the legal analysis. First decide scope, then decide which reporting regime applies.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 9

Practical decision rule

DORA major ICT-related incidents

If the firm is inside DORA, classify the incident under DORA and use the DORA report stages, templates, and competent authority route.

Regulation (EU) 2022/2554 (DORA)Sources 1
PSD2 operational or security payment incidents

If the firm is outside DORA, continue with PSD2 payment-incident reporting and any related national reporting steps.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Start with scope. DORA displaces PSD2 only for payment service providers that fall within DORA.

Regulation (EU) 2022/2554 (DORA)Sources 1
Practical decision rule

Practical triage rule for DORA and PSD2 incident reporting

  • First, check whether the firm is in DORA scope. If it is, use DORA for major ICT-related incidents and for operational or security payment-related incidents under Article 23.
  • Second, if the firm is not in DORA scope, keep PSD2 as the reporting route for payment-service incidents and follow any applicable national steps.
  • Third, once DORA applies, use the DORA report stages, time limits, templates, and competent-authority submission route.
  • Fourth, keep a separate evidence label for payment-service impact so the file shows why the incident was treated under DORA or left under PSD2.
Regulation (EU) 2022/2554 (DORA)Sources 1Delegated Regulation (EU) 2025/301 on DORA incident report content and time limitsSources 2
Section 1

The main difference

PSD2 was the payment-services incident reporting route. DORA creates a financial-sector digital operational resilience regime and brings major ICT-related incidents, significant cyber-threat notifications, and major operational or security payment-related incidents into a harmonised DORA reporting chapter.

For payment institutions, electronic money institutions, account information service providers, and credit institutions that fall within DORA, do not run a legacy PSD2-only reporting analysis first. Start by asking whether DORA Article 23 applies to the payment incident and whether the incident is also a major ICT-related incident under the DORA classification criteria.

  • DORA Article 17 requires an ICT-related incident management process that records incidents and significant cyber threats, assigns roles, escalates major incidents, and supports response and recovery.
  • DORA Article 18 sets classification criteria for ICT-related incidents, including affected clients or transactions, duration, geographical spread, data losses, criticality of affected services, and economic impact.
  • DORA Article 23 applies the DORA incident-reporting chapter to operational or security payment-related incidents where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the DORA rule that PSD2 incident reporting ceases for in-scope payment service providers and that operational or security payment-related incidents are handled under the DORA incident-reporting chapter.
Delegated Regulation (EU) 2024/1772 on incident classification
Specifies DORA classification criteria and materiality thresholds for major ICT-related incidents and major operational or security payment-related incidents.
Section 2

Reporting stages and clocks

DORA reporting is staged. A report pack can include an initial notification, an intermediate report, and a final report, using DORA templates and the secure electronic channels made available by the competent authority.

The grounded DORA timing rule is concrete: the initial report is due as early as possible, within four hours after classification as major and no later than 24 hours after awareness; the intermediate report is due within 72 hours after the initial notification; and the final report is due no later than one month after the intermediate report or the latest updated intermediate report.

  • Initial notification: incident reference, detection and classification information, description, classification criteria, impacted Member States, discovery route, origin where available, business-continuity activation, and reclassification information where applicable.
  • Intermediate report: occurrence and recovery timing, classification detail, incident type, threat techniques where applicable, affected business processes and infrastructure, client financial impact, other-authority reporting, temporary recovery measures, and indicators of compromise where applicable.
  • Final report: root causes, resolution timing, permanent resolution, resolution-authority information where applicable, direct and indirect costs and losses, recoveries, and recurring-incident information where applicable.
Sources for this answer
Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits
Supports the DORA initial, intermediate, and final report content requirements and the four-hour, 24-hour, 72-hour, and one-month reporting limits.
Implementing Regulation (EU) 2025/302 on DORA reporting templates
Supports the requirement to use the DORA reporting template, competent-authority secure electronic channels, and the data glossary and instructions.
Section 3

Evidence to keep separate

A payment incident can share facts with an ICT incident, but the evidence labels should stay separate. DORA classification evidence must show how the Article 18 criteria and the 2024/1772 RTS were applied; payment-incident evidence should show why the event is an operational or security payment-related incident and whether Article 23 brings it into the DORA chapter.

Keep enough evidence to explain both the incident decision and the report content: logs, service downtime records, transaction impact, affected clients or financial counterparts, Member State impact, data-loss analysis, business-continuity activation, customer communications, other-authority reporting, root-cause analysis, remediation, and cost or loss estimates.

  • Label whether the incident was classified as a major ICT-related incident, a major operational or security payment-related incident, both, or neither.
  • Record the awareness time, classification time, report submission times, any delay explanation sent to the competent authority, and any reclassification from major to non-major.
  • Keep the template fields and source citations with the incident file so later reviewers can see why each reported field was required.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on incident classification
Supports the classification evidence categories for clients, transactions, duration, geographical spread, data losses, critical services, and economic impact.
Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits
Supports the report-content evidence fields for initial, intermediate, and final DORA incident submissions.
Incident reporting support

Turn this comparison into a report-ready incident workflow

Sorena can help structure DORA incident classification, payment-incident triage, report-stage evidence, and source citations for teams preparing regulator-facing incident records.

Research workflow
Open Research Copilot

Ask source-linked questions about DORA incident classification, report timing, templates, and payment-related incident overlap.

Explore next step
Talk to Sorena
Talk through implementation

Review your DORA and payment-service incident-reporting workflow, evidence labels, and source gaps with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Supports the DORA scope, Article 19 reporting route, and Article 23 payment-related incident coverage used in the triage rule.
"Reporting of major ICT-related incidents"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.