---
title: "DORA vs PSD2 incident reporting: major ICT and payment incidents"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-psd2-incident-reporting"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-psd2-incident-reporting"
author: "Sorena AI"
description: "Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "DORA incident reporting"
  - "PSD2 incident reporting"
  - "major ICT-related incidents"
  - "major operational or security payment-related incidents"
  - "DORA"
  - "PSD2"
  - "incident reporting"
  - "payment incidents"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# DORA vs PSD2 incident reporting: major ICT and payment incidents

Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.

*Comparison* *DORA and PSD2 incidents*

## DORA vs PSD2 incident reporting

A source-grounded comparison of DORA major ICT-related incident reporting and PSD2 major operational or security payment-related incident reporting.

Use it to separate which incident clock, report template, competent authority route, and evidence pack applies when a payment-service incident is also an ICT incident.

DORA changes the practical comparison with PSD2 incident reporting for payment service providers that are financial entities under DORA. DORA says PSD2 incident reporting should cease to apply to those payment service providers from the DORA application date, and that they should report operational or security payment-related incidents under DORA instead, whether or not the incident is ICT-related.

## DORA major ICT-related incident reporting vs PSD2 payment-incident reporting

Use these rows to decide whether an incident belongs in the DORA incident-reporting chapter, a payment-incident analysis, or both evidence labels inside one coordinated incident file.

- **DORA major ICT-related incidents**: DORA covers financial entities and requires major ICT-related incidents to be classified, reported to the relevant competent authority, and handled through DORA report stages and templates.
- **PSD2 operational or security payment incidents**: For DORA-scoped payment service providers, DORA states that PSD2 incident reporting ceases and that operational or security payment-related incidents are handled under the DORA reporting chapter.

| Dimension | DORA major ICT-related incidents | PSD2 operational or security payment incidents | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Financial entities under DORA, including payment institutions, electronic money institutions, account information service providers, credit institutions, and other listed financial entities when an ICT-related incident affects their services, operations, clients, counterparts, data, or critical functions. | Payment-service operational or security incidents for payment service providers. For payment service providers that are within DORA, the supported rule is that PSD2 incident reporting gives way to DORA reporting for those incidents. | For a DORA-scoped payment service provider, classify the incident under DORA first and preserve a payment-related incident label where the facts show payment-service operational or security impact. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities. |
| Covered actors | DORA uses the financial-entity scope in Article 2 and Article 23. The payment-service fallback matters only for credit institutions, payment institutions, account information service providers, and electronic money institutions that are inside DORA. | PSD2 is the fallback reporting route for payment service providers that are not in DORA scope. DORA Article 23 says the PSD2 reporting requirement stops only for in-scope firms. | First check DORA scope. If the firm is covered by DORA, use DORA reporting for major payment-related incidents; if not, keep using the PSD2 regime. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the decision rule for choosing between DORA and PSD2 based on DORA scope. |
| Trigger | DORA has specified clocks: initial report as early as possible, within four hours after major classification and no later than 24 hours after awareness; intermediate report within 72 hours after the initial notification; final report within one month after the intermediate report or latest updated intermediate report. | For firms outside DORA, the PSD2 payment-incident trigger remains the relevant route because Article 23 only displaces PSD2 reporting for DORA-scoped payment service providers. | Use the DORA clock for in-scope payment service providers and keep the awareness time, classification time, submission time, and any delay explanation in the incident file. | [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports recording delay explanations when the financial entity cannot submit within the specified limits.<br>[Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the PSD2 fallback by limiting DORA displacement to firms in DORA scope. |
| Core obligations | DORA uses standard templates for initial, intermediate, and final reports, with data fields completed according to the reporting stage and submitted through the secure electronic channels made available by the competent authority. | PSD2 reporting can still apply for payment-service firms that are outside DORA. This page should not be read as saying PSD2 disappears for all payment incidents. | Build one report workspace around the DORA template, but switch to PSD2 forms only when the firm is outside DORA scope. | [Implementing Regulation (EU) 2025/302 on DORA reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Supports completing stage-specific fields and updating prior information in later reports.<br>[Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports keeping PSD2 in place only where DORA does not apply to the payment service provider. |
| Evidence record | Keep DORA classification evidence, incident logs, affected clients and transactions, downtime, Member State impact, data-loss assessment, critical-service impact, cost and loss estimates, business-continuity activation, report templates, and final root-cause and remediation evidence. | Keep PSD2 evidence for out-of-scope payment incidents, including the payment-service impact, the applicable PSD2 trigger, and any separate national reporting steps. | Use shared facts, but label each item. One incident file can support both views only if it shows the DORA classification basis and the payment-service impact separately. | [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the required information categories for DORA initial, intermediate, and final reports.<br>[Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports preserving payment-related incident context where DORA applies to operational or security payment-related incidents.<br>[Delegated Regulation (EU) 2024/1772 on incident classification](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng?ref=sorena.io) - Supports using classification evidence instead of a generic incident label. |
| Timing and deadlines | DORA reports go to the relevant competent authority. Where an entity is supervised by more than one national competent authority, Member States designate a single competent authority for Article 19 reporting. Significant credit institutions report to the national competent authority, which transmits the report to the ECB. | PSD2 timing still matters for payment-service providers that are not in DORA scope, because Article 23 only removes the PSD2 route for payment service providers that fall within DORA. | Do not send duplicate reports just because an entity has multiple authorisations. Confirm the DORA relevant competent authority, and if the firm is outside DORA, use the PSD2 route instead. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports checking national additional submission rules to competent authorities or CSIRTs under DORA Article 19. |
| Enforcement | DORA empowers competent authorities to supervise and sanction breaches of the DORA reporting regime for in-scope financial entities. | PSD2 remains relevant for payment-service firms outside DORA scope, so enforcement follows the regime that still applies to the firm. | Use the enforcement route that matches scope: DORA for in-scope firms, PSD2 for out-of-scope payment-service providers. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities. |
| Overlap and reuse | One incident can sit in both ICT and payment files, but DORA and PSD2 should not be treated as interchangeable. DORA Article 23 is a scope rule, not a blanket replacement for all payment incidents. | If the firm is outside DORA, PSD2 still does the reporting work. If the firm is inside DORA, use the DORA reporting chapter for payment-related incidents. | Do not duplicate the legal analysis. First decide scope, then decide which reporting regime applies. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities. |
| Practical decision rule | If the firm is inside DORA, classify the incident under DORA and use the DORA report stages, templates, and competent authority route. | If the firm is outside DORA, continue with PSD2 payment-incident reporting and any related national reporting steps. | Start with scope. DORA displaces PSD2 only for payment service providers that fall within DORA. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities. |

Sources for Scope boundary - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Lists covered financial entities and sets the DORA incident-management and reporting chapter.
  - Quote: "ICT-related incident management process"

Sources for Scope boundary - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the transition from PSD2 incident reporting to DORA reporting for in-scope payment service providers.
  - Quote: "report pursuant to this Regulation"

Sources for Scope boundary - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities.
  - Quote: "operational or security payment-related incidents"

Sources for Covered actors - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Sets the DORA scope for payment-sector entities and the Article 23 carve-in for payment-related incidents.
  - Quote: "credit institutions, payment institutions, account information service providers, and electronic money institutions"

Sources for Covered actors - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the rule that PSD2 incident reporting ceases only for payment service providers that fall within DORA.
  - Quote: "the requirement for the incident reporting pursuant to Directive (EU) 2015/2366"

Sources for Covered actors - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the decision rule for choosing between DORA and PSD2 based on DORA scope.
  - Quote: "shall also apply"

Sources for Trigger - DORA major ICT-related incidents:

- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the four-hour, 24-hour, 72-hour, and one-month DORA reporting deadlines.
  - Quote: "within four hours"

Sources for Trigger - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the PSD2 fallback by limiting DORA displacement to firms in DORA scope.
  - Quote: "fall within the scope of this Regulation"

Sources for Trigger - operational implication:

- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports recording delay explanations when the financial entity cannot submit within the specified limits.
  - Quote: "explain the reasons for the delay"

Sources for Core obligations - DORA major ICT-related incidents:

- [Implementing Regulation (EU) 2025/302 on DORA reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Supports use of the DORA template, secure electronic channels, data glossary, and update procedure.
  - Quote: "secure electronic channels"

Sources for Core obligations - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports keeping PSD2 in place only where DORA does not apply to the payment service provider.
  - Quote: "fall within the scope of this Regulation"

Sources for Core obligations - operational implication:

- [Implementing Regulation (EU) 2025/302 on DORA reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Supports completing stage-specific fields and updating prior information in later reports.
  - Quote: "update any information"

Sources for Evidence record - DORA major ICT-related incidents:

- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the required information categories for DORA initial, intermediate, and final reports.
  - Quote: "Final reports"

Sources for Evidence record - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports preserving payment-related incident context where DORA applies to operational or security payment-related incidents.
  - Quote: "payment-related incidents"

Sources for Evidence record - operational implication:

- [Delegated Regulation (EU) 2024/1772 on incident classification](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng?ref=sorena.io) - Supports using classification evidence instead of a generic incident label.
  - Quote: "affected transactions"

Sources for Timing and deadlines - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports DORA Article 19 reporting to the relevant competent authority and onward transmission to ECB or other authorities where applicable.
  - Quote: "relevant competent authority"

Sources for Timing and deadlines - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the PSD2 fallback by limiting DORA displacement to firms in scope.
  - Quote: "fall within the scope of this Regulation"

Sources for Timing and deadlines - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports checking national additional submission rules to competent authorities or CSIRTs under DORA Article 19.
  - Quote: "Member States may additionally determine"

Sources for Enforcement - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Lists covered financial entities and sets the DORA incident-management and reporting chapter.
  - Quote: "ICT-related incident management process"

Sources for Enforcement - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the transition from PSD2 incident reporting to DORA reporting only for in-scope payment service providers.
  - Quote: "report pursuant to this Regulation"

Sources for Enforcement - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities.
  - Quote: "operational or security payment-related incidents"

Sources for Overlap and reuse - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Lists covered financial entities and sets the DORA incident-management and reporting chapter.
  - Quote: "ICT-related incident management process"

Sources for Overlap and reuse - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the transition from PSD2 incident reporting to DORA reporting only for in-scope payment service providers.
  - Quote: "report pursuant to this Regulation"

Sources for Overlap and reuse - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities.
  - Quote: "operational or security payment-related incidents"

Sources for Practical decision rule - DORA major ICT-related incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Lists covered financial entities and sets the DORA incident-management and reporting chapter.
  - Quote: "ICT-related incident management process"

Sources for Practical decision rule - PSD2 operational or security payment incidents:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the transition from PSD2 incident reporting to DORA reporting only for in-scope payment service providers.
  - Quote: "report pursuant to this Regulation"

Sources for Practical decision rule - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports applying the DORA reporting chapter to operational or security payment-related incidents concerning the listed payment-sector entities.
  - Quote: "operational or security payment-related incidents"

### Practical triage rule for DORA and PSD2 incident reporting

- First, check whether the firm is in DORA scope. If it is, use DORA for major ICT-related incidents and for operational or security payment-related incidents under Article 23.
- Second, if the firm is not in DORA scope, keep PSD2 as the reporting route for payment-service incidents and follow any applicable national steps.
- Third, once DORA applies, use the DORA report stages, time limits, templates, and competent-authority submission route.
- Fourth, keep a separate evidence label for payment-service impact so the file shows why the incident was treated under DORA or left under PSD2.

Sources for the practical decision rule:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the DORA scope, Article 19 reporting route, and Article 23 payment-related incident coverage used in the triage rule.
  - Quote: "Reporting of major ICT-related incidents"
- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the DORA reporting stages and time limits used in the triage rule.
  - Quote: "Time limits"

## The main difference

PSD2 was the payment-services incident reporting route. DORA creates a financial-sector digital operational resilience regime and brings major ICT-related incidents, significant cyber-threat notifications, and major operational or security payment-related incidents into a harmonised DORA reporting chapter.

For payment institutions, electronic money institutions, account information service providers, and credit institutions that fall within DORA, do not run a legacy PSD2-only reporting analysis first. Start by asking whether DORA Article 23 applies to the payment incident and whether the incident is also a major ICT-related incident under the DORA classification criteria.

- DORA Article 17 requires an ICT-related incident management process that records incidents and significant cyber threats, assigns roles, escalates major incidents, and supports response and recovery.
- DORA Article 18 sets classification criteria for ICT-related incidents, including affected clients or transactions, duration, geographical spread, data losses, criticality of affected services, and economic impact.
- DORA Article 23 applies the DORA incident-reporting chapter to operational or security payment-related incidents where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the DORA rule that PSD2 incident reporting ceases for in-scope payment service providers and that operational or security payment-related incidents are handled under the DORA incident-reporting chapter.
- [Delegated Regulation (EU) 2024/1772 on incident classification](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng?ref=sorena.io) - Specifies DORA classification criteria and materiality thresholds for major ICT-related incidents and major operational or security payment-related incidents.

## Reporting stages and clocks

DORA reporting is staged. A report pack can include an initial notification, an intermediate report, and a final report, using DORA templates and the secure electronic channels made available by the competent authority.

The grounded DORA timing rule is concrete: the initial report is due as early as possible, within four hours after classification as major and no later than 24 hours after awareness; the intermediate report is due within 72 hours after the initial notification; and the final report is due no later than one month after the intermediate report or the latest updated intermediate report.

- Initial notification: incident reference, detection and classification information, description, classification criteria, impacted Member States, discovery route, origin where available, business-continuity activation, and reclassification information where applicable.
- Intermediate report: occurrence and recovery timing, classification detail, incident type, threat techniques where applicable, affected business processes and infrastructure, client financial impact, other-authority reporting, temporary recovery measures, and indicators of compromise where applicable.
- Final report: root causes, resolution timing, permanent resolution, resolution-authority information where applicable, direct and indirect costs and losses, recoveries, and recurring-incident information where applicable.

Sources for this answer:

- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the DORA initial, intermediate, and final report content requirements and the four-hour, 24-hour, 72-hour, and one-month reporting limits.
- [Implementing Regulation (EU) 2025/302 on DORA reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Supports the requirement to use the DORA reporting template, competent-authority secure electronic channels, and the data glossary and instructions.

## Evidence to keep separate

A payment incident can share facts with an ICT incident, but the evidence labels should stay separate. DORA classification evidence must show how the Article 18 criteria and the 2024/1772 RTS were applied; payment-incident evidence should show why the event is an operational or security payment-related incident and whether Article 23 brings it into the DORA chapter.

Keep enough evidence to explain both the incident decision and the report content: logs, service downtime records, transaction impact, affected clients or financial counterparts, Member State impact, data-loss analysis, business-continuity activation, customer communications, other-authority reporting, root-cause analysis, remediation, and cost or loss estimates.

- Label whether the incident was classified as a major ICT-related incident, a major operational or security payment-related incident, both, or neither.
- Record the awareness time, classification time, report submission times, any delay explanation sent to the competent authority, and any reclassification from major to non-major.
- Keep the template fields and source citations with the incident file so later reviewers can see why each reported field was required.

Sources for this answer:

- [Delegated Regulation (EU) 2024/1772 on incident classification](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng?ref=sorena.io) - Supports the classification evidence categories for clients, transactions, duration, geographical spread, data losses, critical services, and economic impact.
- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the report-content evidence fields for initial, intermediate, and final DORA incident submissions.

*Incident reporting support*

*Placement: before sources*

## Turn this comparison into a report-ready incident workflow

Sorena can help structure DORA incident classification, payment-incident triage, report-stage evidence, and source citations for teams preparing regulator-facing incident records.

- [Open Research Copilot](/solutions/research-copilot.md): Ask source-linked questions about DORA incident classification, report timing, templates, and payment-related incident overlap.
- [Talk through implementation](/contact.md): Review your DORA and payment-service incident-reporting workflow, evidence labels, and source gaps with Sorena.

## Primary sources

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the DORA scope, Article 19 reporting route, and Article 23 payment-related incident coverage used in the triage rule.
  - Quote: "Reporting of major ICT-related incidents"
- [Delegated Regulation (EU) 2024/1772 on incident classification](https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/eng?ref=sorena.io) - Supports using classification evidence instead of a generic incident label.
  - Quote: "affected transactions"
- [Delegated Regulation (EU) 2025/301 on DORA incident report content and time limits](https://eur-lex.europa.eu/eli/reg_del/2025/301/oj/eng?ref=sorena.io) - Supports the DORA reporting stages and time limits used in the triage rule.
  - Quote: "Time limits"
- [Implementing Regulation (EU) 2025/302 on DORA reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Supports completing stage-specific fields and updating prior information in later reports.
  - Quote: "update any information"

## Related Topic Guides

- [DORA Critical or Important Functions: mapping ICT dependencies and evidence](/artifacts/eu/digital-operational-resilience-act/critical-and-important-functions.md): How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
- [DORA deadlines and compliance calendar for financial entities](/artifacts/eu/digital-operational-resilience-act/deadlines-and-compliance-calendar.md): Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
- [DORA ICT Third-Party Contract Remediation Workflow](/artifacts/eu/digital-operational-resilience-act/contract-remediation-workflow.md): A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
- [DORA ICT Third-Party Contracts FAQ](/artifacts/eu/digital-operational-resilience-act/faq/ict-third-party-contracts.md): What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
- [DORA ICT third-party risk and contract clauses guide](/artifacts/eu/digital-operational-resilience-act/third-party-risk-and-contract-clauses.md): Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
- [DORA incident classification forms: criteria, fields, and reporting clocks](/artifacts/eu/digital-operational-resilience-act/incident-classification-forms.md): Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
- [DORA incident clock workflow: classification, reports, deadlines, and evidence](/artifacts/eu/digital-operational-resilience-act/incident-clock-workflow.md): Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
- [DORA major ICT incident reporting: classification, reports, and timing](/artifacts/eu/digital-operational-resilience-act/major-incident-reporting.md): Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
- [DORA major ICT incident thresholds: what triggers reporting?](/artifacts/eu/digital-operational-resilience-act/faq/major-incident-thresholds.md): FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
- [DORA Register of Information FAQ: ICT Third-Party Arrangements](/artifacts/eu/digital-operational-resilience-act/faq/register-of-information.md): FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
- [DORA Register of Information Import and Build Workflow](/artifacts/eu/digital-operational-resilience-act/roi-import-and-build-workflow.md): Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
- [DORA Register of Information Template: ICT Provider Fields and Evidence](/artifacts/eu/digital-operational-resilience-act/dora-register-of-information-template.md): A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
- [DORA TLPT selection: who can be required to test?](/artifacts/eu/digital-operational-resilience-act/faq/tlpt-selection.md): FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
- [DORA vs EBA outsourcing guidelines: ICT third-party risk comparison](/artifacts/eu/digital-operational-resilience-act/dora-vs-eba-outsourcing-guidelines.md): Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
- [DORA vs ISO 22301: ICT resilience and business continuity compared](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-22301.md): Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
- [DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-27001.md): Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
- [DORA vs NIS2: financial-sector obligations, overlap, and evidence](/artifacts/eu/digital-operational-resilience-act/dora-vs-nis2.md): Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
- [EU DORA Applicability Test for Financial Entities and ICT Providers](/artifacts/eu/digital-operational-resilience-act/applicability-test.md): A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
- [EU DORA Compliance Checklist for Financial Entities](/artifacts/eu/digital-operational-resilience-act/checklist.md): A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
- [EU DORA Compliance Obligations and Evidence Guide](/artifacts/eu/digital-operational-resilience-act/compliance.md): A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
- [EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence](/artifacts/eu/digital-operational-resilience-act/faq.md): Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
- [EU DORA ICT risk management control baseline](/artifacts/eu/digital-operational-resilience-act/ict-risk-management-control-baseline.md): A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
- [EU DORA ICT subcontracting chain controls for critical functions](/artifacts/eu/digital-operational-resilience-act/subcontracting-chain-controls.md): DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
- [EU DORA penalties and fines: enforcement powers and limits](/artifacts/eu/digital-operational-resilience-act/penalties-and-fines.md): Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
- [EU DORA Register of Information Data Model: templates, fields, and evidence](/artifacts/eu/digital-operational-resilience-act/register-of-information-data-model.md): Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
- [EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk](/artifacts/eu/digital-operational-resilience-act/requirements.md): A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
- [EU DORA Scope and Covered Entities: financial entities and ICT providers](/artifacts/eu/digital-operational-resilience-act/scope-and-covered-entities.md): Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
- [EU DORA Scope and Proportionality Workflow](/artifacts/eu/digital-operational-resilience-act/scope-and-proportionality-workflow.md): Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
- [EU DORA testing and TLPT readiness guide](/artifacts/eu/digital-operational-resilience-act/testing-and-tlpt-readiness.md): A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
- [EU DORA TLPT eligibility workflow for financial entities](/artifacts/eu/digital-operational-resilience-act/tlpt-eligibility-workflow.md): Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
- [EU DORA TLPT Runbook: scope, providers, reports, and remediation](/artifacts/eu/digital-operational-resilience-act/tlpt-runbook.md): Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
- [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md): A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
- [How to build a DORA register of information](/artifacts/eu/digital-operational-resilience-act/register-of-information-how-to-build.md): Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-psd2-incident-reporting