FAQEU DORA

DORA major ICT incident thresholds

A DORA incident is not reported as major just because it is disruptive; it must be classified against the EU criteria and materiality thresholds.

Use this FAQ to separate reportable major ICT-related incidents from ordinary incident handling, recurring non-major incidents, voluntary significant cyber-threat notifications, and evidence needed for the report file.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under EU DORA, financial entities classify ICT-related incidents using the criteria in DORA Article 18 and the materiality thresholds in Delegated Regulation (EU) 2024/1772. A major classification triggers reporting to the relevant competent authority under DORA Article 19 and the later reporting time limits and templates. Timings in this page are source-linked; verify current legal source language before implementation decisions.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 2

Which materiality thresholds should the incident team test?

Delegated Regulation (EU) 2024/1772 gives the main measurable thresholds. The incident team should record each criterion as met, not met, unknown, or estimated, and keep the data source for each answer.

Several criteria are not simple numeric tests. Reputational impact can be met through media coverage, repeated complaints, inability or likely inability to meet regulatory requirements, or likely material client or counterparty loss. Data-loss impact is assessed against availability, authenticity, integrity, and confidentiality.

  • Clients: more than 10% of all clients using the affected service, or more than 100,000 affected clients, meets the client threshold.
  • Financial counterparts: more than 30% of financial counterparts carrying out activities related to the affected service meets the threshold.
  • Transactions: more than 10% of the daily average number of transactions or more than 10% of the daily average value of transactions related to the affected service meets the threshold.
  • Duration and downtime: incident duration longer than 24 hours, or service downtime longer than 2 hours for ICT services supporting critical or important functions, meets the threshold.
  • Geographical spread: impact in two or more Member States meets the threshold.
  • Data losses: adverse impact on business objectives or regulatory compliance from availability, authenticity, integrity, or confidentiality loss meets the threshold; successful malicious unauthorised access that may result in data loss is separately material.
  • Economic impact: direct and indirect costs and losses exceeding, or likely to exceed, EUR 100,000 meet the threshold.
Citations
Question 3

How do recurring incidents affect the threshold decision?

Recurring non-major incidents can become one major incident collectively. Delegated Regulation (EU) 2024/1772 applies this where the incidents occur at least twice within 6 months, have the same apparent root cause, and collectively satisfy the major-incident test.

Financial entities must assess recurring incidents monthly. The recurring-incident rule does not apply to microenterprises and to the financial entities listed in DORA Article 16(1), based on the RTS text.

  • Track apparent root cause, affected service, classification criteria, timestamps, and recurrence count for incidents closed as non-major.
  • Run a monthly recurrence review before treating repeated low-impact incidents as permanently non-reportable.
  • If repeated incidents collectively meet the major-incident test, preserve the dates and times of occurrence because the final report template asks for recurring-incident information.
Citations
Question 4

What happens once the DORA major threshold is met?

Once the incident is classified as major, the reporting clock starts. Delegated Regulation (EU) 2025/301 requires the initial notification as early as possible, within 4 hours from major classification, and no later than 24 hours from awareness of the ICT-related incident. If classification as major happens later than 24 hours after awareness, the initial notification is due within 4 hours from that later classification.

The same RTS requires an intermediate report within 72 hours from the initial notification, updated intermediate reporting without undue delay when regular activities recover, and a final report no later than one month after the intermediate report or latest updated intermediate report. If a deadline cannot be met, the financial entity must inform the competent authority without undue delay and explain why before the relevant deadline.

  • Initial notification evidence: incident reference code, detection date and time, classification date and time, incident description, classification criteria met, impacted Member States, discovery route, origin if available, business-continuity activation, and any reclassification.
  • Intermediate report evidence: occurrence time, recovery time if applicable, how the classification criteria were fulfilled, incident type, threats and techniques, affected business processes and infrastructure, client financial-interest impact, other authority reporting, recovery actions, and indicators of compromise where applicable.
  • Final report evidence: root cause, resolution summary, dates when the incident and root cause were resolved, direct and indirect costs and losses, recoveries, and recurring-incident information where applicable.
  • Client communication is separate from competent-authority reporting: where a major ICT-related incident affects clients' financial interests, DORA requires informing affected clients without undue delay about the incident and mitigation measures.
Citations
Regulation (EU) 2022/2554 (DORA)

Article 19 covers major ICT-related incident reporting, voluntary significant cyber-threat notification, and client information where financial interests are affected.

Recommended next step

Classify incidents against the DORA RTS before the reporting clock is missed

Use the cited sources listed here to verify obligations and the supporting evidence requirements.

Research workflow
Open Research Copilot for EU DORA

Verify the following areas from the cited sources: major ICT-related incident classification, reporting time limits, and evidence fields using the cited EU texts.

Explore next step
Talk to Sorena
Review a DORA incident workflow

Map incident intake, classification, recurrence checks, competent-authority reporting, and client communication to the DORA RTS and ITS.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Article 19 covers major ICT-related incident reporting, voluntary significant cyber-threat notification, and client information where financial interests are affected.
"Reporting of major ICT-related incidents"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.