Template GuideEU DORA

DORA incident classification forms

A practical form structure for classifying ICT-related incidents under DORA before deciding whether a major-incident report or voluntary significant cyber-threat notification is needed.

Use it to capture the classification criteria, materiality thresholds, reporting-stage fields, time-limit evidence, estimates, and reclassification notes that competent-authority submissions depend on.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA incident classification forms should be more than ordinary security tickets. They should show, from the first triage record, which Delegated Regulation (EU) 2024/1772 criteria were tested, whether Article 8 makes the incident reportable as a major ICT-related incident, which Implementing Regulation (EU) 2025/302 form fields are ready, and which reporting clock under Delegated Regulation (EU) 2025/301 is running.

Section 1

Classify the event before opening a major-incident report

The classification form should start with a structured yes/no assessment against the DORA criteria: clients, financial counterparts and transactions; reputational impact; duration and service downtime; geographical spread; data losses; criticality of services affected; and economic impact.

A major ICT-related incident is not triggered by every threshold in isolation. Under Delegated Regulation (EU) 2024/1772, the incident must affect critical services and either meet the malicious unauthorised-access data-loss threshold or meet two or more of the listed materiality thresholds. Non-major recurring incidents can also be treated as one major incident when they occur at least twice within six months, share the same apparent root cause, and collectively meet the major-incident test.

  • Record affected service, critical or important function, authorisation or supervisory status, and whether there was successful malicious unauthorised access.
  • Capture client, financial-counterparty, transaction-number, and transaction-value impacts, including whether values are actual or estimated from comparable reference periods.
  • Measure duration from occurrence, detection, or log evidence as applicable; measure service downtime until regular service or delayed service is restored.
  • Treat cross-Member-State impact, data availability, authenticity, integrity, confidentiality, and economic costs as separate evidence lines rather than a single severity label.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Defines the DORA classification criteria, major-incident test, recurring-incident aggregation, and materiality thresholds.
Regulation (EU) 2022/2554 (DORA)
Establishes the Article 19 obligation to report major ICT-related incidents and the voluntary route for significant cyber threats.
Section 2

Use the materiality thresholds as form fields, not prose

The form should force the classifier to enter the threshold evidence that makes the incident reportable or not reportable. That means separating measurable thresholds from qualitative evidence, and recording estimates when exact values are not yet available.

The most useful form layout is one row per criterion: source of data, threshold tested, value observed or estimated, evidence link, owner, reviewer, and conclusion. This lets the team update the same record during the initial notification, intermediate report, and final report rather than rebuilding the classification from memory.

  • Clients: higher than 10 percent of all clients using the affected service, more than 100,000 affected clients, or relevant clients affected.
  • Financial counterparts and transactions: more than 30 percent of relevant financial counterparts, more than 10 percent of daily average transaction count, or more than 10 percent of daily average transaction value.
  • Duration, downtime, geography, data, and cost: more than 24 hours duration, more than 2 hours downtime for ICT services supporting critical or important functions, impact in at least two Member States, qualifying data-loss impact, or costs and losses exceeding or likely to exceed EUR 100,000.
  • Reputation: media reflection, repetitive complaints, inability or likely inability to meet regulatory requirements, or likely material loss of clients or financial counterparts.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Provides the numerical and qualitative materiality thresholds that should become rows in the classification form.
Section 3

Map classification output to the DORA reporting template

Once the incident is classified as major, Implementing Regulation (EU) 2025/302 requires financial entities to use the Annex I template for the initial notification, intermediate report, and final report. The same regulation allows fields required at a later stage to be supplied earlier when the information is already available.

The classification form should therefore mark each field as initial, intermediate, final, estimated, actual, not yet known, or not applicable. It should also preserve the incident reference code assigned by the financial entity and, when available, the reference code provided by the competent authority.

  • General fields: submission type, submitting entity, affected financial entity, LEI, financial-entity type, contact persons, parent undertaking where applicable, and reporting currency.
  • Initial notification fields: detection date and time, classification date and time, incident description, triggered classification criteria, impacted Member States, discovery route, origin if available, business-continuity activation, and other relevant information.
  • Intermediate-report fields: occurrence and recovery timestamps, client and counterparty impact, transaction impact, reputational impact, duration, downtime, Member-State impact, data-loss thresholds, critical-services assessment, incident type, threat techniques, affected functional areas, infrastructure components, client financial-interest impact, other-authority reporting, recovery measures, and indicators of compromise.
  • Final-report fields: root-cause classifications, root-cause narrative, resolution summary, root-cause and resolution timestamps, resolution-authority relevance, gross costs and losses, recoveries, recurring-incident status, and recurring-incident occurrence times.
Sources for this answer
Implementing Regulation (EU) 2025/302 on DORA incident reporting templates
Sets the standard forms, template fields, glossary, secure-channel procedure, reclassification field use, outsourced reporting notice, aggregated reporting conditions, and significant cyber-threat template.
Delegated Regulation (EU) 2025/301 on incident notification content and time limits
Specifies the content required in initial notifications, intermediate reports, final reports, and voluntary significant cyber-threat notifications.
Section 4

Add reporting clocks and delay evidence

The form should calculate deadlines from two timestamps: when the entity became aware of the ICT-related incident and when it classified the incident as a major ICT-related incident. These timestamps drive the initial-notification clock and help explain late classification.

Under Delegated Regulation (EU) 2025/301, the initial report is due as early as possible, within four hours from major classification, and no later than 24 hours from awareness. The intermediate report is due within 72 hours from the initial notification, with updates without undue delay and when regular activities recover. The final report is due no later than one month after the intermediate report or the latest updated intermediate report.

  • Save awareness time, detection time, classification time, occurrence time, recovery time, root-cause-addressed time, and final resolution time as separate fields.
  • If major classification happens after the first 24 hours from awareness, record why and submit the initial notification within four hours from classification.
  • If a deadline cannot be met, record the notification to the competent authority, the reason for delay, and the time that notice was sent.
  • Only apply the weekend or bank-holiday noon-next-working-day rule where the regulation allows it; the exception does not apply to the listed credit institutions, central counterparties, trading venues, and NIS2 essential or important entities for initial and intermediate reports.
Sources for this answer
Delegated Regulation (EU) 2025/301 on incident notification content and time limits
Provides the four-hour, 24-hour, 72-hour, one-month, delay-notice, and weekend or bank-holiday timing rules for DORA major-incident reports.
Section 5

Handle significant cyber threats separately from incidents

A significant cyber-threat notification is voluntary under DORA Article 19, and it is not the same record as a confirmed major ICT-related incident report. The form should keep a separate significant-threat tab for threats that have not materialised but may be relevant to the financial system, service users, or clients.

Delegated Regulation (EU) 2024/1772 treats a cyber threat as significant when all listed conditions are fulfilled: potential effect on critical or important functions or others in the ecosystem, high probability of materialisation based on available information, and potential to meet specified major-incident criteria or thresholds if materialised.

  • Capture the threat description, detection timestamp, threat status, changes in threat activity, and source of threat information.
  • Record potential impact on the financial entity, clients, and financial counterparts, plus the major-incident criteria that would have been triggered if the threat materialised.
  • Document vulnerabilities, threat-actor capability and intent where known, persistence, and knowledge from incidents affecting the entity, third-party providers, clients, or financial counterparts.
  • When available, include indicators of compromise such as IP addresses, URLs, domains, file hashes, malware data, network activity, email headers, DNS requests, account activity, or database requests.
Sources for this answer
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Defines when a cyber threat is significant for DORA classification purposes.
Implementing Regulation (EU) 2025/302 on DORA incident reporting templates
Sets the Annex III significant cyber-threat notification template and Annex IV instructions.
Section 6

Evidence and decision record checklist

The classification decision should be reviewable after the incident. Keep the operational evidence beside the legal conclusion so a later reviewer can see why the incident was reported, not reported, updated, aggregated, or reclassified.

The strongest record is a single evidence pack that links the SOC timeline, service-management timestamps, business-impact evidence, customer and counterparty counts, transaction baselines, loss estimates, communications, recovery measures, and competent-authority submissions.

When should a DORA incident classification form become a major-incident report?

When the incident affects critical services and meets the Article 8 test in Delegated Regulation (EU) 2024/1772: either successful malicious unauthorised access with possible data losses, or at least two other materiality thresholds. Recurring non-major incidents can also aggregate into one major incident when the regulation's recurrence conditions are met.

What fields should be ready for the first DORA initial notification?

At minimum, the form should hold the entity and contact fields, incident reference code, detection time, classification time, incident description, triggered classification criteria, impacted Member States, discovery route, available origin information, business-continuity activation status, and any other relevant information.

Can estimated numbers be used in a DORA incident classification form?

Yes. Delegated Regulation (EU) 2024/1772 allows estimates from comparable reference periods when affected clients, financial counterparts, transactions, or amounts cannot be determined, and Implementing Regulation (EU) 2025/302 allows estimated values where accurate data are not available for initial or intermediate reporting.

  • Keep the classification matrix showing every criterion tested, threshold result, data source, estimate method, owner, reviewer, and timestamp.
  • Preserve raw or exportable evidence: monitoring alerts, incident tickets, logs, service-status records, BCP activation record, client-complaint evidence, media monitoring, transaction baselines, affected Member-State analysis, and cost or loss calculations.
  • For outsourced or aggregated reporting, retain the competent-authority notice, third-party submitter identity and contact details, permission for aggregation where relevant, and the individual entity impact data if requested.
  • If the incident is reclassified from major to non-major, record the further assessment, why the Article 8 criteria and thresholds were never fulfilled, the template fields used for the reclassification notice, and the date the competent authority was notified.
Sources for this answer
Implementing Regulation (EU) 2025/302 on DORA incident reporting templates
Supports evidence fields for estimates, template updates, secure channels, reclassification, outsourced reporting, and aggregated reporting.
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Supports the criterion-by-criterion evidence pack and recurring-incident assessment.
Recommended next step

Build a classification record that supports DORA reporting

Sorena can help translate the DORA classification criteria, template fields, time limits, and evidence requirements on this page into a reusable incident intake and reporting workflow.

Research workflow
Open Research Copilot for EU DORA

Ask source-linked questions about DORA major-incident criteria, significant cyber-threat notifications, report fields, reporting clocks, and reclassification evidence.

Explore next step
Talk to Sorena
Talk through implementation

Review your DORA incident intake form, major-incident classification matrix, reporting-template field map, and evidence pack.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Establishes the Article 19 obligation to report major ICT-related incidents and the voluntary route for significant cyber threats.
"reporting of major ICT-related incidents"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.