Classify ICT-related incidents, decide whether they are major, and prepare the initial notification, intermediate report, and final report required by DORA.
Grounded in DORA Article 19, the incident-classification RTS, the reporting-content RTS, and the standard reporting template ITS.
Structured answer sets in this page tree.
Cited legal and guidance references.
DORA major ICT-related incident reporting is a three-part supervisory workflow: classify the incident, notify the relevant competent authority, then update the authority through intermediate and final reporting as facts mature. It applies to the DORA-covered financial entities listed in Article 2, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and ICT third-party service providers. The useful operating record is not a generic security ticket; it is a classification file that ties affected services, clients, transactions, Member States, data losses, downtime, economic impact, recovery actions, and root cause evidence to the DORA reporting template.
The initial notification is the fast supervisory alert. It should contain the shared general fields required across all three reporting stages, then the specific facts available at classification time.
The reporting-content RTS requires general information such as the type of submission, entity name, LEI code, submitting entity, aggregated entities where applicable, competent-authority contact details, parent undertaking where applicable, and reporting currency where monetary impact exists. The initial notification then adds the entity's incident reference code, detection and classification timestamps, incident description, classification criteria, impacted Member States, discovery method, available origin information, business-continuity activation, reclassification information where applicable, and other relevant information.
The intermediate report is where the incident record becomes operationally useful: it updates the competent authority on occurrence time, recovery status, fulfilled classification criteria, incident type, threat actor techniques where applicable, affected business processes and infrastructure, client financial-interest impact, other authority reporting, recovery measures, and indicators of compromise where applicable.
The final report closes the supervisory file once root cause analysis is complete and actual impact figures can replace estimates. It must cover root causes, resolution and root-cause remediation dates and times, incident resolution, resolution-authority information where applicable, direct and indirect costs and losses, recoveries, and recurring-incident information where applicable.
Yes. Implementing Regulation (EU) 2025/302 allows a financial entity to combine the initial notification, intermediate report, and final report where regular activities have recovered or the root cause analysis has been completed, provided the Article 5 time limits in Delegated Regulation (EU) 2025/301 are still met.
Yes. If further assessment shows that the incident never met the Delegated Regulation (EU) 2024/1772 classification criteria and thresholds, Implementing Regulation (EU) 2025/302 requires the financial entity to notify the competent authority of the reclassification in the reporting template.
DORA treats significant cyber threat notifications differently from major incident reports. A financial entity may notify a significant cyber threat voluntarily when it considers the threat relevant to the financial system, service users, or clients. The classification RTS treats a cyber threat as significant where it could affect critical or important functions or other relevant parties, has a high probability of materialisation, and could meet specified major-incident criteria or thresholds if it materialised.
The voluntary notification content is narrower than major-incident reporting. It covers general entity information, detection timestamps, threat description, potential impact, classification criteria that would have triggered a major report if the threat materialised, threat status, actions taken to prevent materialisation, and notification to other financial entities or authorities.
A useful DORA evidence file lets a reviewer reconstruct the classification and every report without reopening raw incident tooling. Keep the incident chronology, classification worksheet, evidence for each threshold, the submitted template versions, competent-authority acknowledgements or guidance, client communications, and the final root-cause and impact record together.
The evidence should distinguish estimates from actual values because the reporting template permits estimates in initial and intermediate stages, while the final report is expected once root cause analysis is complete and actual impact figures are available to replace estimates.
Keep the classification record, the completed standard template for each submitted stage, timestamp evidence for awareness, classification and reporting, competent-authority communications, client communications where applicable, and the final root-cause, resolution, cost, loss and recovery evidence.
Delegated Regulation (EU) 2025/301 grounds the initial notification timing, the 72-hour intermediate report timing, and the one-month final report timing. This page does not add Member State-specific routing details beyond the competent-authority workflow supported by DORA and the reporting RTS.
Sorena can help map incident evidence to the DORA classification criteria, reporting template fields, competent-authority route, and source-linked review record.
Ask source-linked questions about DORA incident classification, report timing, authority routing, and evidence fields using the cited sources on this page.
Review your DORA major ICT-related incident workflow, reporting roles, source gaps, and evidence file structure with Sorena.
"high probability of materialisation"
"all information necessary"
"complete and accurate"
"voluntary basis"