Skip to main content
DORA Auditor

ICT Incident Reporting under DORA

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

DORA's incident-reporting pillar (Articles 17–23) requires financial entities to detect, manage, classify, and report major ICT-related incidents to their competent authority using a harmonised template and defined timelines.

Classification

Incidents are assessed against criteria such as the number of clients affected, duration, geographic spread, data losses, and economic impact to determine whether they are major and therefore reportable.

Reporting timelines

Major incidents follow a three-stage flow, an initial notification, an intermediate report, and a final report, with deadlines set out in the regulatory technical standards. Our incident classifier helps estimate whether an incident is reportable.

Frequently asked questions

What counts as a major incident under DORA?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex