Article 18: Classification of ICT-related incidents and cyber threats
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 18 requires entities to classify ICT-related incidents and determine their impact against criteria such as the number of clients affected, duration, geographical spread, data losses, and economic impact, determining whether an incident is 'major' and therefore reportable.
Chapter III, ICT-related incident management · Pillar: ICT Incident Reporting
Key points
- Sets the criteria for classifying incidents
- Defines the threshold for a 'major' incident
- Criteria detailed further in regulatory technical standards
How this fits DORA
Article 18 sits within the ICT Incident Reporting pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 18 in the consolidated regulation on EUR-Lex.