Skip to main content
DORA Auditor

Article 18: Classification of ICT-related incidents and cyber threats

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 18 requires entities to classify ICT-related incidents and determine their impact against criteria such as the number of clients affected, duration, geographical spread, data losses, and economic impact, determining whether an incident is 'major' and therefore reportable.

Chapter III, ICT-related incident management · Pillar: ICT Incident Reporting

Key points

  • Sets the criteria for classifying incidents
  • Defines the threshold for a 'major' incident
  • Criteria detailed further in regulatory technical standards

How this fits DORA

Article 18 sits within the ICT Incident Reporting pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 18 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex