DORA’s ICT-related incident reporting requirements are among the most operationally demanding elements of the regulation. The 4-hour window for initial notification of major ICT incidents is tight — significantly tighter than most existing regulatory notification timelines, and tight enough that financial entities without automated incident detection, clear classification processes, and pre-prepared notification procedures will struggle to meet it.
With fifteen months to go before the January 2025 compliance deadline, getting incident reporting right requires building both the classification methodology and the operational process now — not in 2024.
The Incident Classification Framework
Not all ICT incidents trigger DORA reporting obligations. The reporting requirements apply to “major ICT-related incidents” — a defined category that financial entities must classify incidents against. The classification criteria for major incidents include thresholds related to:
The number of clients affected and, for payment services, the number and value of transactions affected. The duration of the incident — incidents causing outages beyond a specified duration qualify as major. The geographic spread of the incident across EU member states. The reputational impact — incidents likely to cause significant reputational damage qualify as major. The criticality of the affected services — incidents affecting critical or important functions qualify at lower thresholds than incidents affecting non-critical systems.
The European Banking Authority (EBA), ESMA, and EIOPA are developing detailed regulatory technical standards (RTS) that will specify the precise thresholds for each classification criterion. Until these RTS are finalised, financial entities should build classification frameworks based on the criteria in the DORA text and the draft RTS published for consultation.
The Three-Stage Reporting Timeline
DORA requires three stages of reporting for major ICT incidents:
Initial notification — within 4 hours of classifying an incident as major, or within 4 hours of the incident being deemed a major incident based on its initial characteristics (and in any case no later than 24 hours of becoming aware of the incident). The initial notification is not expected to be comprehensive — it confirms that a major incident has occurred, provides initial information about its nature and impact, and initiates the regulatory dialogue.
Intermediate report — within 72 hours of the initial notification. The intermediate report provides an updated assessment of the incident — its scope, cause if known, impact on operations, and the response actions being taken. If the incident has been resolved, this report can serve as the final report.
Final report — within one month of the intermediate report, or within one month of incident resolution. The final report provides a comprehensive account of the incident — root cause analysis, full impact assessment, remediation actions taken, and lessons learned.
The Operational Challenge: 4 Hours Is Not Long
The 4-hour initial notification window is the element of DORA’s incident reporting requirements that most organisations underestimate. Four hours from incident classification to notification is tight under any circumstances. It is effectively impossible without pre-prepared notification procedures, pre-identified regulatory contacts, and an incident classification process that reaches classification decisions quickly.
Practical preparation requires: a documented incident classification decision tree that allows rapid classification against DORA’s major incident criteria; pre-prepared notification templates for initial, intermediate, and final reports; a defined escalation path to the executive or compliance function responsible for authorising regulatory notifications; and pre-established contacts and channels with relevant competent authorities.
Organisations that are building their incident response capability for DORA should test the end-to-end notification process — from incident detection through classification through initial notification — in a tabletop exercise that specifically challenges the 4-hour timeline.
At Bitsecura, we help financial entities design and implement DORA-compliant incident classification and reporting processes — including incident classification frameworks, notification procedure templates, and tabletop exercise programmes that test the reporting timeline under realistic incident conditions. Talk to us here if you want to get this right before January 2025.
Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.