Transparency is a cornerstone of DORA. Articles 17–18 establish a structured framework for prompt and standardised incident reporting across the entire European financial sector.
What Constitutes a Major ICT Incident?
An incident must be classified as “major”, and therefore reported, when it meets the thresholds set across the following criteria:
- Clients affected: Number of clients impacted or financial transactions affected
- Reputational impact: Media coverage, client complaints, regulatory attention
- Duration: Length of service disruption
- Geographical spread: Number of Member States impacted
- Data losses: Confidentiality, integrity, or availability breaches
- Criticality of services: Impact on critical or important functions
- Economic impact: Direct and indirect costs
Reporting Timelines
DORA establishes a three-stage reporting process:
- Initial notification: Within 4 hours of classifying the incident as major (and no later than 24 hours after detection)
- Intermediate report: Within 72 hours of the initial notification, with updates on the situation, root cause analysis progress, and mitigation measures taken
- Final report: Within 1 month of the intermediate report, containing full root cause analysis, total impact assessment, and remediation measures implemented
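The classification criteria and the three-stage timeline above are easy to get wrong under pressure, so the following is an added example (not code from the original article or from any regulator) that turns both into a small checker: it records which criteria an incident trips and computes the three reporting deadlines from the detection and classification timestamps. The numeric thresholds and the rule for combining criteria into a “major” decision are constructed placeholders, as are the `Incident`, `criteria_met`, `is_major`, `add_months` and `reporting_deadlines` names; the real thresholds come from the DORA classification RTS and must be substituted before use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar


@dataclass
class Incident:
    """What the incident response team has observed so far (constructed fields)."""
    clients_affected: int
    transactions_affected: int
    media_or_regulator_attention: bool   # reputational impact
    duration_hours: float
    member_states_affected: int          # geographical spread
    data_cia_breach: bool                # confidentiality/integrity/availability loss
    critical_function_affected: bool     # criticality of services
    economic_impact_eur: float


# Placeholder thresholds for illustration only; replace with the RTS values.
THRESHOLDS = {
    "clients_affected": 1_000,
    "transactions_affected": 5_000,
    "duration_hours": 2.0,
    "member_states_affected": 2,
    "economic_impact_eur": 100_000.0,
}


def criteria_met(inc: Incident, th: dict = THRESHOLDS) -> list:
    """Return the names of the article's seven criteria whose threshold is met."""
    met = []
    if inc.clients_affected >= th["clients_affected"] or \
            inc.transactions_affected >= th["transactions_affected"]:
        met.append("clients_affected")
    if inc.media_or_regulator_attention:
        met.append("reputational_impact")
    if inc.duration_hours >= th["duration_hours"]:
        met.append("duration")
    if inc.member_states_affected >= th["member_states_affected"]:
        met.append("geographical_spread")
    if inc.data_cia_breach:
        met.append("data_losses")
    if inc.critical_function_affected:
        met.append("criticality_of_services")
    if inc.economic_impact_eur >= th["economic_impact_eur"]:
        met.append("economic_impact")
    return met


def is_major(inc: Incident, other_criteria_required: int = 2) -> bool:
    """Constructed combination rule (an assumption, not DORA's text): an incident is
    treated as major when a critical or important function is affected and at least
    `other_criteria_required` further criteria are met."""
    met = criteria_met(inc)
    return "criticality_of_services" in met and len(met) - 1 >= other_criteria_required


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps to the last day of a shorter month."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class Deadlines:
    initial: datetime       # 4 h after classification, capped at 24 h after detection
    intermediate: datetime  # 72 h after the initial notification
    final: datetime         # 1 month after the intermediate report


def reporting_deadlines(detected_at: datetime, classified_at: datetime,
                        initial_sent_at: Optional[datetime] = None) -> Deadlines:
    """Compute the three DORA deadlines. If the initial notification was actually
    submitted before its deadline, pass `initial_sent_at` so the 72 h clock starts
    from the real submission time."""
    if classified_at < detected_at:
        raise ValueError("classification cannot precede detection")
    initial = min(classified_at + timedelta(hours=4),
                  detected_at + timedelta(hours=24))
    clock_start = initial_sent_at if initial_sent_at is not None else initial
    intermediate = clock_start + timedelta(hours=72)
    final = add_months(intermediate, 1)
    return Deadlines(initial, intermediate, final)


if __name__ == "__main__":
    inc = Incident(5_000, 0, False, 3.0, 2, False, True, 50_000.0)
    print("criteria met:", criteria_met(inc), "-> major:", is_major(inc))
    detected = datetime(2025, 1, 30, 20, 0, tzinfo=timezone.utc)   # constructed
    classified = datetime(2025, 1, 31, 18, 0, tzinfo=timezone.utc)
    print(reporting_deadlines(detected, classified))
```

In the sample run the classification happened 22 hours after detection, so the 24-hour cap, not the 4-hour window, sets the initial deadline; tracking both clocks is exactly the “delayed classification” trap called out later in this article.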
Who Do You Report To?
Reports must be submitted to your national competent authority (NCA). The NCA then shares relevant information with the European Supervisory Authorities (ESAs). For incidents affecting multiple Member States, the ESAs coordinate the cross-border response.
Voluntary Reporting of Significant Cyber Threats
DORA also encourages (but does not mandate) reporting of significant cyber threats — threats that could potentially become major incidents. This intelligence sharing strengthens the collective defence of the financial sector.
Common Mistakes to Avoid
- Delayed classification: Not recognising an incident as “major” quickly enough
- Incomplete initial reports: Missing required fields in the notification
- No pre-established templates: Building reports from scratch during a crisis wastes critical time
- Failing to update: Not providing intermediate updates within the 72-hour window
Practical Steps
- Pre-build incident report templates aligned with DORA requirements
- Train your incident response team on classification criteria
- Run tabletop exercises simulating the full reporting timeline
- Establish a direct communication channel with your NCA
- Automate where possible — manual reporting is too slow for the 4-hour window