Incident reporting is a critical component of DORA compliance. The regulation establishes clear timelines and procedures for reporting ICT-related incidents to supervisory authorities.

What Qualifies as a Reportable Incident?

Under DORA, reportable incidents include:

  • Incidents impacting data confidentiality, availability, or integrity
  • Service disruptions affecting critical business functions
  • Incidents involving critical third-party service providers
  • Significant cyber attacks or threats

Reporting Timeline

DORA establishes a three-stage reporting process:

Initial Notification (within 4 hours)

Financial entities must submit an initial notification as soon as they become aware of a major incident. The notification includes:

  • Description of the incident
  • Time of detection
  • Suspected root cause (if known)
  • Immediate impact assessment

Intermediate Report (within 72 hours)

A more detailed report must follow, containing:

  • Updated impact assessment
  • Indicators of compromise
  • Actions taken or planned
  • Preliminary root cause analysis

Final Report (within 1 month)

The final report should include:

  • Comprehensive root cause analysis
  • Detailed impact assessment
  • Recovery actions taken
  • Measures to prevent recurrence
  • Lessons learned

Classification System

Incidents must be classified by severity:

  • Major Incidents: Require full reporting protocol
  • Significant Incidents: Simplified reporting
  • Minor Incidents: Internal tracking only

Implementation Checklist

  1. Establish incident detection capabilities
  2. Define incident classification criteria
  3. Create escalation procedures
  4. Designate reporting responsibilities
  5. Set up communication channels with authorities
  6. Implement incident tracking systems
  7. Train staff on reporting procedures
  8. Conduct regular incident response drills

Common Challenges

  • Fast Detection: Meeting the 4-hour initial notification deadline requires robust monitoring
  • Classification: Determining incident severity in the early stages
  • Coordination: Managing communication between technical teams and compliance
  • Documentation: Maintaining detailed records during crisis situations

Best Practices

  • Automate detection and alerting where possible
  • Maintain pre-approved communication templates
  • Conduct regular tabletop exercises
  • Establish clear roles and responsibilities
  • Create playbooks for common incident types
  • Integrate with existing incident management tools

Integration with Pillar 3

Incident reporting under DORA is closely linked to the incident management requirements of Pillar 3. Organizations should ensure their incident management framework addresses:

  • Detection and monitoring
  • Response and recovery
  • Communication and reporting
  • Learning and improvement

Technology Solutions

Consider implementing:

  • Security Information and Event Management (SIEM) systems
  • Incident response platforms
  • Automated reporting tools
  • Threat intelligence feeds