What is the DORA 4-hour incident notification deadline?

Under DORA Article 19 and RTS 2025/301, financial entities must submit an initial notification of a major ICT-related incident to their competent authority within 4 hours of the incident being classified as major. Classification itself must be performed without undue delay (in practice within 24 hours of detection).

What are the DORA incident reporting timelines?

DORA defines three reporting deadlines for major ICT-related incidents: (1) Initial notification within 4 hours of classification (max 24 hours after detection); (2) Intermediate report within 72 hours of classification, or as soon as the situation is stable; (3) Final report no later than one month after the intermediate report. RTS 2025/301 sets out the harmonised templates.

What makes an incident major under DORA?

RTS 2024/1772 defines 7 classification criteria: (1) clients/financial counterparts/transactions affected, (2) reputational impact, (3) duration and service downtime, (4) geographical spread, (5) data losses, (6) criticality of services affected, (7) economic impact. An incident is major if it triggers at least 2 primary criteria or 1 plus the economic threshold (EUR 100 000 gross direct/indirect costs).

Do I need to report significant cyber threats?

Yes - voluntary under DORA Article 19(2). Financial entities may notify their competent authority of significant cyber threats they consider relevant to the financial system. RTS 2025/301 provides the threat notification template. ESAs encourage reporting to support sector-wide intelligence sharing.

What is the Register of Information reporting frequency?

Per ITS 2024/2956, financial entities must submit their Register of Information annually to the competent authority by 30 April each year (for the previous year). The submission uses the harmonised xBRL-CSV format. Material updates to ICT third-party arrangements must also be notified during the year.

DORA Incident Reporting 2026: Timelines, Templates & Templates

TL;DR

DORA imposes three reporting streams: (1) major ICT-related incidents — initial notification within 4h of classification, intermediate within 72h, final within 1 month; (2) significant cyber threats — voluntary notification under Article 19(2); (3) the Register of Information — annual submission by 30 April. Templates are harmonised by RTS 2025/301 and ITS 2024/2956. Failure to report on time is a sanctionable breach of Article 19.

Major Incident Reporting Timeline

Once an ICT-related incident is classified as major (per RTS 2024/1772), the financial entity must follow this three-stage reporting path with the competent authority. The clock starts at the moment of classification, not at detection.

4 hours after classification

Initial notification

Notify the competent authority that a major incident has occurred. The notification must use the harmonised template from RTS 2025/301 Annex II and contain the basic facts: when, where, type, services affected, preliminary impact, contact point. Classification must itself be done without undue delay — in practice within 24 hours of detection.

72 hours after classification

Intermediate report

Submit detailed information on the incident's evolution: root cause analysis (preliminary), business and operational impact (clients, transactions, services, third parties involved), measures taken to contain/recover, and forward-looking actions. May be sent earlier if the situation is stable.

Within 1 month of the intermediate report

Final report

Provide the full root-cause analysis, total quantitative and qualitative impact, lessons learned, and a description of the corrective/preventive actions implemented. The competent authority then forwards aggregated information to ESAs, ECB and ENISA per Article 19(6).

The 7 Classification Criteria (RTS 2024/1772)

Commission Delegated Regulation (EU) 2024/1772 sets out the criteria, thresholds and approach for classifying ICT-related incidents and significant cyber threats. An incident is major if it meets at least 2 primary criteria or 1 primary criterion plus the economic-impact threshold.

Clients, counterparts & transactions

Number affected, percentage of total, presence of relevant clients (e.g. central counterparties).

Reputational impact

Media coverage, repeated complaints, loss of clients, regulatory enforcement, contagion risk.

Duration & service downtime

Duration of the incident vs. recovery time objective; downtime of services supporting Critical or Important Functions.

Geographical spread

Number of Member States affected; cross-border services or third-country impact.

Data losses

Confidentiality, integrity or availability impact on personal data, sensitive financial data, or business-critical data.

Criticality of services affected

Impact on Critical or Important Functions (CIFs) or services delegated to ICT third-party providers.

Economic impact

Gross direct and indirect costs and losses — threshold of EUR 100 000 triggers the economic criterion.

Three Reporting Streams under DORA

Stream	Trigger	Template / Format	Deadline
Major ICT incident Art. 19	Classification per RTS 2024/1772	RTS 2025/301 Annex II (initial / intermediate / final)	4h / 72h / 1 month
Significant cyber threat Art. 19(2)	Voluntary — institution judges threat is relevant	RTS 2025/301 Annex III (threat notification template)	As soon as practicable
Register of Information Art. 28(3)	All ICT third-party arrangements	ITS 2024/2956 (xBRL-CSV harmonised template)	Annually, by 30 April
Operational/Security PSP incidents PSD2 art. 96	Payment institutions only — consolidated under DORA from 17 Jan 2025	RTS 2025/301 (single channel with DORA)	Aligned with major-incident timeline

Single channel: per Article 19(1), each Member State designates one competent authority as the entry point. Reports may be transmitted via national portals or the ESAs' joint platform once operational.

Operational Tool

Automate the 4h / 72h / 1m clock with Resiplan

Resiplan triggers the reporting workflow the moment an incident is classified as major: pre-filled RTS 2025/301 templates, automatic deadline countdown, evidence chain, multi-stakeholder approval, and direct submission to the competent authority. Built for EU financial institutions.

See the incident workflow

Common Pitfalls to Avoid

Confusing detection with classification. The 4h clock starts at classification, but classification itself must happen without undue delay. Internal SLAs of 24h are reasonable; 72h is too late.
Ignoring third-party incidents. Under Article 17, a major incident at a critical ICT third-party that affects your CIFs must be reported even if you only learn about it indirectly.
Underreporting cumulative impact. Recurring related incidents must be aggregated when assessing economic impact — not analysed in isolation.
Missing the 30 April RoI deadline. The Register of Information is a separate annual filing — not bundled with incident reporting. xBRL-CSV format is mandatory.
Forgetting client notification. Article 19(3): when a major incident affects financial interests of clients, the entity must inform clients without undue delay and indicate measures taken.
No dual-language plan. Reports must be filed in the official language(s) of the host Member State; some authorities also accept English. Plan templates accordingly.

Related DORA References

RTS on Incident Reporting — deep-dive guide — full text walk-through of RTS 2025/301
Critical or Important Functions (CIF) — the materiality concept that drives "criticality of services affected"
All DORA RTS & ITS — complete index of technical standards
TLPT (Threat-Led Penetration Testing) — how testing findings inform incident-readiness
DORA Compliance Software — SaaS to operationalise reporting
Server Hardening Requirements — preventive controls that reduce incident likelihood

Core Pillars

Need Help?

DORA Incident Reporting Requirements