The complete reference for DORA reporting obligations: classification, 4h / 72h / 1-month timelines, harmonised templates from RTS 2025/301, threat notifications and Register of Information submissions.
DORA imposes three reporting streams: (1) major ICT-related incidents — initial notification within 4h of classification, intermediate within 72h, final within 1 month; (2) significant cyber threats — voluntary notification under Article 19(2); (3) the Register of Information — annual submission by 30 April. Templates are harmonised by RTS 2025/301 and ITS 2024/2956. Failure to report on time is a sanctionable breach of Article 19.
Once an ICT-related incident is classified as major (per RTS 2024/1772), the financial entity must follow this three-stage reporting path with the competent authority. The clock starts at the moment of classification, not at detection.
Initial notification (within 4h of classification): Notify the competent authority that a major incident has occurred. The notification must use the harmonised template from RTS 2025/301 Annex II and contain the basic facts: when, where, type, services affected, preliminary impact, contact point. Classification must itself be done without undue delay, in practice within 24 hours of detection.
Intermediate report (within 72h): Submit detailed information on the incident's evolution: root cause analysis (preliminary), business and operational impact (clients, transactions, services, third parties involved), measures taken to contain/recover, and forward-looking actions. May be sent earlier if the situation is stable.
Final report (within 1 month): Provide the full root-cause analysis, total quantitative and qualitative impact, lessons learned, and a description of the corrective/preventive actions implemented. The competent authority then forwards aggregated information to ESAs, ECB and ENISA per Article 19(6).
Commission Delegated Regulation (EU) 2024/1772 sets out the criteria, thresholds and approach for classifying ICT-related incidents and significant cyber threats. An incident is major if it meets at least 2 primary criteria or 1 primary criterion plus the economic-impact threshold.
1. Clients: number affected, percentage of total, presence of relevant clients (e.g. central counterparties).
2. Reputational impact: media coverage, repeated complaints, loss of clients, regulatory enforcement, contagion risk.
3. Duration and downtime: duration of the incident vs. recovery time objective; downtime of services supporting Critical or Important Functions.
4. Geographical spread: number of Member States affected; cross-border services or third-country impact.
5. Data: confidentiality, integrity or availability impact on personal data, sensitive financial data, or business-critical data.
6. Critical services: impact on Critical or Important Functions (CIFs) or services delegated to ICT third-party providers.
7. Economic impact: gross direct and indirect costs and losses; a threshold of EUR 100 000 triggers the economic criterion.
| Stream | Trigger | Template / Format | Deadline |
|---|---|---|---|
| Major ICT incident (Art. 19) | Classification per RTS 2024/1772 | RTS 2025/301 Annex II (initial / intermediate / final) | 4h / 72h / 1 month |
| Significant cyber threat (Art. 19(2)) | Voluntary; institution judges threat is relevant | RTS 2025/301 Annex III (threat notification template) | As soon as practicable |
| Register of Information (Art. 28(3)) | All ICT third-party arrangements | ITS 2024/2956 (xBRL-CSV harmonised template) | Annually, by 30 April |
| Operational/Security PSP incidents (PSD2 Art. 96) | Payment institutions only; consolidated under DORA from 17 Jan 2025 | RTS 2025/301 (single channel with DORA) | Aligned with major-incident timeline |
Single channel: per Article 19(1), each Member State designates one competent authority as the entry point. Reports may be transmitted via national portals or the ESAs' joint platform once operational.
Resiplan triggers the reporting workflow the moment an incident is classified as major: pre-filled RTS 2025/301 templates, automatic deadline countdown, evidence chain, multi-stakeholder approval, and direct submission to the competent authority. Built for EU financial institutions.
Under Article 19(1), each Member State designates a single competent authority as the entry point for major incident reports. The submission channel and specific portal vary by jurisdiction. The reporting entity submits to its home NCA, which forwards aggregated information to the relevant ESA, the ECB (where applicable for SSM-supervised banks) and ENISA per Article 19(6).
| Country | Authority | Portal | Languages accepted |
|---|---|---|---|
| Germany | BaFin | BaFin MVP (Melde- und Veröffentlichungsplattform) | German, English (case-by-case) |
| France | ACPR (banks & insurers), AMF (markets) | OneGate (ACPR), GECO (AMF) | French (English secondary) |
| Italy | Banca d'Italia / IVASS / CONSOB | Infostat-Reg portal | Italian, English |
| Spain | Banco de España / DGSFP / CNMV | e-Sede portal | Spanish, English |
| Netherlands | DNB / AFM | DLR (Digitaal Loket Rapportages) | Dutch, English |
| Belgium | NBB / FSMA | OneGate Belgium | Dutch, French, English |
| Austria | FMA | FMA Incoming portal | German, English |
| Ireland | Central Bank of Ireland | ONR (Online Reporting) | English |
| Luxembourg | CSSF / CAA | eDesk portal | French, German, English |
| Sweden | Finansinspektionen | FI Reporting Portal | Swedish, English |
Practical recommendation: identify your home NCA portal during normal-operations preparation, not during an incident. Pre-register access credentials, conduct a dry-run submission with a test incident, and document the portal walkthrough in the incident response playbook. Many incidents are reported late simply because the submitter could not retrieve the portal credentials at 3 AM during the outage.
To make the classification process tangible, here is a fictional but representative incident at a mid-size EU bank, followed by the application of the RTS criteria, the classification decision, and the reporting timeline.
At 14:32 CET on a Wednesday, the online banking platform of Bank Alpha (€18bn total assets, 1.2 million retail clients in Germany and France) becomes unresponsive. By 15:00 the SOC confirms a denial-of-service attack against the load balancer fronting the customer portal. The mobile app and web banking are unavailable; bill payments queued during the outage are not processed; SMS authentication for high-value transfers is also affected (different downstream system). At 16:45 the load balancer is failed over to the DR region; service is restored by 17:30 with limited residual lag. Total downtime: 2h 58min during peak banking hours. No data confidentiality compromise.
Decision: Multiple primary criteria triggered (1, 4, 6) plus economic threshold (7). Classification: major incident. The 4h clock starts at the classification decision (assume 16:00 same day after SOC confirmation).
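An added example (not part of the original page or of any product it mentions) that applies the page's classification rule and reporting clock to the Bank Alpha scenario. The calendar date, the fixed CET offset, the function names and the month-end clamping used for the 1-month deadline are assumptions.

```python
import calendar
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1), "CET")  # fixed offset; the scenario gives times in CET
PRIMARY = {1, 2, 3, 4, 5, 6}  # criteria numbered as in the scenario's decision
ECONOMIC = 7                  # economic-impact threshold

def is_major(triggered):
    """Page's rule: >= 2 primary criteria, or 1 primary plus the economic threshold."""
    primary = len(set(triggered) & PRIMARY)
    return primary >= 2 or (primary == 1 and ECONOMIC in triggered)

def add_one_month(ts):
    """Same day next month, clamped to month end (assumed reading of '1 month')."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))

def reporting_deadlines(classified_at):
    """All three clocks run from the classification time, not from detection."""
    if classified_at.tzinfo is None:
        raise ValueError("classification time must be timezone-aware")
    return {
        "initial": classified_at + timedelta(hours=4),
        "intermediate": classified_at + timedelta(hours=72),
        "final": add_one_month(classified_at),
    }

def classified_in_time(detected_at, classified_at, limit=timedelta(hours=24)):
    """Page's practical bound: classify within 24 hours of detection."""
    return timedelta(0) <= classified_at - detected_at <= limit

def overdue(deadlines, submitted, now):
    """Stages whose deadline has passed without a recorded submission."""
    return [s for s, due in deadlines.items() if s not in submitted and now > due]

# Constructed sample: the scenario's times placed on an arbitrary Wednesday.
DETECTED = datetime(2025, 1, 29, 14, 32, tzinfo=CET)
CLASSIFIED = datetime(2025, 1, 29, 16, 0, tzinfo=CET)

if __name__ == "__main__":
    print("major:", is_major({1, 4, 6, 7}))
    print("classified in time:", classified_in_time(DETECTED, CLASSIFIED))
    for stage, due in reporting_deadlines(CLASSIFIED).items():
        print(f"{stage:<13}{due:%a %Y-%m-%d %H:%M %Z}")
```

With the constructed date the final deadline lands on 28 February because 29 February does not exist that year; confirm how your competent authority counts the month before relying on the clamping.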
Article 19(2) introduces a voluntary notification mechanism for "significant cyber threats" — threats observed by the entity that have not yet materialised as incidents but are considered relevant to the financial system. The aim is sector-wide intelligence sharing: an early warning from one entity can help others harden defences.
The RTS on classification (RTS 2024/1772) clarifies the criteria for "significant" status:
Notification is made via the same NCA portal as incident reports, using RTS 2025/301 Annex III (threat notification template). The template captures: threat description, TTPs observed, indicators of compromise (IOCs), affected functions/systems, mitigation actions taken, intelligence sharing recommendation. The NCA may forward the threat brief to ESAs and to other entities via trusted information sharing arrangements (Article 45).
Practical recommendation: establish a Threat Notification Decision Committee in the SOC governance — typically 3-5 people meeting weekly to review observed threats and decide whether to notify. Most banks find that 10-30 threats per year qualify for voluntary notification under Article 19(2).