1. Incident details
Timeline
Incident detected (date & time) Classified as major (date & time) Deadlines are computed from this.
Reporting entity
Reporting financial entity Legal name of the financial entity submitting the report. LEI code 20-character Legal Entity Identifier of the reporting entity. Type of financial entity - select - Credit institution Payment institution Electronic money institution Investment firm Crypto-asset service provider Central securities depository Central counterparty Trading venue Trade repository Insurance or reinsurance undertaking Insurance intermediary Institution for occupational retirement provision Credit rating agency Crowdfunding service provider ICT third-party service provider Other Category of financial entity as defined in DORA Article 2. Competent authority The national competent authority to which the report is submitted. Incident reference code Unique reference assigned by the entity to track the incident across all reports. Type of report - select - Initial notification Intermediate report Final report Major incident reclassified as non-major Indicate which of the three report stages this submission represents. Reporting currency - select - EUR BGN CZK DKK HUF PLN RON SEK GBP Other Currency used for all monetary amounts in the report. Submitting entity (if different) Name and LEI of the third party submitting on behalf of the entity, if applicable.
Classification criteria (Art. 18 / RTS 2024/1772)
Clients, financial counterparts and transactions affected — Assess the absolute number and relative share of clients, financial counterparts and transactions impacted, and whether they are material to the entity's operations.Reputational impact — Assess whether the incident has been reflected in media, generated complaints, or risks losing clients or breaching legal or regulatory obligations.Duration and service downtime — Measure the length of the incident and the total downtime of the affected ICT services from detection to restoration.Geographical spread — Assess whether the incident affects two or more EU Member States and the significance of activities in those areas.Data losses (availability, authenticity, integrity, confidentiality) — Assess any impact on the availability, authenticity, integrity or confidentiality of data caused by the incident.Criticality of services affected — Assess whether critical or important functions, or services subject to authorisation or supervision, were impacted.Economic impact — Estimate the gross direct and indirect costs and losses, judged in absolute terms and relative to the entity's size.No criteria selected yet.
Initial notification fields
Date and time of detection When the entity first became aware of the incident. Date and time of classification as major When the incident was assessed as meeting the major-incident thresholds. Date and time the incident occurred Best estimate of when the incident actually started, if known. Description of the incident Concise summary of what happened and how it was discovered. Has the incident been reclassified? - select - No Yes - upgraded to major Yes - downgraded to non-major State whether the classification changed after initial assessment. Classification criteria triggered List which of the seven materiality criteria led to the major classification. Affected functions and services Identify the business functions and ICT services impacted, noting any critical or important functions. Are other financial entities affected? - select - No Yes Not yet known Indicate whether the incident has or may have spread to other entities. Origin of the incident - select - Internal to the entity Third-party provider Unknown at this stage Preliminary indication of where the incident originated. Business continuity measures activated? - select - No Yes Activation in progress State whether business continuity or disaster recovery plans have been triggered. Is the incident still ongoing? - select - Yes - ongoing No - resolved Temporarily contained Current status of the incident at the time of notification. Contact person details Name and contact information of the person handling the incident.
Intermediate report fields
Updated classification assessment Confirm or revise the criteria triggered and any change in severity. Current incident status - select - Ongoing Temporarily resolved Permanently resolved Recurring State the operational status of the incident at the time of this report. Type of incident - select - Cybersecurity-related Process failure System failure Human error External event Third-party related Other Best categorisation of the nature of the incident. Preliminary root cause Initial findings on what caused the incident, even if not yet confirmed. Affected ICT assets and infrastructure Describe the systems, networks, applications and data assets impacted. Updated affected functions and services Revised list of impacted functions, confirming critical or important functions affected. Impact on clients and financial counterparts Quantify clients, counterparts and transactions affected with updated figures. Impact on financial interests Describe any impact on clients' financial interests, funds or data. Geographical spread List the Member States and regions affected by the incident. Temporary remediation actions taken Describe interim measures applied to contain or mitigate the incident. Has the incident recurred? - select - No Yes Risk of recurrence identified State whether the incident has happened again since the initial notification. Indicators of compromise Provide any technical indicators relevant to a malicious incident, if applicable.
Final report fields
Root cause analysis Detailed and confirmed explanation of the underlying cause of the incident. Confirmed classification Final confirmation of the criteria met and the major status of the incident. Permanent resolution measures Describe the corrective actions that permanently resolved the incident. Date and time of permanent resolution When normal operations were fully and permanently restored. Total duration and downtime Total elapsed duration of the incident and cumulative service downtime. Gross economic impact Total gross direct and indirect costs and losses caused by the incident. Net economic impact Costs net of any financial recoveries such as insurance or recovered funds. Financial recoveries and insurance Detail any amounts recovered through insurance, clawbacks or other means. Final data losses assessment Confirm any loss of availability, authenticity, integrity or confidentiality of data. Recurrence prevention measures Describe permanent measures put in place to prevent the incident recurring. Lessons learned Summarise key takeaways and improvements to processes, controls or governance. Other authorities or parties informed List any other authorities, law enforcement or affected parties notified.
2. Your report drafts
Initial due
- fill timeline -
within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it · intermediate: within 72 hours of the initial notification, and again whenever there is a relevant status update · final: no later than one month after the latest intermediate report, once the root cause has been addressed and actual impact figures are available
Initial notification
Fill the form and press Generate .
The initial (4h) draft is free. The licence (€99, one-off) unlocks the intermediate & final drafts and clean print/PDF export — reusable for every incident.
Drafts are generated locally in your browser. This tool is a professional aid, not legal advice; verify against your competent authority's current template before filing.