Incident reporting under DORA: when and how to report?
DORA requires financial entities to classify and report major ICT incidents to the competent supervisor, with an initial, intermediate and final report. Significant cyber threats may be reported voluntarily.
Short answer: DORA requires you to manage, classify and report ICT incidents. Major ICT incidents are reported to the competent supervisor through a phased process: an initial notification, an intermediate update and a final report. Significant cyber threats may be reported voluntarily.
Classify first
Not every incident is reportable. You assess incidents against harmonised classification criteria — including the number of clients and transactions affected, duration and downtime, geographical spread, data impact and economic consequences. If an incident exceeds the thresholds, it counts as major and reporting is mandatory. The ESAs have set out these criteria in technical standards.
The phased report
For a major incident the report proceeds in steps: an initial notification shortly after detection, an intermediate report when the situation materially changes or within the set deadline, and a final report with root-cause analysis once the incident is resolved. The exact deadlines and templates are in the implementing standards; design your internal process to meet them.
One reporting stream
DORA aims to streamline: where possible you report through a single channel to your supervisor, which shares information with the relevant authorities. Align your incident process with your business continuity (see the ICT risk framework) so detection, response and reporting connect.
Read also: DORA guide and ICT risk management under DORA.
Sources
- Regulation (EU) 2022/2554 (DORA), Chapter III: management, classification and reporting of ICT-related incidents. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- ESAs: RTS/ITS on classification criteria and reporting templates for major ICT incidents. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora