
DORA Incident Reporting Requirements

Updated 24 June 2026

DORA introduces the strictest incident reporting timelines of any EU regulation — stricter than NIS2 and stricter than GDPR. For major ICT-related incidents, the initial notification to the relevant financial authority must happen within 4 hours. This requires a pre-built, pre-tested reporting capability. You cannot assemble the process during an active incident.


What Is a Reportable DORA Incident?

Not every technical issue is a reportable DORA incident. The regulation distinguishes between:

  • Major incidents — must be reported to competent authorities
  • Significant cyber threats — should be notified on a voluntary basis

Criteria for a major incident (DORA Article 18):

A major incident is determined by assessing impact criteria. EBA's technical standards (RTS on ICT risk management) specify thresholds. Key indicators:

  • Clients and transactions affected: Number of clients or financial transactions impacted (absolute or as a % of total)
  • Duration: How long services are disrupted or impaired
  • Geographical spread: Whether the impact crosses EU member state borders
  • Data integrity: Loss, alteration, or unavailability of data
  • Reputational impact: Risk of significant media coverage
  • Systemic importance: Whether the incident affects critical payment infrastructure

Specific thresholds for different financial entity types are set in EBA/ESMA/EIOPA regulatory technical standards. The relevant standard for your entity type determines the exact numeric thresholds.


The Three-Stage DORA Reporting Process

Stage 1: Initial Notification — Within 4 Hours

Within 4 hours of classifying an incident as major (and within 4 hours of the incident being detected if classification is clear):

  • Submit an initial notification to your relevant competent authority
  • This notification is brief: it establishes that a major incident has occurred and triggers the regulatory response
  • Content: incident type, approximate time of occurrence, initial assessment of impact category, whether the incident is ongoing or resolved, whether the entity suspects it is malicious

Recipients: The relevant competent authority (EBA-supervised entities report to EBA; entities supervised by national competent authorities report to them). For cross-border incidents, coordinate with the authorities in the affected member states.

This 4-hour window is tight. You must have a pre-established relationship with the reporting authority and a pre-populated notification template that can be completed quickly.

Stage 2: Intermediate Report — Within 72 Hours

Within 72 hours of the initial notification, submit an intermediate report:

  • Updated assessment of the incident
  • Impact scope — number of clients, transactions, affected geographies
  • Root cause analysis progress
  • Actions taken so far
  • Whether the incident is resolved or ongoing

Stage 3: Final Report — Within One Month

Within one month of the final resolution of the incident:

  • Complete technical description of the incident
  • Root cause analysis
  • All measures implemented in response
  • Cross-border impact assessment (if applicable)
  • Improvements made to prevent recurrence

Cyber Threat Voluntary Notification

In addition to mandatory incident reporting, DORA encourages (but does not require) financial entities to notify competent authorities of significant cyber threats — situations where a major incident has not occurred but there is a credible threat that could lead to one.

This voluntary notification enables authorities to share threat intelligence and help other financial entities prepare. The information can be shared at the entity's discretion with anonymisation.


What Your Incident Reporting Process Needs

To meet DORA's reporting timelines, your process must:

1. Enable rapid incident classification

  • Pre-defined criteria for "major incident" aligned to EBA/ESMA RTS thresholds
  • A decision matrix that can be applied within minutes of an incident being detected
  • Named person with authority to make the major incident determination

2. Pre-populated notification templates

  • Initial notification template ready to complete — EBA/ESMA publish standard formats
  • Contact details for the reporting authority saved in an accessible location (including if primary IT systems are compromised)

3. Out-of-band communication

  • Phone numbers and email contacts for the relevant authority
  • A channel for submitting the notification that does not depend on compromised systems

4. Incident documentation system

  • Real-time incident log starting from initial detection
  • Timeline of events, decisions, and actions
  • This log populates the intermediate and final reports

DORA vs GDPR Incident Reporting: Dual Obligations

An ICT incident may trigger both DORA and GDPR reporting obligations:

Regulation           | Trigger              | Recipient                     | Stage 1 deadline
---------------------|----------------------|-------------------------------|-----------------
DORA                 | Major ICT incident   | Competent financial authority | 4 hours
GDPR                 | Personal data breach | Supervisory DPA               | 72 hours
NIS2 (if applicable) | Significant incident | National CSIRT                | 24 hours

When a cyberattack disrupts services and compromises customer data, all three may apply simultaneously. Coordinate the notifications — they go to different authorities — but ensure the DORA 4-hour deadline drives the immediate response.
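As an added illustration (not from this page or from ComplyOne): a small Python model of the classification decision matrix from point 1 of the process checklist above and of the deadline clocks for the three DORA stages alongside the parallel GDPR and NIS2 clocks, returning the earliest pending deadline so it can drive the response. The numeric thresholds, the "any single criterion over threshold is major" rule, and starting the GDPR/NIS2 clocks from detection are assumptions for illustration; "one month" is approximated as 30 days.

```python
from datetime import datetime, timedelta

# Constructed placeholder thresholds; the RTS for your entity type sets the real ones.
MAJOR_THRESHOLDS = {"clients_pct": 10.0, "duration_hours": 2.0}

def classify_major(clients_pct, duration_hours, cross_border,
                   data_integrity_loss, critical_infrastructure):
    """Decision matrix over the impact criteria listed above. Assumed rule (not
    from the page): one criterion over threshold is enough to make it major."""
    hits = []
    if clients_pct >= MAJOR_THRESHOLDS["clients_pct"]:
        hits.append("clients_and_transactions")
    if duration_hours >= MAJOR_THRESHOLDS["duration_hours"]:
        hits.append("duration")
    if cross_border:
        hits.append("geographical_spread")
    if data_integrity_loss:
        hits.append("data_integrity")
    if critical_infrastructure:
        hits.append("systemic_importance")
    return (bool(hits), hits)

def reporting_deadlines(detected, classified, initial_sent=None, resolved=None):
    """DORA clocks start from the event the text names (classification, initial
    notification, resolution). GDPR 72h and NIS2 24h are started from detection
    here, an assumption for illustration; 'one month' is taken as 30 days."""
    deadlines = {
        "dora_initial": classified + timedelta(hours=4),
        "nis2_early_warning": detected + timedelta(hours=24),
        "gdpr_notification": detected + timedelta(hours=72),
    }
    if initial_sent is not None:
        deadlines["dora_intermediate"] = initial_sent + timedelta(hours=72)
    if resolved is not None:
        deadlines["dora_final"] = resolved + timedelta(days=30)
    return deadlines

def next_deadline(deadlines, now):
    """Earliest deadline still ahead of `now`: the one that drives the response."""
    pending = {k: v for k, v in deadlines.items() if v > now}
    return min(pending.items(), key=lambda kv: kv[1]) if pending else None

def demo():
    """Constructed sample incident: detected 09:00, classified major at 09:30."""
    detected = datetime(2026, 6, 24, 9, 0)
    deadlines = reporting_deadlines(detected, detected + timedelta(minutes=30))
    return {"classification": classify_major(12.0, 0.5, False, False, False),
            "deadlines": deadlines, "next": next_deadline(deadlines, detected)}
```

Once the initial notification and the resolution timestamps are known, pass them as `initial_sent` and `resolved` to add the intermediate and final report deadlines to the same schedule.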

ComplyOne maps your DORA obligations, tracks your readiness across all five pillars, and maintains your audit evidence.
