At the triage stage of any cybersecurity incident, a multi-regime decision tree is activated. Four questions are answered in sequence. Does the incident meet DORA’s major ICT-related incident criteria? If yes, the four-hour clock starts. Does it meet NIS2’s significant incident criteria? If yes, the 24-hour clock starts. Does it involve an actively exploited vulnerability in a CRA-scoped product? If yes, the CRA 24-hour clock starts. Does it meet Article 3(49)’s serious incident definition? If yes, the applicable Article 73 clock starts (2, 10, or 15 days depending on severity).
The triage process classifies the incident across four dimensions: the nature of the incident, whether model-related, data-related, infrastructure-related, or human-oversight-related (determining the response team composition); the severity (determining the escalation path); the affected regime(s) (determining the reporting obligations); and the fundamental rights dimension (determining whether Article 73 applies even when reporting under another regime already covers the event). This multi-dimensional triage should be rehearsed through tabletop exercises at least annually.
A shared incident fact sheet is prepared immediately, containing fields common to all regimes. Regime-specific annexes are attached as each reporting deadline approaches. The incident management platform should support tagging incidents with applicable regimes and tracking each regime’s deadline independently.
Key outputs
- Multi-regime decision tree activated at triage
- Four-question sequential regime assessment
- Shared fact sheet with regime-specific annexes
- Module 9 and Module 12 AISDP documentation