For financial entities subject to DORA, major ICT-related incidents are reported to the competent financial authority (national financial supervisor). The reporting follows a structured timeline: an initial notification within four hours of classifying the incident as major (or within 24 hours of becoming aware of the incident, whichever is earlier), an intermediate report within 72 hours, and a final report within one month.
DORA’s four-hour deadline is the most aggressive of all applicable regimes and drives the operational cadence of incident response. The initial notification requires the incident classification under Article 18’s criteria and the financial impact assessment. Pre-drafted templates reduce preparation time. Content must be consistent with any parallel reports to other authorities; contradictory statements create legal exposure.
If the system is not subject to DORA (because the deploying entity is not a financial entity), this article is documented as not applicable.
Key outputs
- DORA reporting stream (4h/72h/1mo) to financial supervisor
- Pre-drafted templates with financial-sector-specific fields
- Content consistency with parallel reporting streams
- Module 9 AISDP documentation