Art. 18

ICT Incident Classification Criteria

Art. 18 of DORA establishes the framework for classifying ICT-related incidents. The detailed classification criteria are set out in Commission Delegated Regulation (CDR) 2024/1772, which defines what separates a minor ICT incident from a major one that triggers mandatory reporting to the NCA.

Classification is based on multiple criteria that assess the severity and impact of the incident. These criteria are designed to be objective and measurable, reducing the risk of inconsistent classification across the sector.

1
Clients Affected
CDR 2024/1772 — Impact on clients

The number of clients affected by the incident is a primary classification criterion. An incident is more likely to be classified as major if it affects more than 10% of the entity's total client base, or more than 100,000 clients in absolute terms. Both direct clients (who experience service disruption) and indirect clients (whose data or transactions are affected) are counted.

2
Service Downtime
CDR 2024/1772 — Duration of disruption

The duration of service disruption contributes to the classification. Incidents that cause downtime exceeding the entity's defined tolerance levels, or that affect services for more than 2 hours during peak operating periods, are more likely to meet the major incident threshold. The clock starts from when the service first became unavailable or degraded, not from when the incident was detected.

3
Data Loss or Integrity
CDR 2024/1772 — Data impact

Incidents involving data loss, data corruption, or unauthorised access to data carry additional weight in the classification. The sensitivity of the data affected (personal data, financial data, confidential business data), the volume of records compromised, and whether the data can be recovered are all relevant factors. Any incident involving confirmed data breach may trigger parallel reporting obligations under GDPR.

4
Geographic Spread and Economic Impact
CDR 2024/1772 — Cross-border and financial criteria

Incidents that affect operations or clients across more than two EU member states, or that have an economic impact exceeding defined monetary thresholds, receive additional classification weight. The economic impact includes both direct costs (remediation, fines, compensation) and indirect costs (reputational damage, lost revenue). Impact on critical or important functions also elevates the classification.

Classification threshold: An incident is classified as major when it meets or exceeds thresholds across at least two of the criteria above, or one criterion by a significant margin. Entities must have documented procedures for applying these criteria consistently. The classification decision must be documented and defensible. For a broader view of DORA compliance, see our complete guide.
RTS criteria

Major Incident Thresholds

The Regulatory Technical Standards accompanying DORA provide specific quantitative thresholds that help entities determine when an incident crosses from significant to major. While the full threshold tables are detailed in CDR 2024/1772, the key principles are designed to be applied quickly during an active incident.

The classification must happen rapidly because it triggers the 4-hour reporting clock. This means the classification criteria and thresholds must be embedded in your incident response procedures, not looked up during an event. Your incident management team should be trained to apply the criteria and make a classification decision within the first hour of an incident being detected.

Entities should maintain pre-calculated reference values for percentage-based thresholds. For example, knowing that 10% of your client base equals a specific number means you can assess the client impact criterion immediately when an incident occurs, rather than needing to calculate it under pressure.

Where an incident initially appears to be below the major threshold but subsequently worsens, the classification must be reassessed. If the incident is reclassified as major after initially being categorised as non-major, the 4-hour reporting clock starts from the point of reclassification. This means ongoing monitoring and reassessment during the incident lifecycle is essential.

Art. 19

Reporting Timelines

Once an incident is classified as major, DORA triggers a structured three-stage reporting process. The timelines are strict and begin automatically from the classification decision. Missing these deadlines is a compliance failure that NCAs will note.

Within 4 hours of classification
Critical deadline
Initial Notification
The initial notification must be filed with the NCA within 4 hours of the entity classifying the incident as major, and in any case no later than 24 hours after the incident was first detected. This report provides the basic facts: what happened, when, which services and functions are affected, the estimated number of clients impacted, and the initial severity assessment. It does not require a root cause analysis at this stage.
Within 72 hours of initial notification
Intermediate deadline
Intermediate Report
The intermediate report must be submitted within 72 hours of the initial notification. It provides an updated and more detailed picture: refined impact assessment, preliminary root cause analysis, remediation actions taken and planned, updated client impact numbers, and any changes to the severity classification. If the incident is still ongoing, the report must describe the current state and expected resolution timeline.
Within 1 month of incident closure
Final deadline
Final Report
The final report must be submitted within one month of the incident being closed. It contains the complete root cause analysis, total impact assessment (clients, financial, operational), full timeline of events and actions, lessons learned, and remediation measures implemented to prevent recurrence. This report becomes part of the entity's audit record and may inform NCA supervisory actions.
ITS 2024/2956

ITS Reporting Templates

All incident reports submitted to NCAs must use the structured format defined in ITS 2024/2956. This means you cannot submit a free-form email or PDF. The report must follow a specific template with mandatory fields that the NCA's systems can process.

The ITS templates cover all three reporting stages (initial, intermediate, final) and include fields for incident identification, classification criteria met, impact metrics, affected services and functions, timeline of events, root cause, remediation actions, and client communication. The format supports both XML and JSON submission, depending on your NCA's requirements.

Having these templates pre-prepared is essential for meeting the 4-hour initial notification deadline. If your compliance team has to figure out the template format during a live incident, you will not meet the deadline. The templates should be pre-populated with standing data (entity details, NCA contact information, standard service descriptions) and ready to be completed with incident-specific details.

DORA GRC pre-populates ITS reporting templates directly from the incident record. When an incident is logged and classified, the initial notification template is automatically populated with the incident details, affected assets, linked functions, and provider information. The compliance team reviews and submits, rather than building the report from scratch.

Art. 17

Incident Management Process Requirements

Art. 17 requires financial entities to establish, implement, and maintain a documented ICT incident management process. This is not just about reporting to the NCA. It is about having a structured approach to detecting, classifying, responding to, and learning from ICT-related incidents.

Process Required Elements
Documented procedures for detecting, logging, and triaging ICT incidents, including automated monitoring and alerting Art. 17(1)
Classification framework aligned to CDR 2024/1772 criteria, with defined escalation paths for major incidents Art. 18
Defined roles and responsibilities for incident response, including who classifies, who reports, and who manages remediation Art. 17(2)
Communication procedures for notifying affected clients, counterparties, and relevant authorities during and after an incident Art. 17(3)
Post-incident review process that feeds lessons learned back into the ICT risk management framework and BCP plans Art. 17(4)
Incident register that records all ICT-related incidents (not just major ones), with classification, impact, and resolution details Art. 17(1)
Art. 19(2)

Voluntary Reporting of Significant Cyber Threats

In addition to mandatory incident reporting, DORA establishes a voluntary reporting mechanism for significant cyber threats under Art. 19(2). Financial entities may notify their NCA of cyber threats that they consider significant, even if the threat did not result in a major incident.

The purpose of voluntary threat reporting is to enable NCAs and the broader financial sector to build a more complete picture of the threat landscape. When multiple entities report similar threats, the NCA can issue sector-wide warnings and guidance. This collective intelligence function is a key part of DORA's approach to systemic resilience.

Voluntary threat notifications are not subject to the same strict timelines as mandatory incident reports, but they should be submitted promptly while the threat information is still actionable. The entity should provide details of the threat, how it was detected, what indicators of compromise were identified, and what defensive measures were taken.

While voluntary, NCAs are likely to view active participation in threat reporting favourably during supervisory reviews. It demonstrates a mature approach to ICT risk management and a commitment to sector-wide resilience. For more on how DORA's five pillars work together, see the DORA compliance guide. To assess your current readiness, try the free DORA assessment.

Platform

How DORA GRC Supports Incident Reporting

DORA GRC includes a complete incident management module designed around the Art. 17-23 requirements. Here is what that covers in practice.

CDR 2024/1772 Classification

The incident register classifies incidents using the CDR 2024/1772 criteria automatically. Enter the impact data (clients affected, downtime, data loss, geographic spread, economic impact) and the system applies the classification thresholds to determine whether the incident qualifies as major. The classification is logged and timestamped for audit purposes.

ITS Template Pre-Population

When an incident is classified as major, the ITS 2024/2956 reporting templates are automatically pre-populated from the incident record, linked assets, affected functions, and provider data. Export in XML or JSON format. The compliance team reviews and submits rather than building reports from scratch under time pressure.

Deadline Tracking

The 4-hour, 72-hour, and 1-month reporting deadlines are tracked automatically from the moment the incident is classified. Countdown timers and notifications ensure your team does not miss a deadline. The system records when each report was submitted, creating an audit trail that demonstrates compliance with Art. 19 timelines.

Cross-Pillar Linkage

Incidents are linked to ICT assets, critical functions, providers, and risks. When an incident is logged, you can see which function it affects, which provider is involved, what risks were previously identified, and whether BCP plans exist for the affected function. This cross-pillar visibility is essential for effective incident response and for completing the ITS templates accurately. See all features.

Frequently asked questions

Incident Reporting FAQ

What qualifies as a major ICT incident under DORA?
A major ICT incident under DORA is classified using criteria defined in Commission Delegated Regulation (CDR) 2024/1772. An incident is considered major if it meets or exceeds thresholds across criteria including: the number of clients affected (more than 10% of all clients or more than 100,000 clients), service downtime exceeding the entity's defined tolerance, data loss or integrity breach, geographic spread across more than two EU member states, and economic impact exceeding defined monetary thresholds. An incident generally needs to breach thresholds on at least two criteria, or one criterion by a significant margin, to be classified as major. The classification decision must be made quickly because it triggers the 4-hour reporting deadline.
What are the DORA incident reporting timelines?
DORA requires three reports for major ICT incidents. The initial notification must be filed with the NCA within 4 hours of classifying the incident as major, and no later than 24 hours after the incident was first detected. This provides the basic facts: what happened, which services are affected, and the estimated impact. The intermediate report follows within 72 hours of the initial notification, with updated impact data, preliminary root cause analysis, and remediation actions. The final report is due within one month of the incident being closed, containing the complete root cause analysis, total impact assessment, lessons learned, and measures to prevent recurrence. All reports must use the ITS 2024/2956 format.
What format must incident reports use?
DORA incident reports must be submitted in the structured format defined by Implementing Technical Standards (ITS) 2024/2956. The ITS specifies templates with mandatory fields covering incident identification, classification criteria met, impact assessment (clients, services, data), affected functions and assets, timeline of events, root cause analysis, remediation actions, and client communication. Reports can be submitted in XML or JSON format depending on your NCA's requirements. Free-form submissions (emails, PDFs, ad hoc formats) are not acceptable. Having pre-populated templates ready before an incident occurs is essential for meeting the 4-hour initial notification deadline.
Do I need to report cyber threats under DORA?
Reporting significant cyber threats is voluntary under Art. 19(2) of DORA. Financial entities may notify their NCA of cyber threats they consider significant, even if the threat did not result in a major incident. This voluntary mechanism helps build sector-wide threat intelligence. If a cyber threat does result in a major ICT incident, the standard mandatory reporting timelines apply (4 hours initial, 72 hours intermediate, 1 month final). While voluntary, NCAs are likely to view active participation in threat reporting favourably during supervisory reviews, as it demonstrates a mature and proactive approach to ICT risk management and contributes to collective financial sector resilience.