
DORA Incident Reporting Requirements & Timeline – A Guide

On October 23rd 2024 the European Commission (EC) adopted two new regulatory and implementing technical standards (RTS/ITS) under the Digital Operational Resilience Act (DORA). These provide an outline for ‘DORA Incident Reporting’ and detail the content of reports and the time limits for reporting major ICT-related incidents.

Summary of Incident Reporting Requirements Under DORA

As detailed in the RTS, firms must adhere to harmonised requirements for reporting major ICT-related incidents to relevant authorities, as outlined in the Digital Operational Resilience Act (DORA). Key obligations include:

1. Prompt Notifications:

  • Initial Notification: Financial entities must notify authorities as soon as possible, but no later than four hours after classifying an ICT incident as major, and within 24 hours of awareness.
  • Intermediate Report: Due within 72 hours of the initial notification, it provides updated details, even if there are no changes to the incident’s status.
  • Final Report: To be submitted within one month after the intermediate report, including root cause analysis, resolution details, and impact assessment.

2. Content Requirements:

  • Reports must contain specified data, including the type of incident, affected areas, detection time, impact, and actions taken for resolution.
  • Voluntary reporting of significant cyber threats requires a reduced scope of information.

3. Flexibility & Proportionality:

  • Reporting timeframes account for weekends, holidays, and the specific nature of financial entities (e.g., microenterprises may receive adjusted obligations).
  • Authorities may adjust reporting obligations for entities deemed systemically important.

4. Data Protection:

  • All incident reporting must comply with relevant data protection regulations.

The aim is to ensure the timely communication of major ICT incidents, balanced with firms’ ability to manage and resolve crises effectively.

Reporting of ICT-related Incidents

1. Utilise the Standardised Reporting Template

To streamline communication and ensure consistency, all financial entities must use the standardised reporting template outlined in the regulation. This template must be applied across the initial notification, intermediate report, and final report stages. Here’s how to approach it:

  • Initial Notification: Provide all mandatory fields as specified, with the option to fill in additional details if available for later stages.
  • Intermediate Report: Continue updating the data fields, including any new or corrected information.
  • Final Report: Ensure comprehensive reporting by completing all data fields, reflecting the incident’s resolution and analysis.

For firms not using Adoptech’s workflow to generate the reports, the standardised template is available to download.

2. Be Ready to Update Information

Incident reporting isn’t static. As a situation evolves, so does the available data. Entities must update information submitted in previous reports when providing intermediate or final updates. This flexibility ensures accurate, up-to-date details and allows for the reclassification of incidents from “major” to “non-major” if warranted after further review.

3. Handling Recurring or Aggregated Incidents

Sometimes, smaller, recurring incidents can collectively meet the criteria for a major incident. In such cases, report these incidents in an aggregated form, providing a holistic view of their cumulative impact. If a third-party ICT service provider causes an incident affecting multiple entities, a consolidated report can be submitted, provided:

  • The incident is classified as major by all affected entities.
  • Reporting covers financial entities within a single Member State under the same authority.
  • Competent authorities have given explicit approval for aggregated reporting.

4. Outsourcing Reporting Obligations? Keep Authorities Informed

If you outsource your incident reporting obligations to a third party, you must inform your competent authority about this arrangement prior to the first submission. Provide details such as the third-party’s name and contact information. This ensures transparency and the legitimacy of the reporting party.

5. Secure Channels for Submission

Security and confidentiality are paramount. Use the secure electronic channels provided by your competent authority to submit all reports. If circumstances prevent this, notify the authority and agree on an alternative secure method until you can use the standard channel again.

6. Flexibility in Combining Reports

In certain situations where operations have stabilised or a root cause analysis is completed, entities may combine the submission of initial, intermediate, and final reports. This can simplify processes, provided all relevant timelines are met.

7. Significant Cyber Threat Notifications

For significant cyber threats that don’t qualify as major incidents but require reporting, use the designated template and instructions. Ensure your submissions are complete and precise, following all specified data fields and definitions.

Conclusion

Effective reporting of ICT-related incidents isn’t just a regulatory requirement—it’s a vital practice for maintaining trust, transparency, and security within the financial ecosystem. By adhering to these structured steps and updating your reports as situations evolve, you can ensure regulatory compliance while minimising risks and maximising operational resilience.

How can Adoptech help you comply with DORA successfully?

Adoptech brings together a unique blend of skills, with our founders experienced in Financial Services, RegTech, Fintech and information security. We understand the requirements of DORA, its implications and how a blend of automation and expertise can help financial entities and their suppliers achieve and maintain compliance. 

We offer extensive expertise in compliance, information security, operational resilience and third-party risk management. Our expert team offers comprehensive solutions to help companies navigate the complexities of DORA implementation and establish robust frameworks for ongoing compliance and resilience.

Create, automate and monitor compliance

We can help you to create and automate the policies and processes you will need to comply with DORA, including:

Register of Information

Maintain your technology supplier register with ease. We’ve removed the complexity so you can export the data in DORA’s complex “Register of Information” format in seconds.

Invite your suppliers to maintain and share their Register Of Information with you and automatically gain a picture of your supply chain with no need to manually maintain the supplier data.

Risk & Control Tracking

Capture risks and automatically link controls and policies. Divide responsibility and track compliance against DORA’s ~400 rules that have been mapped out with guidance and can be directly tracked back to the legislation and technical standards.

Automated Compliance Management

Remove manual compliance checks by using our API integrations to run ongoing tests to confirm compliance with DORA controls. Tests can be set up for everything from employee background checks being completed to data being encrypted at rest.

Automated Document Management

Generate, track and share the 50 DORA aligned documents, policies, and reports through our centralised platform.

DORA Accredited

Adoptech’s DORA accreditation scheme is designed to show an organisation has a DORA compliant risk management framework in place. Self-certification and independent accreditation options are available.

Evidence compliance with DORA Accreditation and Audit Report

Demonstrate your organisation’s commitment to DORA compliance with an independent DORA Audit Report. Experienced independent auditors evaluate your controls and operational resilience, producing a detailed report that sets out your firm’s level of compliance with DORA’s standards. Such reports are essential for building trust with clients and demonstrating compliance to the Board and the regulators.

Avoid Costly Fines: Non-compliance can result in fines of up to 1% of average daily worldwide turnover per day until compliance is achieved—up to six months. Completing a DORA audit ensures you’re not only compliant but also prepared for potential disruptions.
