Cybersecurity

Incident Reporting

The obligation under DORA and NIS2 for regulated entities to detect, classify, and report significant cybersecurity and ICT-related incidents to the relevant competent authorities within prescribed timeframes.

Full Definition

Incident reporting is a critical compliance obligation under both DORA and the NIS2 Directive, designed to ensure that competent authorities maintain situational awareness of cyber threats and can coordinate responses to large-scale incidents. Both frameworks establish structured notification procedures with strict timelines.

Under DORA (Articles 17-23), financial entities must classify ICT-related incidents based on criteria including the number of clients affected, duration, geographical spread, data losses, criticality of services impacted, and economic impact. Major ICT-related incidents must be reported to the relevant competent authority using a three-stage notification process: an initial notification within 4 hours of classification (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within one month.

NIS2 (Article 23) imposes a similar tiered reporting regime for essential and important entities. Significant incidents must be reported with an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours providing an initial assessment, and a final report within one month. For incidents with cross-border impact, the national CSIRT or competent authority must also inform other affected Member States and ENISA.

Both regulations emphasize the importance of having robust internal processes for incident detection and classification. Entities must maintain the capacity to identify incidents promptly, assess their severity, and escalate appropriately. The harmonisation of incident reporting across DORA and NIS2 is an ongoing effort, with the European Commission working to align templates and procedures to reduce the reporting burden on entities subject to both frameworks.
