DORA Incident Reporting — Timelines, Classification, and Requirements

Under DORA Article 19, financial entities must submit an initial notification within 4 hours of classifying a major ICT-related incident, an intermediate report within 72 hours, and a final report within one month. The classification criteria, reporting content, and templates are defined in three delegated acts: RTS 2024/1772 (classification), RTS 2025/301 (reporting content), and ITS 2025/302 (templates).

The Problem

DORA incident reporting is the most operationally urgent requirement in the regulation. Once an ICT incident is classified as major, you have 4 hours to send the first notification, so there is no time to be reading EUR-Lex. Teams need the reporting timeline, classification criteria, and required content memorized or instantly accessible.

The detailed requirements are spread across four legal texts: Articles 17-23 of the base regulation (2022/2554), RTS 2024/1772 for classification criteria, RTS 2025/301 for reporting content, and ITS 2025/302 for standardized templates. Cross-referencing these during a live incident is not realistic.

The Reporting Timeline

| Step | Deadline | Content Required | Legal Basis |
|------|----------|-----------------|-------------|
| Detection | — | Identify and log the ICT-related incident | Article 17 |
| Classification | Without undue delay | Classify as major or non-major per RTS criteria | Article 18, RTS 2024/1772 |
| Initial notification | 4 hours after classification | Basic facts, impact assessment, initial root cause | Article 19(4)(a), RTS 2025/301 |
| Intermediate report | 72 hours after classification | Updated impact, root cause analysis, recovery status | Article 19(4)(b), RTS 2025/301 |
| Final report | 1 month after classification | Full root cause, total impact, remediation measures, lessons learned | Article 19(4)(c), RTS 2025/301 |

If significant new information emerges after the final report, updated information must be submitted to the competent authority.

Classification Criteria (RTS 2024/1772)

An ICT-related incident is classified as major if it meets thresholds on these criteria:

| Criterion | Examples |
|-----------|---------|
| Clients affected | Number of clients and counterparties impacted |
| Data impact | Integrity, confidentiality, or availability of data compromised |
| Critical services affected | Impact on critical or important functions |
| Economic impact | Direct and indirect costs, financial losses |
| Geographic spread | Cross-border impact across member states |
| Duration | How long the incident lasts or service is disrupted |

The specific thresholds are defined in RTS 2024/1772. An incident meeting the threshold on any single criterion qualifies as major and triggers the mandatory reporting timeline.

How Gibs Helps

Gibs indexes all 64 DORA articles plus all 12 delegated acts — 641 chunks total, scoring 90% accuracy on an expert-curated evaluation dataset. During a live incident, you can query specific reporting requirements and get cited answers in seconds.

```python
import gibs

client = gibs.Client(api_key="sk-gibs-...")

# Quick reference during an incident
result = client.check(
    question="What information must be included in the DORA initial incident notification?",
    regulations=["dora"]
)

print(result.answer)
# "Under Article 19(4)(a), the initial notification must include:
#  a description of the incident, the classification criteria met,
#  the impact on the financial entity and its clients, the actions
#  taken and planned, and the estimated recovery time..."

print(result.sources)
# ["Article 19(4)(a)", "RTS 2025/301 Article 2"]

# Check classification criteria
result = client.check(
    question="When is an ICT incident classified as major under DORA?",
    regulations=["dora"]
)

print(result.sources)
# ["Article 18", "RTS 2024/1772 Article 4", "RTS 2024/1772 Article 5"]
```

All responses cite both the parent DORA articles and the specific delegated act provisions with their CELEX numbers.

Voluntary Notification of Significant Cyber Threats

Article 19(2) also allows financial entities to voluntarily notify competent authorities about significant cyber threats that have not yet materialized into incidents. This is separate from the mandatory incident reporting but uses the same reporting channels. While not mandatory, this sharing mechanism is encouraged to strengthen the financial sector's collective resilience.

Who This Is For

Try It Now

Free tier: 50 requests per month, no credit card required.

```bash
curl -X POST https://api.gibs.dev/v1/check \
  -H "Authorization: Bearer sk-gibs-..." \
  -H "Content-Type: application/json" \
  -d '{"question": "What is the DORA incident reporting timeline?", "regulations": ["dora"]}'
```


FAQ

What happens if I miss the 4-hour DORA reporting deadline?

Failure to report within DORA timelines is a compliance breach. Competent authorities can impose administrative penalties and remedial measures under the supervisory powers defined in DORA. The specific penalties vary by member state and are determined by national competent authorities under Articles 50-51.

Does DORA incident reporting overlap with GDPR breach notification?

Yes. If an ICT incident involves personal data, both DORA Article 19 (incident reporting to financial supervisory authorities) and GDPR Article 33 (breach notification to data protection authorities within 72 hours) may apply. The two notifications go to different authorities with different content requirements. Gibs supports cross-regulation queries and returns cited answers from both regulations in a single response, with clear attribution of which obligation comes from which regulation.

Do all ICT incidents need to be reported?

No. Only major ICT-related incidents require reporting to competent authorities. Non-major incidents must be logged and monitored internally under Article 17. The classification criteria in RTS 2024/1772 define the thresholds that distinguish major from non-major incidents. An incident meeting the threshold on any single criterion qualifies as major.

What is the ITS incident reporting template?

ITS 2025/302 provides standardized templates for initial notifications, intermediate reports, and final reports. Financial entities must use these templates when reporting to competent authorities. The templates ensure consistent reporting across the EU financial sector and are designed to capture all the information required by RTS 2025/301.

Can I also report significant cyber threats?

Yes. Article 19(2) allows voluntary notification of significant cyber threats to competent authorities. While not mandatory, this sharing mechanism is part of DORA's broader objective of strengthening digital operational resilience across the financial sector through collective intelligence sharing.

How does Gibs help during an actual incident?

Gibs provides instant, cited answers to regulatory questions about incident reporting requirements. During a live incident when the 4-hour clock is ticking, being able to quickly confirm what information is required, which delegated act defines the template, or how to classify the incident saves critical time. Every response cites both the parent DORA article and the specific delegated act provision, so your reporting team can trace every requirement to its legal basis.

How current is the DORA corpus?

The Gibs DORA corpus includes the base regulation (2022/2554) and all 12 delegated acts adopted through February 2026. The corpus contains 641 indexed chunks and is version-tracked — every API response includes the corpus version used to generate the answer. When new delegated acts or amendments are adopted, the corpus is updated, re-evaluated against the expert-curated dataset, and redeployed.

Last updated: 2026-02-19