DORA Article 19 ICT Incident Reporting: Classification

Frequently Asked Questions

01.What is the difference between an ICT incident and a major ICT incident under DORA Article 19?

Under DORA Article 19, an ICT incident is any unplanned event that disrupts ICT services or compromises data security. A major ICT incident meets one or more EBA RTS severity thresholds, for example a client impact exceeding one in ten clients or service unavailability exceeding 2 hours for critical systems, and triggers mandatory notification to competent authorities within 4 hours of classification.

02.What are the DORA Article 19 reporting deadlines for major ICT incidents?

DORA Article 19 sets three reporting deadlines. The initial notification must reach the competent authority within 4 hours of classifying an incident as major, and no later than 24 hours after first becoming aware. An intermediate report is required within 72 hours of the initial notification. A final report must be submitted within one month of the initial notification, detailing root cause, impact scope, and remediation steps taken.

03.Which financial entities are in scope for DORA Article 19 ICT incident reporting?

DORA Article 19 applies to all financial entities defined in Article 2 of Regulation EU 2022/2554, including credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central counterparties, trade repositories, and insurance undertakings operating within the EU. Micro-enterprises with fewer than 10 employees and annual turnover below EUR 2 million are exempt from certain provisions but retain baseline incident reporting obligations.