DORA Article 19: ICT Incident Reporting Classification Guide

DORA Article 19, effective January 2025: 4-hour initial, 72-hour intermediate, 1-month final. Build a compliant ICT incident pipeline or face major fines.
Frequently Asked Questions
- Financial entities submit the initial notification to their National Competent Authority, typically the national banking, insurance, or securities regulator in the entity's home member state. The NCA then immediately transmits the report to the relevant European Supervisory Authority: EBA for credit institutions and payment firms, ESMA for investment firms and crypto-asset service providers, or EIOPA for insurance undertakings. Significant credit institutions additionally route notifications to the ECB through their NCA.
- Non-compliance with DORA incident reporting obligations, including Article 19, can result in administrative penalties up to 2 percent of total annual worldwide turnover or 1 percent of average daily worldwide turnover. In cases involving natural persons or where turnover-based calculations are not applicable, fines can reach 10 million euros. National competent authorities may also impose temporary prohibitions on management and require public disclosure of violations.
- Commission Delegated Regulation EU 2024/1772 specifies six classification criteria derived from DORA Article 18: client and counterparty impact, data compromise including personal data loss, service downtime duration exceeding two hours for critical functions, geographic spread across two or more EU Member States, disruption to critical or important functions, and direct financial loss. An incident must breach the materiality thresholds of at least two criteria and must affect a critical or important function to qualify as major.
- Article 19 mandates a three-stage reporting sequence. The initial notification must reach the National Competent Authority within 4 hours of classifying the incident as major and no later than 24 hours after first awareness. The intermediate report follows within 72 hours of initial notification and must reflect the latest containment and impact status. The final report is due no later than one month after the last intermediate report, containing root cause analysis, confirmed financial impact, and corrective action taken.
- DORA applies to 20 categories of financial entities operating in the EU, including credit institutions, payment institutions, insurance and reinsurance undertakings, investment firms, crypto-asset service providers, and central counterparties. Microenterprises with fewer than 10 employees and turnover below 2 million euros receive a simplified framework but are not fully exempt from incident reporting obligations under Article 19.
