Today marks the effective date of the Digital Operational Resilience Act (DORA) and with it, additional incident reporting obligations for in-scope financial entities. 

With the aim of standardising the incident reporting process for financial entities throughout the EU, from today in-scope financial entities must report any ‘major ICT-related incidents’ to their relevant competent authority.[1] For the majority of financial entities within the scope of DORA in Ireland, this will be the Central Bank of Ireland, while for others (such as pensions trustees) it will be the Pensions Authority. These new incident reporting obligations apply in addition to the ICT risk management obligations introduced by DORA.

In this article, we set out what constitutes a reportable incident to both competent authorities and clients and the timeframes for making reports.

What is a major ICT-related incident?

DORA characterises a ‘major ICT-related incident’ as an event or series of events, unplanned by the financial entity, which compromises the security of its network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

When classifying and determining the impact of an ICT-related incident, Article 18(1) of DORA requires financial entities to base their assessments on a set of overarching criteria, including (among other things) the critical nature of the services, reputational impact, data losses and geographical spread. Commission Delegated Regulation (EU) 2024/1772[2] then sets out a set of non-exhaustive materiality thresholds for each of the classification categories.

At a high level, an incident will be considered a major incident where it has affected critical services and:

  1. malicious activity: there has been any successful, malicious and unauthorised access to network and information systems which may result in data losses; and
  2. two or more of the following are met:
    1. clients, financial counterparts and transactions: any of the following occur:
      1. the number of affected clients is higher than 10% of all clients using the service;
      2. the number of affected clients using the service is higher than 100,000;
      3. the number of affected financial counterparts is higher than 30% of all financial counterparts carrying out activities related to the provision of the service; 
      4. the number of affected transactions is higher than 10% of the daily average number of transactions carried out by the financial entity related to the service;
      5. the value of affected transactions is higher than 10% of the daily average value of transactions carried out by the financial entity related to the service; or
      6. certain clients or financial counterparts identified in the RTS (the regulatory technical standards in Commission Delegated Regulation (EU) 2024/1772) have been affected.
    2. reputational impact: any of the following occur:
      1. the incident has been reflected in the media; 
      2. the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; 
      3. the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; or 
      4. the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. 
    3. duration and service downtime: either:
      1. the duration of the incident is longer than 24 hours; or 
      2. the service downtime is longer than 2 hours for ICT services that support critical or important functions. 
    4. geographical spread: if the incident has an impact in two or more Member States. 
    5. data losses: there is any impact on the availability, authenticity, integrity or confidentiality of data which has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements.
    6. economic impact: the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed €100,000. 

When do reports need to be made?

DORA requires that an initial report is made within 4 hours from the time the financial entity has classified the incident as major, and no later than 24 hours from the time the financial entity becomes aware of the incident. The Central Bank of Ireland has released information on how reports should be made, via its portal. 

An intermediate report must then be provided within 72 hours of the submission of the initial notification, with further updates to be provided every time a relevant status update is available.

A final report must then be provided when the root cause analysis has been completed and, in any event, no later than one month from the submission of the latest intermediate report. 
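The classification test and the reporting clock described above lend themselves to a small triage helper that an incident response team can drop into a playbook. The code below is an added illustration, not part of the article and not published by DORA, the Central Bank of Ireland or the Pensions Authority. It encodes the six criteria and their thresholds as the article lists them, then computes the initial, intermediate and final report deadlines. The field names, the sample incident and the dates are constructed for the example; the combination rule (critical services, malicious access, and two or more criteria) follows the article's wording, so confirm it against the RTS text in Commission Delegated Regulation (EU) 2024/1772 before relying on it operationally.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import calendar


# Constructed data model: one field per fact the article's classification test asks about.
@dataclass
class IncidentFacts:
    affects_critical_services: bool
    malicious_unauthorised_access: bool   # successful, malicious, unauthorised access that may cause data loss
    affected_clients: int = 0
    total_clients: int = 0
    affected_counterparts: int = 0
    total_counterparts: int = 0
    affected_tx_count: int = 0
    daily_avg_tx_count: int = 0
    affected_tx_value: float = 0.0
    daily_avg_tx_value: float = 0.0
    identified_clients_affected: bool = False   # clients/counterparts specifically identified in the RTS
    media_coverage: bool = False
    repetitive_complaints: bool = False
    regulatory_compliance_at_risk: bool = False
    likely_loss_of_clients: bool = False
    incident_duration: timedelta = timedelta(0)
    critical_service_downtime: timedelta = timedelta(0)
    member_states_affected: int = 1
    data_loss_with_adverse_impact: bool = False
    estimated_cost_eur: float = 0.0


def share_exceeds(part: float, whole: float, threshold: float) -> bool:
    """True when part/whole is above threshold; an unknown (zero) denominator never trips a threshold."""
    return whole > 0 and part / whole > threshold


def criteria_met(f: IncidentFacts) -> list:
    """Return the names of the six classification criteria that the facts satisfy."""
    met = []
    if (share_exceeds(f.affected_clients, f.total_clients, 0.10)
            or f.affected_clients > 100_000
            or share_exceeds(f.affected_counterparts, f.total_counterparts, 0.30)
            or share_exceeds(f.affected_tx_count, f.daily_avg_tx_count, 0.10)
            or share_exceeds(f.affected_tx_value, f.daily_avg_tx_value, 0.10)
            or f.identified_clients_affected):
        met.append("clients, financial counterparts and transactions")
    if (f.media_coverage or f.repetitive_complaints
            or f.regulatory_compliance_at_risk or f.likely_loss_of_clients):
        met.append("reputational impact")
    if f.incident_duration > timedelta(hours=24) or f.critical_service_downtime > timedelta(hours=2):
        met.append("duration and service downtime")
    if f.member_states_affected >= 2:
        met.append("geographical spread")
    if f.data_loss_with_adverse_impact:
        met.append("data losses")
    if f.estimated_cost_eur > 100_000:
        met.append("economic impact")
    return met


def is_major_incident(f: IncidentFacts) -> tuple:
    """Combination rule as the article words it: critical services affected, malicious
    unauthorised access, and two or more of the six criteria. Verify against the RTS."""
    met = criteria_met(f)
    major = f.affects_critical_services and f.malicious_unauthorised_access and len(met) >= 2
    return major, met


def plus_one_month(dt: datetime) -> datetime:
    """Calendar-month addition, clamping the day to the target month (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def initial_report_deadline(aware_at: datetime, classified_major_at: datetime) -> datetime:
    """4 hours from classification as major, but never later than 24 hours from awareness."""
    return min(classified_major_at + timedelta(hours=4), aware_at + timedelta(hours=24))


def intermediate_report_deadline(initial_submitted_at: datetime) -> datetime:
    """72 hours from submission of the initial notification."""
    return initial_submitted_at + timedelta(hours=72)


def final_report_deadline(latest_intermediate_at: datetime,
                          root_cause_completed_at: Optional[datetime] = None) -> datetime:
    """Due when root cause analysis completes, and in any event within one month of the latest intermediate report."""
    cap = plus_one_month(latest_intermediate_at)
    return min(root_cause_completed_at, cap) if root_cause_completed_at else cap


if __name__ == "__main__":
    # Constructed scenario: intrusion on a payment service; every value here is invented.
    facts = IncidentFacts(affects_critical_services=True, malicious_unauthorised_access=True,
                          affected_clients=12_000, total_clients=100_000,
                          critical_service_downtime=timedelta(hours=3), estimated_cost_eur=250_000)
    major, met = is_major_incident(facts)
    print("major:", major, "criteria met:", met)
    aware, classified = datetime(2025, 1, 17, 9, 0), datetime(2025, 1, 17, 20, 0)
    print("initial report due:", initial_report_deadline(aware, classified))
```

The deadline functions take the earlier of the two applicable limits on purpose: a late classification does not extend the 24-hour ceiling measured from awareness, and a finished root cause analysis does not wait for the one-month cap. A zero denominator (total clients or daily averages not yet known) deliberately fails the percentage tests rather than raising, so a partially populated incident record still produces a classification that can be re-run as figures arrive.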

When must clients be notified?

DORA also introduces requirements for in-scope financial entities to inform their clients when a major ICT-related incident occurs which has an impact on their financial interests. Notifications of this kind are required to be made without undue delay as soon as the financial entity becomes aware of the relevant incident, and must include information on the incident itself as well as any measures which have been taken to mitigate the adverse effects of the incident.

Is it a requirement to notify competent authorities of cyber threats?

DORA also provides for the voluntary notification of cyber threats. A cyber threat is any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons. A cyber threat is considered significant for the purposes of DORA if its technical characteristics indicate that it could have the potential to result in a major ICT-related incident, or in a major operational or security payment-related incident with a high adverse impact on the payment-related services provided.

For more information about DORA incident reporting obligations, please get in touch with a member of our team.

  1. Article 19(1) of DORA. ↩︎
  2. Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents. ↩︎