3. Incident Management and Reporting
The Digital Operational Resilience Act (DORA) provides a unified framework for ensuring ICT resilience within EU financial entities. A key component of compliance is incident management and reporting, which focuses on establishing robust mechanisms for identifying, managing, and reporting ICT-related incidents. This guide explores the requirements and best practices for incident management under DORA, while referencing related topics covered in other guides.

by Sylvan Ravinet

The StratOps way to accelerate DORA
This guide on Incident Management and Reporting can help you achieve DORA compliance. Faster. Part of my 12-capabilities cyber framework.
1. Overview of Incident Management and Reporting under DORA
Incident management under DORA aims to ensure that financial entities can:
  • Detect and respond to ICT-related incidents efficiently
  • Mitigate the impact of incidents on critical services
  • Ensure regulatory compliance by reporting major incidents to relevant authorities
Key regulatory sources:
  • DORA Regulation (EU 2022/2554): Articles 15-17 specifically cover incident management and reporting
  • RTS 2024/1772: Defines incident classification criteria and reporting requirements
  • RTS 2024/1774: Details incident detection and response requirements
2. Incident Classification Framework
2.1. Major Incident Criteria
Per RTS 2024/1772 Article 8, an incident is considered major when it meets either of the following conditions:
  • Impact on critical services AND materiality threshold for criticality, OR
  • Two or more materiality thresholds from other categories
2.2. Incident Categories
(Based on RTS 2024/1774)
By Source:
  • Internal System Failures
      ◦ Hardware malfunctions
      ◦ Software bugs or errors
      ◦ Configuration issues
      ◦ Capacity problems
  • External Attacks
      ◦ Cyber attacks (e.g., malware, ransomware)
      ◦ Denial of service
      ◦ Data breaches
      ◦ Social engineering
  • Third-Party Incidents
      ◦ Service provider outages
      ◦ Supply chain compromises
      ◦ Cloud service disruptions
  • Process Failures
      ◦ Human error
      ◦ Procedural mistakes
      ◦ Control failures
By Impact Type:
  • Availability Incidents
      ◦ Service outages
      ◦ System downtime
      ◦ Performance degradation
  • Integrity Incidents
      ◦ Data corruption
      ◦ Unauthorized modifications
      ◦ System compromise
  • Confidentiality Incidents
      ◦ Data leaks
      ◦ Information disclosure
      ◦ Privacy breaches
2.3. Materiality Thresholds
(Based on RTS 2024/1772 Article 9)
Quantitative Thresholds:
  • Client Impact: >10% of client base OR >100,000 clients affected
  • Duration: >24 hours of incident duration
  • Service Disruption: >2 hours for critical functions
  • Economic Impact: >100,000 EUR direct/indirect losses
Qualitative Thresholds:
  • Geographic Spread: Impact across 2+ Member States
  • Data Integrity: Loss affecting business objectives
  • Reputational Impact: Significant media coverage
  • Regulatory Breach: Non-compliance with obligations
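The decision rule in 2.1 combined with the thresholds in 2.3 can be turned into a repeatable triage check, which is useful because the initial notification clock (section 3.3) starts once an incident is judged major. The following Python is an added example for this guide, not code from the author or from any regulator: the threshold values are copied from section 2.3 of this guide (verify them against the RTS text before relying on them), the `Incident` field names are this example's own, and it assumes that "materiality threshold for criticality" in 2.1 corresponds to the ">2 hours for critical functions" threshold, with all other thresholds forming the "other categories".

```python
from dataclasses import dataclass

# Materiality thresholds as listed in section 2.3 of the guide (not taken
# from the RTS text itself; confirm against the regulation before use).
CLIENT_SHARE = 0.10            # >10% of client base ...
CLIENT_COUNT = 100_000         # ... OR >100,000 clients affected
DURATION_HOURS = 24            # >24 hours of incident duration
CRITICAL_DISRUPTION_HOURS = 2  # >2 hours for critical functions
ECONOMIC_IMPACT_EUR = 100_000  # >100,000 EUR direct/indirect losses
MEMBER_STATES = 2              # impact across 2+ Member States


@dataclass
class Incident:
    """Facts gathered during triage. Field names are this example's own."""
    affects_critical_services: bool
    clients_affected: int
    total_clients: int
    duration_hours: float
    critical_function_downtime_hours: float
    economic_impact_eur: float
    member_states_affected: int
    integrity_loss_affects_objectives: bool = False  # qualitative threshold
    significant_media_coverage: bool = False         # qualitative threshold
    regulatory_breach: bool = False                  # qualitative threshold


def thresholds_met(inc: Incident) -> dict[str, bool]:
    """Evaluate every materiality threshold from section 2.3.

    'criticality' is kept separate because section 2.1 treats it
    differently from the other categories (assumption: it maps to the
    >2h critical-function threshold).
    """
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    return {
        "criticality": inc.critical_function_downtime_hours > CRITICAL_DISRUPTION_HOURS,
        "clients": share > CLIENT_SHARE or inc.clients_affected > CLIENT_COUNT,
        "duration": inc.duration_hours > DURATION_HOURS,
        "economic": inc.economic_impact_eur > ECONOMIC_IMPACT_EUR,
        "geographic": inc.member_states_affected >= MEMBER_STATES,
        "data_integrity": inc.integrity_loss_affects_objectives,
        "reputational": inc.significant_media_coverage,
        "regulatory": inc.regulatory_breach,
    }


def classify(inc: Incident) -> tuple[bool, list[str]]:
    """Apply the section 2.1 rule. Returns (is_major, thresholds met)."""
    met = thresholds_met(inc)
    hit = [name for name, ok in met.items() if ok]
    # Branch 1: impact on critical services AND the criticality threshold.
    critical_branch = inc.affects_critical_services and met["criticality"]
    # Branch 2: two or more thresholds from the other categories.
    others = [name for name in hit if name != "criticality"]
    return (critical_branch or len(others) >= 2), hit


# Constructed sample incidents (not real events) covering each branch.
EXAMPLE_INCIDENTS = {
    # Critical payment function down for 3h: major via branch 1 alone.
    "critical_outage": Incident(True, 500, 50_000, 3.0, 3.0, 5_000, 1),
    # Non-critical portal: 12% of clients affected for 30h: major via branch 2.
    "long_portal_outage": Incident(False, 12_000, 100_000, 30.0, 0.0, 20_000, 1),
    # Small, short, cheap, single-country: not major.
    "minor_glitch": Incident(False, 1_000, 100_000, 5.0, 0.0, 1_000, 1),
}


if __name__ == "__main__":
    for name, inc in EXAMPLE_INCIDENTS.items():
        major, hit = classify(inc)
        print(f"{name}: major={major} thresholds={hit}")
```

The function returns the list of thresholds met alongside the verdict so the rationale can be recorded in the incident log (section 8.2) and carried verbatim into the initial notification and the final report.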
3. Incident Management Process
3.1. Detection Requirements
(RTS 2024/1774 Art. 23)
  • Implement automated detection mechanisms for:
      ◦ System anomalies and performance issues
      ◦ Security breaches and unauthorized access
      ◦ Configuration changes and system modifications
      ◦ Third-party service disruptions
  • Establish 24/7 monitoring capabilities
  • Enable user reporting channels
3.2. Response Procedures
  • Document incident management workflows including:
      ◦ Initial assessment and triage
      ◦ Escalation paths based on severity
      ◦ Communication protocols
      ◦ Evidence preservation requirements
  • Maintain incident response teams with defined roles
  • Integrate with crisis management procedures
3.3. Reporting Requirements
(RTS 2024/1772)
Initial Notification:
  • Submit within 4 hours of detection for major incidents
  • Include preliminary impact assessment
  • Describe immediate containment measures
Intermediate Updates:
  • Provide at least daily status updates
  • Report significant developments
  • Update impact assessments
Final Report:
  • Submit within 1 month of resolution
  • Include detailed root cause analysis
  • Document lessons learned and improvements
4. Integration with Other DORA Domains
4.1. Asset Management Integration
  • Map incidents to affected ICT assets
  • Prioritize response based on asset criticality
  • Update asset risk assessments post-incident
4.2. Third-Party Risk Management
  • Include third-party incident notification requirements
  • Coordinate response with service providers
  • Monitor provider incident management capabilities
4.3. Business Continuity
  • Align incident response with continuity plans
  • Test incident scenarios in BC/DR exercises
  • Update recovery procedures based on incidents
4.4. Security Operations
  • Integrate with security monitoring
  • Automate incident detection
  • Coordinate with threat management
5. Communication in Incident Management
5.1. Integration with Crisis Communication
  • Align incident response with the organization's crisis communication framework
  • Follow established communication procedures for major incidents
  • Ensure proper handoff between incident teams and communication teams
5.2. Incident-Specific Communication
  • Document communication requirements in incident playbooks:
      ◦ Internal escalation paths
      ◦ Regulatory reporting chains
      ◦ Service provider notifications
  • Maintain up-to-date contact lists for incident response
5.3. Cross-Border Coordination
  • Establish procedures for incidents affecting multiple jurisdictions
  • Coordinate reporting to different national competent authorities
  • Maintain consistent technical details across all reports
6. Governance and Oversight
6.1. Management Body Responsibilities
  • Approve incident management framework
  • Review major incident reports
  • Ensure adequate resource allocation
  • Oversee continuous improvement
6.2. Information Sharing and Collaboration
  • Participate in sectoral information sharing networks
  • Share anonymized threat intelligence
  • Collaborate with peers on emerging threats
  • Coordinate with regulators on sector-wide incidents
7. Testing and Validation
7.1. Required Testing
(RTS 2024/1774)
  • Conduct quarterly incident response exercises
  • Test major incident scenarios annually
  • Validate reporting procedures
  • Exercise crisis communication plans
7.2. Continuous Improvement
  • Review incident metrics quarterly
  • Update procedures based on lessons learned
  • Incorporate emerging threats
  • Enhance detection capabilities
8. Documentation Requirements
8.1. Mandatory Documentation
  • Incident management policy and procedures
  • Classification and escalation criteria
  • Response playbooks and workflows
  • Communication templates
  • Testing and exercise records
8.2. Incident Records
  • Maintain detailed incident logs
  • Document response actions
  • Preserve incident evidence
  • Track metrics and KPIs
9. Key Success Factors
  • Clear incident classification criteria
  • Automated detection capabilities
  • Well-defined response procedures
  • Regular testing and validation
  • Integration with other capabilities
  • Comprehensive documentation
  • Management oversight
  • Effective crisis communication
  • Strong governance oversight
  • Active information sharing
  • Stakeholder engagement
Links to Related DORA Compliance Themes
For a comprehensive understanding of DORA compliance, this guide aligns with the following related topics:
For detailed implementation guidance, refer to DORA's RTS and ITS documentation and related guides within this compliance series.
CISO & Advisor | My StratOps newsletter helps cybersecurity experts achieve more, faster.

I hope this guide on Governance, Organization, Resources for ICT Risk will help your team achieve DORA compliance.