DORA compliance Part 2: Managing ICT-related incidents

As of January 17, 2025, the EU’s Digital Operational Resilience Act (DORA) is legally binding. It is designed to ensure that organizations in the financial industry are better protected against digital threats. The second central pillar of DORA consists of standards for managing ICT-related incidents.

Increasing digitalization and interconnectedness have made financial companies more efficient but also more vulnerable to cyberattacks and technical malfunctions. Articles 17 to 23 in Chapter III of DORA stipulate how organizations must handle ICT-related incidents. This subarea aims to set uniform standards for identifying, reporting, and resolving such incidents across the entire EU financial sector.

The term “ICT-related incidents” refers to any event that impacts the availability, confidentiality, or integrity of IT systems within a company. This includes:

  • Cyberattacks such as phishing or ransomware
  • System failures caused by technical faults or human errors
  • Data leaks compromising sensitive customer or business data

Which obligations do companies have under DORA?

1. Identification and classification of incidents

Companies must have mechanisms in place to quickly detect ICT-related incidents and assess their severity. DORA requires organizations to differentiate between major and non-major incidents. Major incidents are events that significantly impact the confidentiality, availability, or integrity of systems or disrupt operational processes. When classifying incidents, companies should consider factors such as:

  • the importance of the affected systems
  • the duration of the disruption
  • potential financial damage
  • reputational risks

2. Incident response and management

With DORA now in effect, financial companies must establish structured response plans, regularly test them, and adapt as needed. These plans must address various types of incidents, prioritize data protection, and outline clear responsibilities and concrete steps for damage control and system recovery. To strengthen internal analysis and enhance resilience, organizations must also maintain thorough documentation of all ICT-related incidents, regardless of their severity.

3. Reporting obligations and deadlines

A key requirement of DORA is the mandatory reporting of major ICT-related incidents to the appropriate authorities. This includes notifying the relevant national bodies and, if necessary, the European Banking Authority (EBA). Reporting is required when an incident significantly affects financial stability, disrupts business operations, compromises customer data, or threatens regulatory compliance.

Affected companies must adhere to clear processes and strict deadlines:

  • Initial notification: Once a company identifies a major ICT-related incident, it must report it within 4 hours, and no later than 24 hours. The notification must contain initial information, such as the type of incident, the affected systems, and a first impact assessment.
  • Detailed report: Within 74 hours of the incident, organizations must submit a comprehensive report outlining the cause, scope, and corrective actions taken.
  • Final report: As soon as the incident has been resolved, a final report must be submitted, containing an evaluation of the impact and recommendations for preventing similar incidents in the future.

DORA compliance: reporting obligation checklist

  • Are all major ICT incidents in your company clearly defined?
  • Have you implemented a structured reporting procedure, including the required deadlines?
  • Are your employees trained in the requirements and processes?
  • Do you have systems in place to automate reporting?
  • Are incidents regularly documented and analyzed?

Building a strong security infrastructure

The DORA reporting obligations are an essential pillar for enhancing digital resilience in the financial sector. Financial entities that rigorously implement these requirements will benefit from a robust security infrastructure and avoid potential regulatory sanctions.

Learn more about how Tresorit can help financial organizations manage their data in a safe and compliant manner.