In the context of the Digital Operational Resilience Act (DORA), financial entities are required to submit three distinct types of reports to regulatory authorities following a major ICT-related incident.
These reporting stages ensure authorities can monitor systemic risks in real time and that organizations perform thorough post-mortem analyses.
The 3 Stages of DORA Incident Reporting
Initial Notification
Purpose: The first “alert” to the competent authority to signal that a major incident has occurred.
Timeline: Must be submitted within 24 hours of detecting the incident.
Focus: High-level details about the incident’s nature and potential impact to allow authorities to assess broader financial stability risks.
Intermediate Report
Purpose: An update on the status of the incident as more information becomes available.
Timeline: Generally due within 72 hours of detection.
Focus: Details on the incident’s ongoing impact, current mitigation efforts, and any newly identified complexities.
Final Report
Purpose: The final, comprehensive analysis of the event after it has been resolved.
Timeline: Submitted within one month of the incident’s resolution.
Focus: A deep dive into the root cause, a detailed assessment of the actual impact, and “lessons learned” to prevent future occurrences.
