Under DORA, financial entities
Under the Digital Operational Resilience Act (DORA), which became fully applicable on January 17, 2025, financial entities must manage and, in some cases, notify authorities about “Significant Cyber Threats”. They are actually encouraged to voluntarily report significant cyber threats — those that could potentially result in a major incident but have not yet materialized — to help identify trends and improve overall security.
What is a Significant Cyber Threat?
A cyber threat is classified as significant if its technical characteristics indicate a high potential to cause a major ICT-related incident or a major operational/security payment-related incident. Classification is based on:
- Criticality of the services at risk.
- Number/relevance of targeted clients or financial counterparts.
- Geographical spread of the areas at risk.
Reporting Obligations
Unlike major ICT incidents, which are mandatory to report, notifying “Significant Cyber Threats” is generally voluntary.
- Voluntary Notification: Entities may notify their relevant competent authority if they deem the threat relevant to the financial system, clients, or service users.
- Mandatory Internal Recording: Even if not reported externally, entities must record all significant cyber threats internally as part of their ICT risk management.
- Client Information: If a significant threat poses a risk to clients, entities must inform them of appropriate protection measures they can take.
Report Content & Templates
When submitting a voluntary report, entities typically use standardized templates provided by their national regulator.
The report must include:
Indicators of Compromise (IoC): Technical markers used for identification.
Threat Description: Technical details and timestamps of detection.
Potential Impact: Analysis of what would have happened if the threat had materialized.
Mitigation Actions: Steps already taken to prevent the threat from becoming an incident.