DORA Chapter III: incident reporting, where the clock is measured in hours¶
This is the chapter that changed daily life for financial entities. Articles 17 to 23 turn "we had an outage" into a regulated reporting process with statutory deadlines. Miss the classification in post 5 and you miss the clock here. Today, incident management and the reporting cascade, with the exact hours from the RTS.
Article 17: the process¶
Article 17 requires entities to "define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents", and to record all incidents. This is the operational plumbing: a process that takes a detected anomaly, runs it through classification (Article 18, and the RTS 2024/1772 thresholds from post 5), and decides whether the reporting duty in Article 19 is triggered.
The recording requirement is easy to underrate. DORA wants a log of all incidents, not just the major ones, because the minor ones are how supervisors and you spot patterns. An incident register that only contains the disasters is missing the point.
Article 19: the cascade¶
Once an incident is classified major, Article 19 sets a reporting cascade to the competent authority. The content and, crucially, the timing come from RTS 2025/301. The deadlines, verbatim from that RTS, are:
The initial notification is due within four hours from the classification of the incident as major, and no later than 24 hours from the moment the entity became aware of it. The intermediate report follows within 72 hours from the initial notification. The final report is due no later than one month after.
Four hours from classification. That is the number to internalise. It means your classification decision is itself on a clock, because the four hours starts the moment you decide "this is major". A slow, careful classification does not buy you time; it spends it.
The whole flow¶
Detection (Article 10) feeds the incident process (Article 17), which applies the classification criteria (Article 18) against the RTS 2024/1772 thresholds, which if crossed triggers the Article 19 cascade on RTS 2025/301 timing, using the templates in ITS 2025/302. Five instruments, one flow. If any link is weak, the whole chain misses the deadline.
The artefact: the reporting clock¶
Print this. It is the timeline your incident process has to beat.
| Step | Deadline (RTS 2025/301) |
|---|---|
| Classify incident as major | Starts the clock |
| Initial notification | Within 4 hours of classification, and within 24 hours of awareness |
| Intermediate report | Within 72 hours of the initial notification |
| Final report | No later than one month after |
| Templates to use | ITS 2025/302, Annexes I to IV |
One honest caveat: the four-hour and 24-hour limits interact, and there are specifics for significant credit institutions and for weekends and reporting windows. Read RTS 2025/301 and ITS 2025/302 directly, both linked from the DORA resource library, before you set your internal SLAs.
Next in this series: Chapter IV, digital operational resilience testing and TLPT, where "at least every three years" hides a lot of scope.