Digital Operational Resilience Act (DORA) — Incident Reporting

Yes. Digital Operational Resilience Act (DORA) addresses Incident Reporting through 1 provision.

Does Digital Operational Resilience Act (DORA) require Incident Reporting?

European Union • enforcing

Yes — 1 provision

This regulation imposes 4 specific requirements for Incident Reporting across 1 provision:

Classify incidents — Classify ICT-related incidents using ESA criteria
Major incident reporting — Notify competent authorities of major ICT incidents
Reporting thresholds — >24 hours duration, >2 hours critical service disruption, ≥2 EU states affected, or >EUR 100,000 economic impact
Voluntary threat reporting — Encouraged to report significant cyber threats

Obligation:

enforcing

Effective:

Jan 17, 2025

Risk tier:

all

Scope:

providers, deployers

Requirement	Details
Classify incidents	Classify ICT-related incidents using ESA criteria
Major incident reporting	Notify competent authorities of major ICT incidents
Reporting thresholds	>24 hours duration, >2 hours critical service disruption, ≥2 EU states affected, or >EUR 100,000 economic impact
Voluntary threat reporting	Encouraged to report significant cyber threats

Violation	Fine
Non-compliance	Determined by national competent authorities per member state law