DORA reporting deadlines: the 4-hour rule for major ICT incidents

What DORA Art. 19 actually requires: the initial notification within 4 hours of classification (no later than 24 hours from awareness), the intermediate report within 72 hours, the final report within one month — and when an incident even counts as “major”. With the correct legal bases (RTS 2025/301, classification RTS 2024/1772).

01 The three deadlines at a glance

Once an ICT-related incident is classified as major, a cascade of three reports with hard deadlines begins. The core provision is Art. 19 DORA (Regulation (EU) 2022/2554); the precise deadlines sit in Art. 5 of the regulatory technical standards (RTS) — Delegated Regulation (EU) 2025/301 [1][3].

Initial notification: as early as possible, in any case within 4 hours of classification as major — and no later than 24 hours after the entity became aware of the incident. Intermediate report: within 72 hours of the initial notification, even if the status or handling has not changed. Final report: no later than one month after the (latest updated) intermediate report [3].

The most common misconception concerns when the clock starts. The 4-hour deadline begins not with the incident but with its classification as major; the 24-hour limit from awareness is the outer cap. Classify quickly and you have only four hours from classification; classify slowly and the 24-hour awareness cap bites. The real operational challenge is therefore fast, defensible classification.

02 When is an incident “major”?

The criteria are in the classification RTS — Delegated Regulation (EU) 2024/1772. Its structure is often misstated: the criticality of services affected (Art. 6) is not a counted threshold but the gateway condition. An incident is major only if it first affected critical services — and then either the data-loss trigger in Art. 9(5)(b) alone is met or at least two of the other thresholds are reached (Art. 8) [2].

The other thresholds (Art. 9) include: affected clients above 10% of the service’s users or more than 100,000 clients; affected financial counterparts above 30%; affected transactions above 10% of the daily average; incident duration over 24 hours or downtime over 2 hours for critical or important functions; geographical impact in two or more Member States; economic impact above EUR 100,000 [2].
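The gateway-then-thresholds structure described above, as an added example (not code from the article or from any regulator). The `Impact` record and its field names are hypothetical, only the thresholds named on this page are modelled, and the data-loss trigger is taken as an input the entity has already assessed.

```python
from dataclasses import dataclass

@dataclass
class Impact:                              # hypothetical record, one per incident
    critical_services_affected: bool       # Art. 6 gateway condition
    data_loss_trigger: bool = False        # Art. 9(5)(b), assessed by the entity
    clients_pct: float = 0.0
    clients_abs: int = 0
    counterparts_pct: float = 0.0
    transactions_pct_of_daily_avg: float = 0.0
    duration_hours: float = 0.0
    critical_downtime_hours: float = 0.0
    member_states: int = 1
    economic_impact_eur: float = 0.0

def thresholds_met(i: Impact) -> list[str]:
    """Names of the thresholds listed on this page that the incident exceeds."""
    checks = {
        "clients": i.clients_pct > 10 or i.clients_abs > 100_000,
        "counterparts": i.counterparts_pct > 30,
        "transactions": i.transactions_pct_of_daily_avg > 10,
        "duration": i.duration_hours > 24 or i.critical_downtime_hours > 2,
        "geography": i.member_states >= 2,
        "economic": i.economic_impact_eur > 100_000,
    }
    return sorted(name for name, hit in checks.items() if hit)

def classify(i: Impact) -> dict:
    """Return the decision with its reason, so it can go into the audit trail."""
    met = thresholds_met(i)
    if not i.critical_services_affected:
        major, reason = False, "gateway not met: no critical service affected"
    elif i.data_loss_trigger:
        major, reason = True, "data-loss trigger met on its own"
    elif len(met) >= 2:
        major, reason = True, "two or more thresholds: " + ", ".join(met)
    else:
        major, reason = False, "fewer than two thresholds met"
    return {"major": major, "reason": reason, "thresholds": met}

# Constructed sample incidents
OUTAGE = Impact(True, critical_downtime_hours=3, clients_pct=12)
NON_CRITICAL = Impact(False, clients_abs=250_000,
                      economic_impact_eur=400_000, member_states=3)
```

`NON_CRITICAL` exceeds three thresholds and is still not major, because the gateway condition is evaluated first rather than counted.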

03 The three reports — and which instrument governs which

The three reports under DORA Art. 19(4) build on one another. The initial notification is a fast first alert. The intermediate report updates the status; in addition, an updated intermediate report is required without undue delay once regular operations have been restored. The final report follows when the root-cause analysis is complete [1][3].

Standard forms govern submission: Implementing Regulation (EU) 2025/302 (ITS) lays down the templates and procedures. A common adjacent mix-up: Regulation (EU) 2024/2956 concerns not incident reporting but the register of information on ICT third-party providers (DORA Art. 28) — a different set of duties [4].

04 Late classification, weekends — and who gets no relief

Two special rules in Art. 5 of RTS 2025/301 are easy to miss. Late classification (Art. 5(2)): if an incident is classified as major only after the 24 hours from awareness have elapsed, the initial notification is due within 4 hours of that classification. Weekend/holiday rule (Art. 5(4)): where a deadline falls on a weekend or a bank holiday, reporting may be done by noon of the next working day [3].

The weekend relief does not, however, apply to the initial and intermediate reports of certain actors: credit institutions, central counterparties, operators of trading venues, and entities classified as “essential” or “important” under Art. 3 of the NIS2 Directive must report on time even at weekends (Art. 5(5)) [3].
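The deadline rules from sections 01 and 04, worked through as an added example (not code from the article). Function names are hypothetical; it assumes all timestamps are in one time zone, that bank holidays are supplied by the caller, and that "one month" means the same day of the following month, clamped to month end.

```python
import calendar
from datetime import datetime, time, timedelta

def initial_due(aware, classified):
    """4 h from classification, capped at 24 h from awareness."""
    cap = aware + timedelta(hours=24)
    if classified > cap:                       # late classification, Art. 5(2)
        return classified + timedelta(hours=4)
    return min(classified + timedelta(hours=4), cap)

def intermediate_due(initial_sent):
    """72 h after the initial notification was submitted."""
    return initial_sent + timedelta(hours=72)

def final_due(last_intermediate):
    """One month after the latest updated intermediate report (see assumption)."""
    carry, m = divmod(last_intermediate.month, 12)
    year, month = last_intermediate.year + carry, m + 1
    day = min(last_intermediate.day, calendar.monthrange(year, month)[1])
    return last_intermediate.replace(year=year, month=month, day=day)

def with_weekend_rule(due, report, no_relief_entity, holidays=frozenset()):
    """Apply Art. 5(4) relief unless Art. 5(5) excludes this entity and report.

    report is "initial", "intermediate" or "final"; holidays is a set of dates.
    """
    def working(d):
        return d.weekday() < 5 and d not in holidays
    if working(due.date()):
        return due
    if no_relief_entity and report in ("initial", "intermediate"):
        return due                             # must report on time at weekends
    day = due.date()
    while not working(day):
        day += timedelta(days=1)
    return datetime.combine(day, time(12))     # noon of the next working day

# Constructed timeline: awareness on Friday 7 March 2025, 09:00
AWARE = datetime(2025, 3, 7, 9, 0)
FAST = initial_due(AWARE, datetime(2025, 3, 7, 10, 30))   # classified same morning
SLOW = initial_due(AWARE, datetime(2025, 3, 8, 8, 0))     # classified after 23 h
LATE = initial_due(AWARE, datetime(2025, 3, 8, 10, 0))    # classified after 25 h
```

With slow classification the 24-hour cap lands on Saturday 09:00: an entity with weekend relief may report by Monday noon, while an entity listed in Art. 5(5) must still meet Saturday 09:00.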

05 Who reports — and to whom

The reporting duty falls on the financial entities under DORA Art. 2 — from credit institutions through payment and e-money institutions, investment firms, CASPs and fund managers to insurance and reinsurance undertakings and institutions for occupational retirement provision. Reports go to the competent authority under Art. 46: for most, national (e.g. BaFin, FMA); for significant credit institutions, via the national authority to the ECB [1].

Alongside mandatory reporting of major incidents, Art. 19(2) permits the voluntary notification of significant cyber threats where the entity deems the threat relevant. Where an entity is supervised by more than one authority, Member States designate a single competent authority for these reports [1].

06 What this means for the setup

In practice, DORA incident reporting succeeds or fails not on the template but on the speed of classification. The 4-hour clock from classification leaves no room for manual coordination loops; classification logic, escalation paths and templates must be in place and tested in advance. The auditable trail — when awareness arose, when classification happened, when the report went out — is the first thing a supervisory inspection wants to see.

And the rulebook moves: RTS 2025/301 and ITS 2025/302 only entered into force in 2025, the classification RTS 2024/1772 was sharpened in 2024, and ESA Q&As continually refine thresholds and reporting channels. Implement the first version but fail to track the follow-on changes at the source, and in a real incident you report against outdated requirements. That is exactly where horizon scanning comes in: detect the relevant changes, classify them, and route them to the responsible team.

Sources

  [1] DORA — Regulation (EU) 2022/2554, Art. 19 and Art. 46 — EUR-Lex
  [2] Classification RTS — Commission Delegated Regulation (EU) 2024/1772 (Arts. 8, 9) — EUR-Lex
  [3] Content & time limits of the reports — Commission Delegated Regulation (EU) 2025/301, Art. 5 — EUR-Lex
  [4] Reporting templates — Commission Implementing Regulation (EU) 2025/302 (ITS) — EUR-Lex
