DORA Art.20-21: Incident Reporting Harmonisation and the Centralised Reporting Hub — Developer Guide 2026
Post #502 in the sota.io EU Cyber Compliance Series
DORA Chapter III ends with two articles that are easy to overlook when Art.19's 4-hour deadline is dominating your incident response planning. That is a mistake. Art.20 and Art.21 determine how you report — the format, the content, the routing — while Art.19 determines when you report. Together, they define the full mechanics of DORA incident reporting. More importantly for teams subject to multiple EU financial regulations, these articles resolve the reporting duplication problem: one major incident can simultaneously trigger DORA, NIS2, GDPR, and sector-specific obligations. Art.20-21 are the regulatory answer to that duplication.
1. Where Art.20-21 Fit in the DORA Chapter III Chain
The Chapter III incident reporting chain is sequential:
| Article | Function | Trigger |
|---|---|---|
| Art.17 | ICT incident management process | Ongoing process obligation |
| Art.18 | Classification decision (major vs. non-major) | Any ICT incident |
| Art.19 | Reporting timelines (4h/72h/30d) and content | "Major" classification from Art.18 |
| Art.20 | Harmonised reporting formats and ITS | Defines Art.19 content requirements |
| Art.21 | Centralised reporting hub | Routes Art.19 reports to correct authorities |
| Art.22 | Supervisory feedback on incident reports | After Art.19 final report |
| Art.23 | Voluntary notification of significant cyber threats | Optional, Art.18(3) assessment |
Art.20 and Art.21 are not standalone obligations in the same sense as Art.17-19. They are implementing mechanisms — Art.20 defines what goes into the reports that Art.19 requires, and Art.21 defines where those reports go and how the supervisory information flow works downstream.
2. Scope: Which Entities Are Affected
The same ~22,000 EU financial entities subject to Art.17-19 are subject to Art.20-21. The practical impact varies by entity type:
| Entity Type | Art.20 Impact | Art.21 Impact |
|---|---|---|
| Credit institutions (banks) | Must comply with EBA ITS reporting formats | Report to ECB/national CA; ECB routes to EBA + ENISA |
| Investment firms | Must comply with ESMA ITS formats | Report to national CA; routed to ESMA |
| Insurance / reinsurance | Must comply with EIOPA ITS formats | Report to national CA; routed to EIOPA |
| Payment institutions / EMIs | EBA ITS; previous PSD2 reporting now consolidated | Single report replaces PSD2 STS incident reporting |
| Crypto-asset service providers (CASPs) | ESMA ITS from Dec 2024 | National CA routes to ESMA |
| Central counterparties (CCPs), CSDs | ESMA ITS; systemic importance = heightened scrutiny | Report treated as potential systemic event |
| Multi-sector financial groups | Most complex: must identify lead ESA | Art.21 routing determines which ESA leads |
Multi-sector groups: A banking group that also operates an insurance subsidiary and a payment institution faces EBA, EIOPA, and EBA (payment) reporting obligations. Art.21's centralised routing matters most for these entities — one report can satisfy multiple supervisory chains once the routing authority is established.
3. Art.20: Harmonisation of Reporting Requirements
The Core Obligation
Art.20(1) requires the Joint Committee of the three European Supervisory Authorities (EBA, EIOPA, ESMA) to develop draft implementing technical standards (ITS) that specify:
- The content of major ICT-related incident reports submitted under Art.19
- The formats and templates to be used
- The procedures for the voluntary notification of significant cyber threats under Art.19(2)
- The timeframes for implementation of corrective measures following supervisory feedback
The Commission adopts these ITS by delegated regulation, making them legally binding across all member states and replacing any national variations in reporting format.
What the ITS Defines: Report Content Requirements
The ITS establishes distinct content requirements for each of the three Art.19 reporting phases:
Initial Notification (≤4 hours after major classification)
The initial notification is deliberately minimal — the ITS requires only what a competent authority needs to assess urgency and systemic risk. Required fields:
| Field | Content | Format Requirement |
|---|---|---|
| Entity identification | LEI code, entity name, DORA registration ID | ISO 17442 (LEI) |
| Classification timestamp | Detection timestamp (Art.17 process start), not acknowledgement | ISO 8601 UTC |
| Incident category | Primary classification: cyber-attack, system failure, third-party failure, etc. | Taxonomy from ITS Annex |
| Major trigger criterion | Which Art.18(1) criterion was met (or Art.18(2) cyber-attack override) | Enumerated value |
| Estimated client impact | Number of affected clients at time of notification | Integer; "unknown" permitted at t+4h |
| Services affected | List of ICT services impacted | Service catalogue reference |
| Initial containment status | Whether incident is ongoing or contained | Boolean + narrative (max 500 chars) |
Critical point: The classification timestamp for the 4-hour clock is the moment your Art.18 assessment determined "major" — not when the incident was first detected, not when the on-call engineer acknowledged the alert. If your SIEM fires at 14:00 and the on-call determines major at 14:45, the initial notification is due by 18:45.
Intermediate Report (≤72 hours after initial classification)
The intermediate report provides a fuller picture of the incident's scope and evolution:
| Field | Content |
|---|---|
| Incident timeline | Chronological log from detection through current status |
| Root cause assessment | Preliminary root cause (can be updated in final report) |
| Updated impact figures | Confirmed client numbers, transaction volumes affected, geographic scope |
| Financial impact | Estimated financial loss (quantified to the extent possible) |
| Containment and recovery actions | Steps taken, RTO/RPO progress against Art.12 commitments |
| Third-party involvement | Whether an ICT third-party provider (Art.28-30) contributed |
| Regulatory cross-triggers | Whether GDPR Art.33, NIS2 Art.23, or sector-specific obligations were also triggered |
| Corrective measures planned | Initial remediation plan with target completion dates |
Final Report (≤30 calendar days after initial notification)
The final report is the definitive regulatory record of the incident. NCAs use it for supervisory assessments and systemic risk analysis:
| Field | Content |
|---|---|
| Complete root cause analysis | Confirmed root cause, contributing factors, failure mode taxonomy |
| Full impact assessment | Final client, financial, and reputational impact quantification |
| Recovery completion | Confirmation of service restoration with actual vs. target RTO/RPO |
| Corrective measures implemented | Completed remediation steps with evidence references |
| Systemic risk assessment | Whether the incident revealed risks to other financial entities |
| Lessons learned | Documented process improvements (feeds Art.13 ICT risk framework update) |
| Third-party disclosure | Whether the ICT third-party provider's Art.30(4) contract was triggered |
| Recurrence risk assessment | Probability assessment of recurrence and residual risk |
Harmonisation with Other EU Reporting Frameworks
The ITS explicitly addresses harmonisation with three other EU reporting frameworks:
NIS2 Art.23-24 (for entities that are also NIS2 "important entities"):
Most DORA-scoped financial entities that operate critical digital infrastructure are simultaneously subject to NIS2 Art.23 reporting. The ITS provides a mapping:
| DORA Report Phase | NIS2 Equivalent | Harmonised Content |
|---|---|---|
| Initial notification (≤4h) | Early warning (≤24h for significant incidents) | DORA initial report satisfies NIS2 early warning if it meets NIS2 threshold |
| Intermediate report (≤72h) | Incident notification (≤72h) | Direct equivalence — DORA report template includes NIS2 fields |
| Final report (≤30d) | Final report (≤1 month) | DORA final report satisfies NIS2 final report obligation |
In practice: if you submit a correctly-formatted DORA intermediate report within 72 hours, you have also satisfied NIS2 Art.23(4) — provided the competent authority routing under Art.21 includes the relevant NIS2 National Competent Authority.
GDPR Art.33 (data breach notification):
When a major ICT incident involves personal data, GDPR Art.33 requires notification to the Data Protection Authority (DPA) within 72 hours. The DORA ITS:
- Includes a
personal_data_affectedboolean anddata_categoriesfield in the intermediate report template - Designates the GDPR Art.33 notification as a parallel obligation (not merged into DORA — different authority, different regulatory basis)
- Notes that DORA Art.19 satisfies the format requirement for GDPR Art.33 to the extent the DPA accepts the DORA template
PSD2 STS Incident Reporting (legacy):
Before DORA, payment institutions and electronic money institutions reported major operational or security incidents under EBA Guidelines on major incidents reporting under PSD2 (EBA/GL/2017/10). DORA Art.20 explicitly supersedes these guidelines for DORA-scoped entities from the date of DORA application (Jan 17, 2025). The DORA ITS absorbed and superseded the PSD2 STS template — PSPs no longer file PSD2 STS reports separately if they are filing DORA major incident reports.
4. Art.21: Centralised Reporting Hub
The Reporting Multiplicity Problem
Without Art.21, a credit institution experiencing a major ICT incident would need to report to:
- ECB (for significant credit institutions under SSM)
- National Competent Authority (banking supervisor)
- EBA (the relevant ESA)
- ENISA (under DORA Art.19(6))
- NIS2 National Competent Authority (if also NIS2-scoped)
- Data Protection Authority (if personal data affected under GDPR Art.33)
That is six parallel reporting streams, each with different templates, different portals, and different contact points — during an active incident that your engineering team is simultaneously trying to contain. Art.21 addresses this directly.
Art.21(1): The Single Entry Point Principle
Art.21(1) provides that competent authorities shall be the single point of entry for major ICT incident reports. Financial entities report to their primary competent authority. The competent authority then:
- Acknowledges receipt and records the timestamp (this matters for your compliance audit trail)
- Routes the report to other relevant supervisors without requiring additional filings from the financial entity
- Coordinates with ESAs on any cross-border or systemic risk assessment
The routing logic is established at member state level, with ESA guidance:
Financial Entity
│
│ Single report via Art.21 hub
▼
Competent Authority (Primary Supervisor)
│
├──► EBA / EIOPA / ESMA (relevant ESA)
│
├──► ENISA (mandatory under Art.19(6))
│
├──► ECB (for significant credit institutions)
│
├──► NIS2 NCA (if dual-scoped)
│
└──► Other NCAs (if cross-border incident)
Art.21(2): ESA Assessment of EU-Level Centralisation
Art.21(2) requires EBA, EIOPA, and ESMA to submit a report to the European Parliament, the Council, and the Commission assessing the feasibility of further centralisation at EU level — a single EU Hub that would receive reports directly from financial entities rather than via national competent authorities.
The ESA feasibility report must assess:
- Whether a common EU Hub could reduce administrative burden
- Technical requirements for a unified submission platform
- Governance arrangements for data sharing between national and EU-level supervisors
- Timeline for implementation if feasible
Status as of 2026: The ESA joint report on the EU Hub feasibility was delivered per the DORA mandate. The Hub is not yet established as a live submission system. National competent authorities currently operate their own portals; ESMA, EBA, and EIOPA receive reports via structured data feeds from national authorities. Financial entities do not yet have a single EU URL to submit DORA reports — they use the portal of their primary national supervisor.
Art.21(3): Cross-Border Incident Coordination
When a major ICT incident has cross-border impact (affects clients or operations in multiple member states), Art.21(3) requires:
- The lead competent authority (the supervisor of the entity's home member state) notifies NCAs in affected member states
- NCAs in affected states may make supplementary requests for information, but the financial entity is not required to file additional initial reports
- ESAs coordinate through the Joint Committee when an incident poses systemic risk
The "one report, one routing" principle holds even for cross-border incidents — the administrative burden stays with supervisors, not with engineering teams managing the incident.
5. Implementation: Python Reporting Client
The following implementation covers the Art.20 ITS-compliant report structure and an Art.21-compatible submission flow. This is a skeleton that maps to the ITS fields described above — production use requires the actual API endpoint for your national competent authority's submission portal.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from enum import Enum
import json
import uuid
class IncidentPhase(str, Enum):
INITIAL = "initial" # Art.19(4)(a) ≤4h
INTERMEDIATE = "intermediate" # Art.19(4)(b) ≤72h
FINAL = "final" # Art.19(4)(c) ≤30d
class RootCause(str, Enum):
CYBER_ATTACK = "cyber_attack"
SYSTEM_FAILURE = "system_failure"
THIRD_PARTY_FAILURE = "third_party_failure"
HUMAN_ERROR = "human_error"
NATURAL_EVENT = "natural_event"
UNKNOWN = "unknown"
class Art18Criterion(str, Enum):
CLIENTS_AFFECTED = "clients_affected"
SERVICE_DURATION = "service_duration"
GEOGRAPHIC_SPREAD = "geographic_spread"
DATA_INTEGRITY = "data_integrity"
ECONOMIC_IMPACT = "economic_impact"
REPUTATIONAL_IMPACT = "reputational_impact"
CYBER_ATTACK_OVERRIDE = "cyber_attack_override" # Art.18(2)
@dataclass
class DORAIncidentReport:
"""Art.20 ITS-compliant DORA major ICT incident report."""
# Entity identification
entity_lei: str # ISO 17442 LEI code
entity_name: str
dora_registration_id: str
# Incident identification
incident_id: str = field(default_factory=lambda: str(uuid.uuid4()))
phase: IncidentPhase = IncidentPhase.INITIAL
# Critical timestamps (ISO 8601 UTC — Art.18 clock starts at classification)
detection_timestamp: datetime = None
classification_timestamp: datetime = None # This starts the 4h clock
notification_timestamp: datetime = None
# Art.18 classification
major_trigger_criterion: Art18Criterion = None
root_cause: RootCause = RootCause.UNKNOWN
# Impact (required at initial; refined in intermediate/final)
clients_affected: int = None # None = "unknown" at initial notification
services_affected: list = field(default_factory=list)
geographic_scope: list = field(default_factory=list) # ISO 3166-1 alpha-2
is_contained: bool = False
# Financial impact (intermediate/final only)
estimated_financial_loss_eur: float = None
# Cross-regulatory flags
gdpr_art33_triggered: bool = False
nis2_art23_triggered: bool = False
third_party_involved: bool = False
third_party_name: str = None # Art.28-30 TPSP identifier
# Final report fields
corrective_measures: list = field(default_factory=list)
lessons_learned: str = None
recurrence_risk: str = None # "low" | "medium" | "high"
def notification_deadline_utc(self) -> datetime:
"""Returns the Art.19 notification deadline for this phase."""
from datetime import timedelta
if self.classification_timestamp is None:
raise ValueError("classification_timestamp required")
if self.phase == IncidentPhase.INITIAL:
return self.classification_timestamp + timedelta(hours=4)
elif self.phase == IncidentPhase.INTERMEDIATE:
return self.classification_timestamp + timedelta(hours=72)
elif self.phase == IncidentPhase.FINAL:
return self.classification_timestamp + timedelta(days=30)
def is_overdue(self) -> bool:
return datetime.now(timezone.utc) > self.notification_deadline_utc()
def minutes_remaining(self) -> float:
delta = self.notification_deadline_utc() - datetime.now(timezone.utc)
return delta.total_seconds() / 60
def to_its_payload(self) -> dict:
"""Serialises to Art.20 ITS-compliant JSON payload."""
base = {
"report_id": self.incident_id,
"phase": self.phase.value,
"entity": {
"lei": self.entity_lei,
"name": self.entity_name,
"dora_id": self.dora_registration_id,
},
"timestamps": {
"detection": self.detection_timestamp.isoformat() if self.detection_timestamp else None,
"classification": self.classification_timestamp.isoformat() if self.classification_timestamp else None,
"notification": datetime.now(timezone.utc).isoformat(),
},
"classification": {
"major_trigger": self.major_trigger_criterion.value if self.major_trigger_criterion else None,
"root_cause": self.root_cause.value,
},
"impact": {
"clients_affected": self.clients_affected,
"services": self.services_affected,
"geographic_scope": self.geographic_scope,
"is_contained": self.is_contained,
"financial_loss_eur": self.estimated_financial_loss_eur,
},
"cross_regulatory": {
"gdpr_art33": self.gdpr_art33_triggered,
"nis2_art23": self.nis2_art23_triggered,
"third_party_involved": self.third_party_involved,
"third_party_name": self.third_party_name,
},
}
if self.phase == IncidentPhase.FINAL:
base["final"] = {
"corrective_measures": self.corrective_measures,
"lessons_learned": self.lessons_learned,
"recurrence_risk": self.recurrence_risk,
}
return base
class DORAReportingClient:
"""
Art.21 hub-aware reporting client.
Submits to primary competent authority; authority routes downstream.
"""
def __init__(self, authority_portal_url: str, api_key: str, entity_lei: str):
self.portal_url = authority_portal_url
self.api_key = api_key
self.entity_lei = entity_lei
def submit(self, report: DORAIncidentReport) -> dict:
"""Submit report to Art.21 single entry point."""
import urllib.request
payload = report.to_its_payload()
data = json.dumps(payload).encode("utf-8")
req = urllib.request.Request(
f"{self.portal_url}/incidents",
data=data,
headers={
"Authorization": f"Bearer {self.api_key}",
"Content-Type": "application/json",
"X-Entity-LEI": self.entity_lei,
},
method="POST",
)
with urllib.request.urlopen(req, timeout=10) as response:
result = json.loads(response.read())
# Art.21(1): Authority acknowledges + timestamps receipt
return {
"submission_id": result.get("id"),
"authority_timestamp": result.get("received_at"),
"routing_status": result.get("routing"), # which authorities notified
}
# Usage example
classification_time = datetime(2026, 4, 21, 14, 45, 0, tzinfo=timezone.utc)
report = DORAIncidentReport(
entity_lei="529900HNOAA1KXQJUQ27",
entity_name="Example Bank AG",
dora_registration_id="DORA-DE-2025-001234",
phase=IncidentPhase.INITIAL,
detection_timestamp=datetime(2026, 4, 21, 14, 0, 0, tzinfo=timezone.utc),
classification_timestamp=classification_time,
major_trigger_criterion=Art18Criterion.CLIENTS_AFFECTED,
root_cause=RootCause.SYSTEM_FAILURE,
services_affected=["payment-processing", "customer-portal"],
geographic_scope=["DE", "AT", "CH"],
is_contained=False,
gdpr_art33_triggered=True,
third_party_involved=True,
third_party_name="CloudProvider GmbH (CTP-DE-2025-0042)",
)
print(f"Initial notification deadline: {report.notification_deadline_utc()}")
print(f"Minutes remaining: {report.minutes_remaining():.1f}")
print(f"Overdue: {report.is_overdue()}")
print(json.dumps(report.to_its_payload(), indent=2, default=str))
6. Cross-Framework Reporting Matrix
When a DORA major ICT incident also triggers other EU regulatory reporting obligations, the following matrix applies. The column "Art.21 routing covers?" indicates whether filing via the DORA Art.21 single entry point satisfies the parallel obligation:
| Framework | Trigger | Deadline | Authority | Art.21 Routing Covers? |
|---|---|---|---|---|
| DORA Art.19 (initial) | Major ICT classification | ≤4h | Primary CA | N/A — this is the primary submission |
| DORA Art.19 (intermediate) | Ongoing major incident | ≤72h | Primary CA → ESA | N/A |
| DORA Art.19 (final) | Incident closed | ≤30d | Primary CA → ESA | N/A |
| NIS2 Art.23 (early warning) | Significant incident | ≤24h | NIS2 NCA | Yes — CA routes to NIS2 NCA |
| NIS2 Art.23 (notification) | Significant incident | ≤72h | NIS2 NCA | Yes — DORA intermediate ≥ NIS2 notification |
| GDPR Art.33 | Personal data breach | ≤72h | DPA | Partial — separate DPA filing still required; DORA template accepted by many DPAs |
| ECB RIAD update | Systemic risk event | ASAP | ECB SSM | Yes — ECB receives via Art.21 routing |
| MiCA Art.70 | CASP major incident | ≤4h | ESMA / national CA | Yes — DORA ITS templates cover MiCA entities |
| Solvency II ORSA | Significant operational event | Annual (narrative) | EIOPA / national CA | No — ORSA is a separate annual process |
Important caveat — GDPR Art.33: Data Protection Authorities are not financial supervisors. They are not automatically included in the Art.21 routing chain unless member states specifically designate them in the national implementation of DORA. In practice, financial entities should assume GDPR Art.33 requires a separate parallel notification to the DPA, using the DORA template as evidence of the incident but filed directly.
7. Common Errors in Art.20-21 Implementation
Error 1: Confusing the "Single Entry Point" with "Single Report"
Art.21 creates a single entry point for filing, not a single report that satisfies all regulatory bases. The DORA report is filed once; the competent authority routes it. But the legal obligations (DORA, NIS2, GDPR) remain distinct — if routing fails, the financial entity is still responsible for the underlying reporting obligations. Build parallel fallback notification procedures.
Error 2: Treating PSD2 STS Reporting as Still Applicable
Payment institutions sometimes maintain separate PSD2 STS incident reporting workflows from pre-DORA implementation. These are superseded for DORA-scoped entities. Maintaining dual workflows creates inconsistency and can generate conflicting reports. Audit and retire PSD2 STS procedures for DORA-covered entities.
Error 3: Wrong Classification Timestamp → Wrong Deadline
The 4-hour initial notification clock starts at the Art.18 classification timestamp — the moment the incident was assessed as "major." This is not the detection timestamp, not the alert acknowledgement time, and not when the incident was reported to your CISO. If your Art.17 process includes a 45-minute triage window before classification, that 45 minutes is inside the 4-hour window. Systems that capture detection time but not classification time are non-compliant with the ITS timestamp requirements.
Error 4: Not Documenting the "Unknown" Assessment
At t+4h, some fields (client numbers, geographic scope) may genuinely be unknown. The ITS permits "unknown" as a valid value for the initial notification. What it does not permit is omitting the field entirely. Document your initial assessment, even if the assessment is "scope not yet determined." NCAs specifically audit whether initial notifications reflect genuine real-time knowledge or retrospectively inflated accuracy.
Error 5: Assuming Art.21 Hub Is Operational
As of 2026, the EU-level centralised Hub envisioned by Art.21(2) is not a live system. Financial entities submit to national competent authority portals. Do not wait for the EU Hub — implement national portal submission now.
8. NCA Audit Checklist — Art.20-21
Art.20: Reporting Format Compliance
- 1. Incident reporting system uses ITS-compliant fields for all three Art.19 phases
- 2. Classification timestamp (not detection timestamp) is captured and stored separately
- 3. LEI code is configured as the entity identifier in all report submissions
- 4. Initial notification template includes all mandatory ITS fields (partial data is acceptable; field omission is not)
- 5. Intermediate report captures preliminary root cause, even if "under investigation"
- 6. Final report includes Art.13-linked lessons learned with documented remediation
- 7. GDPR Art.33 trigger flag is assessed at the intermediate report stage
- 8. NIS2 Art.23 dual-trigger is assessed and documented in the intermediate report
- 9. Third-party involvement (Art.28-30 TPSP) is flagged and TPSP identifier included
- 10. PSD2 STS reporting workflow has been retired or consolidated into DORA ITS process
Art.21: Centralised Reporting Hub
- 11. Primary competent authority portal is identified and registered (not assumed)
- 12. API key / submission credentials for competent authority portal are stored in secrets management
- 13. Submission receipt acknowledgement is captured and retained per entity's Art.25 record-keeping obligation
- 14. Routing confirmation from competent authority is logged (which supervisors were notified)
- 15. GDPR Art.33 parallel DPA notification workflow exists (not assumed to be covered by Art.21 routing)
- 16. Fallback notification procedure exists if Art.21 portal is unavailable during incident
- 17. Cross-border routing is tested for entities with operations in multiple member states
- 18. Multi-supervisor entities (bank + insurer + PSP) have identified the lead competent authority for Art.21 routing
9. Key Regulatory References
| Document | Relevance |
|---|---|
| DORA Art.20 | Mandate for ESA ITS on reporting content, formats, and templates |
| DORA Art.21 | Centralised reporting hub — single entry point for Art.19 submissions |
| DORA Art.19 | Major incident reporting timelines and voluntary cyber threat notification |
| DORA Art.18 | Classification criteria — classification timestamp triggers Art.19 and Art.20-21 |
| Commission Implementing Regulation (ITS) on DORA incident reporting | Art.20 implementing act — exact templates and fields |
| EBA/GL/2017/10 | Superseded PSD2 STS incident reporting guidelines (no longer applies to DORA entities) |
| NIS2 Art.23-24 | Parallel reporting obligation for dual-scoped entities |
| GDPR Art.33 | Parallel DPA notification — not routed by Art.21 hub |
| DORA Art.22 | Supervisory feedback on incident reports (follow-up to Art.21 submission) |
| DORA Art.13 | Learning and evolving — final report feeds Art.13 ICT risk framework update |
10. See Also
- DORA Art.19: Major Incident Reporting 4h/72h/30-Day Timeline — Art.19 defines the reporting obligation; Art.20-21 define the format and routing
- DORA Art.17-18: ICT Incident Management Process and Classification — Art.18 classification triggers Art.19-21; read together for the full Chapter III chain
- EU Multi-Regulation Incident Reporting: NIS2 + GDPR + DORA — Cross-framework reporting when multiple regulations apply simultaneously
- NIS2 Art.23: Incident Notification Obligations — NIS2 parallel reporting obligations; Art.21 routing covers NIS2 for dual-scoped entities
- DORA Art.28-30: ICT Third-Party Risk and Contractual Provisions — Art.20 intermediate report requires third-party involvement flag; Art.30(4) contract must support this
- DORA Art.13: Learning and Evolving from ICT Incidents — Art.20 final report feeds Art.13 post-incident review and risk register update