DORA Art.19 Major ICT Incident Reporting: 4-Hour, 24-Hour, and 5-Day Timelines — Developer Implementation Guide
The EU Digital Operational Resilience Act (DORA, Regulation 2022/2554) has applied since 17 January 2025 across the EU financial sector. For the approximately 22,000 financial entities in scope — banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party service providers — Article 19 imposes one of the most demanding incident reporting regimes in financial regulation.
If your organisation suffers a major ICT incident, three consecutive clocks start immediately:
- 4 hours: Initial notification to competent authority (or as soon as practicable after classification, max 4h after becoming aware)
- 24 hours: Intermediate report with updated assessment
- 5 business days: Final report with root-cause analysis and remediation measures
These are not aspirational targets. Failure to report on time is a supervisory breach. The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) can impose administrative sanctions. For significant institutions, fines and public reprimand mechanisms apply under DORA Art.50.
This guide covers exactly what triggers Art.19 reporting, what each submission must contain, how to build the engineering infrastructure to survive a major incident while simultaneously filing, and what hosting choices reduce your jurisdictional exposure.
1. Who Is Subject to DORA Art.19
DORA Art.2(1) defines the scope. Financial entities covered include:
Core financial entities:
- Credit institutions (banks)
- Payment institutions and e-money institutions
- Investment firms (MiFID II)
- Insurance and reinsurance undertakings (Solvency II)
- Insurance intermediaries
- Crypto-asset service providers (MiCA)
- Central counterparties (CCPs) and central securities depositories (CSDs)
- Trading venues (regulated markets, MTFs, OTFs)
- Credit rating agencies
Infrastructure and services:
- Trade repositories
- Managers of alternative investment funds (AIFMs)
- UCITS management companies
- Crowdfunding service providers
- Data reporting service providers
- Critical ICT third-party service providers (CITPs) — designated under DORA Art.31
Exemptions (Art.2(3)–(4)): Microenterprises (< 10 employees and < €2M turnover) are exempt from some requirements including Art.19. However, they remain subject to the general ICT risk management framework (Art.5–16).
Even if you are a technology vendor not directly subject to DORA, your financial sector customers may contractually require you to support their Art.19 reporting obligations under DORA Art.30 (ICT third-party contracts).
2. What Is a "Major ICT Incident" (Art.18)
DORA Art.18 requires financial entities to classify ICT incidents before triggering Art.19 reporting. The classification determines whether you have a major incident (reportable) or a minor incident (internal logging only).
2.1 Classification Criteria (Art.18(1))
Financial entities must assess ICT incidents against the following criteria to determine if they are "major":
(a) Number of clients, financial counterparts affected (b) Duration of the ICT incident and service downtime (c) Geographic spread — number of Member States affected (d) Data losses (including availability, authenticity, integrity, and confidentiality of data) (e) Criticality of the services affected (f) Economic impact — direct and indirect costs
2.2 Joint Technical Standards (RTS under Art.18(3))
The Joint Committee of EBA, ESMA, and EIOPA published the final Joint Regulatory Technical Standards (JTS) on incident classification in 2024. The RTS provides quantitative thresholds that, if met, result in automatic major classification:
| Criterion | Threshold for Major Classification |
|---|---|
| Clients affected | >10% of total clients OR >10,000 clients affected |
| Duration | Transaction services down >30 min OR other services down >2 hours |
| Data affected | Any loss of data integrity or confidentiality affecting >10,000 records |
| Geographic spread | Incident affects operations in >2 EU Member States |
| Financial impact | Direct costs >€100,000 for the entity |
| Reputational impact | Publicly known or media-covered incident |
Critical caveat: Even if no single threshold is met, a combination of factors may still require major classification at the entity's judgment. Art.18(1) uses "taking into account" language — thresholds are guidance, not a complete safe harbour.
2.3 Significant Cyber Threat (Art.19(4))
DORA Art.19(4) also creates a voluntary notification pathway for significant cyber threats — threats that could cause a major ICT incident but have been contained before impact. This is distinct from Art.19(1) mandatory reporting.
3. The Art.19 Three-Stage Reporting Timeline
Once an incident is classified as major, Art.19(1) starts the three-stage mandatory reporting sequence.
Stage 1: Initial Notification — 4 Hours
Deadline: As soon as practicable, and no later than 4 hours after classification as a major incident (or 4 hours after the entity becomes aware it may be major).
Content required (Art.19(3)(a)):
- Identity of the financial entity
- Date and time of incident awareness
- Nature and initial description of the incident
- Services affected
- Whether the incident has been escalated for internal crisis management
- Whether the incident may have a cross-border impact
Key practical issue: The 4-hour clock runs from awareness and classification, not from the start of the incident. This creates a classification urgency: your on-call team must classify (major vs. minor) rapidly. Delaying classification to avoid the reporting clock is not compliant — DORA Art.18(1) requires classification to occur "without undue delay."
Who receives the report:
- Banks: Competent authority under CRR/CRD (national banking supervisor — e.g., BaFin, DNB, ACPR)
- Investment firms: MiFID II NCA (e.g., BaFin, AFM, AMF)
- Insurers: Solvency II supervisor (national insurance regulator)
- In addition: The EBA/ESMA/EIOPA single contact points receive a copy for cross-sectoral monitoring
Format: The JTS under Art.20 specify standardised templates. Most EU NCAs have implemented the EBA reporting templates. Your compliance team should pre-register on the relevant NCA's reporting portal before an incident occurs.
Stage 2: Intermediate Report — 24 Hours
Deadline: No later than 24 hours after the initial notification (i.e., approximately 28 hours from classification for entities that submitted the initial notification on time).
Content required (Art.19(3)(b)):
- Updated incident description including root cause hypothesis
- Impact assessment — confirmed affected services, clients, data
- Containment and mitigation measures taken
- Operational status (ongoing vs. contained)
- Whether law enforcement has been notified
- Updated cross-border impact assessment
Key practical issue: 24 hours is a very tight window for meaningful root-cause work. In practice, the intermediate report often still contains hypotheses rather than confirmed root causes. DORA regulators acknowledge this — the standard is updated best estimate, not certainty.
Revision of initial report: If the initial notification contained errors or was based on incomplete information, Art.19(3)(b) allows correction in the intermediate report. There is no penalty for updating earlier assessments when more information becomes available — but intentional misrepresentation is a different matter.
Stage 3: Final Report — 5 Business Days
Deadline: No later than 5 business days after the incident is closed (or 5 business days after the entity considers the incident sufficiently understood if it is ongoing). Note: business days, not calendar days.
Content required (Art.19(3)(c)):
- Full root-cause analysis
- Complete impact assessment (financial, operational, reputational)
- Remediation measures implemented and planned
- Lessons learned and process improvements
- Whether the incident affected the safety, soundness, or financial stability of the entity
- Whether the incident has been reported to other authorities (GDPR supervisory authority, law enforcement, other sector regulators)
Ongoing incidents: If the incident is still not resolved after 5 business days, the financial entity files an interim final report by the deadline and supplements it with a supplementary final report once the incident is fully closed.
4. DORA Art.19 vs NIS2 Art.23 vs GDPR Art.33 — Dual and Triple Reporting
Financial entities that are also NIS2 essential or important entities (most large banks, cloud-connected payment processors, digital infrastructure providers) and data controllers may face simultaneous reporting obligations to different authorities under three different regulations.
Comparison Table
| Dimension | DORA Art.19 | NIS2 Art.23 | GDPR Art.33 |
|---|---|---|---|
| Regulation | Regulation 2022/2554 | Directive 2022/2555 | Regulation 2016/679 |
| Scope | ~22,000 financial entities | ~160,000 critical infrastructure entities | All data controllers processing EU personal data |
| Trigger | Major ICT incident (Art.18 classification) | Significant cybersecurity incident | Personal data breach |
| Stage 1 deadline | 4 hours after classification | 24 hours (early warning) | 72 hours after awareness |
| Stage 2 deadline | 24 hours | 72 hours (incident notification) | — |
| Stage 3 deadline | 5 business days | 1 month | — |
| Recipient | Sectoral NCA (EBA/ESMA/EIOPA) | National competent authority (NIS2) | Data protection authority (DPA) |
| Fine regime | DORA Art.50 sanctions | Up to €10M/2% (EE) | Up to €20M/4% |
4.1 Coordination Mechanisms
DORA Art.19(6) explicitly requires that when an incident triggers both DORA Art.19 and NIS2 Art.23 obligations, the financial entity "shall, without undue delay, notify the competent authority designated under NIS2 and, where applicable, other competent authorities." This creates a mandatory cross-notification duty — you cannot fulfil one and ignore the other.
Practical approach: File DORA Art.19 initial notification first (stricter 4h deadline), then immediately notify the NIS2 NCA. Use the NIS2 early warning (which allows "incomplete" information) to satisfy the 24h NIS2 deadline without duplicating the full DORA intermediate report.
4.2 GDPR Art.33 and Personal Data Breaches
If the major ICT incident involves a personal data breach (most ransomware, exfiltration incidents), GDPR Art.33 adds a 72-hour DPA notification. The 72-hour GDPR clock runs independently from both DORA and NIS2 clocks.
Conflict: In a serious incident, you may need to file:
- DORA initial notification (4h from classification)
- DORA intermediate report (24h)
- NIS2 early warning (24h from awareness)
- GDPR DPA notification (72h from awareness)
- NIS2 incident notification (72h from awareness)
This is 5 regulatory submissions across 3 regulators within 72 hours of awareness. Engineering your incident response process before the incident is not optional — it is survivable only with automation.
5. CLOUD Act Jurisdiction Risk
For financial entities using US-based cloud providers (AWS, Azure, GCP), DORA Art.19 creates a material CLOUD Act exposure that is rarely discussed.
5.1 The Problem
Major ICT incidents almost always involve forensic data: log files, database snapshots, configuration records, network flow data. This data is generated during the incident and is needed for the Art.19 reports. If this forensic data is stored on US cloud infrastructure, it is subject to US CLOUD Act warrants:
18 U.S.C. § 2713 — "A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
Under 18 U.S.C. § 2703, US law enforcement can obtain forensic data stored on US-cloud infrastructure without notifying the data subject or the EU data controller — potentially including the incident data you are simultaneously required to report to EU regulators under DORA Art.19.
5.2 Regulatory Implication
DORA Art.28(7) requires that ICT contracts with third-party providers include provisions ensuring "the financial entity can exercise its rights of termination" and "access to its data" without impediment. A CLOUD Act warrant served on your US cloud provider can impede your access to forensic data during a live incident.
Sovereign mitigation: EU-native cloud infrastructure (Frankfurt, Amsterdam, Paris data centres operated by EU-headquartered providers with no US parent) eliminates CLOUD Act jurisdiction over incident data. This is not merely a GDPR argument — for DORA Art.19 compliance under time pressure, data sovereignty is an operational resilience feature.
6. Python Implementation: DORARIncidentReporter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional
import json
class IncidentStage(Enum):
INITIAL = "initial_notification" # Stage 1: 4 hours
INTERMEDIATE = "intermediate_report" # Stage 2: 24 hours
FINAL = "final_report" # Stage 3: 5 business days
class IncidentStatus(Enum):
DETECTED = "detected"
CLASSIFIED = "classified_major"
ONGOING = "ongoing"
CONTAINED = "contained"
RESOLVED = "resolved"
@dataclass
class ICTIncidentClassification:
"""
DORA Art.18 classification assessment.
All criteria evaluated; major=True if any threshold exceeded.
"""
# Quantitative thresholds (from JTS under Art.18(3))
clients_affected: int = 0
total_clients: int = 1
service_downtime_minutes: int = 0
is_transaction_service: bool = False
data_records_affected: int = 0
data_integrity_compromised: bool = False
member_states_affected: int = 1
direct_financial_cost_eur: float = 0.0
publicly_known: bool = False
def is_major(self) -> bool:
"""
Returns True if any DORA Art.18 major incident threshold is met.
"""
client_pct = (
(self.clients_affected / self.total_clients) * 100
if self.total_clients > 0 else 0
)
if client_pct >= 10 or self.clients_affected >= 10_000:
return True
if self.is_transaction_service and self.service_downtime_minutes >= 30:
return True
if not self.is_transaction_service and self.service_downtime_minutes >= 120:
return True
if self.data_integrity_compromised and self.data_records_affected >= 10_000:
return True
if self.data_records_affected >= 10_000: # confidentiality breach
return True
if self.member_states_affected >= 2:
return True
if self.direct_financial_cost_eur >= 100_000:
return True
if self.publicly_known:
return True
return False
def classification_rationale(self) -> list[str]:
reasons = []
client_pct = (self.clients_affected / self.total_clients * 100
if self.total_clients > 0 else 0)
if client_pct >= 10:
reasons.append(f"Clients affected: {client_pct:.1f}% >= 10% threshold")
if self.clients_affected >= 10_000:
reasons.append(f"Clients affected: {self.clients_affected:,} >= 10,000 threshold")
threshold = 30 if self.is_transaction_service else 120
if self.service_downtime_minutes >= threshold:
reasons.append(
f"Downtime: {self.service_downtime_minutes}min >= {threshold}min threshold "
f"({'transaction' if self.is_transaction_service else 'non-transaction'} service)"
)
if self.data_integrity_compromised or self.data_records_affected >= 10_000:
reasons.append(f"Data affected: {self.data_records_affected:,} records")
if self.member_states_affected >= 2:
reasons.append(f"Cross-border: {self.member_states_affected} Member States")
if self.direct_financial_cost_eur >= 100_000:
reasons.append(f"Financial impact: €{self.direct_financial_cost_eur:,.0f}")
if self.publicly_known:
reasons.append("Publicly known / media coverage")
return reasons
@dataclass
class DORAIncidentReport:
"""
DORA Art.19 incident report — all three stages.
"""
entity_name: str
entity_lei: str # Legal Entity Identifier (ISO 17442)
competent_authority: str # e.g., "BaFin", "DNB", "ACPR", "BdE"
incident_reference: str
# Timing
incident_first_detected: datetime
incident_classified_major: Optional[datetime] = None
# Classification
classification: Optional[ICTIncidentClassification] = None
# Stage content
initial_notification: Optional[dict] = None
intermediate_report: Optional[dict] = None
final_report: Optional[dict] = None
# Cross-reporting flags
nis2_notified: bool = False
gdpr_dpa_notified: bool = False
law_enforcement_notified: bool = False
# Status
status: IncidentStatus = IncidentStatus.DETECTED
def deadline_initial(self) -> Optional[datetime]:
if self.incident_classified_major is None:
return None
return self.incident_classified_major + timedelta(hours=4)
def deadline_intermediate(self) -> Optional[datetime]:
if self.incident_classified_major is None:
return None
# 24h from initial notification, which should be within 4h of classification
# Conservatively: 24h from classification + 4h buffer = 28h from classification
# Per Art.19: 24h from initial notification
# We use 28h from classification as safe upper bound
return self.incident_classified_major + timedelta(hours=28)
def deadline_final_business_days(self, n_business_days: int = 5) -> Optional[datetime]:
"""5 business days from incident closure (not from classification)."""
if self.status not in [IncidentStatus.RESOLVED, IncidentStatus.CONTAINED]:
return None # Final report not yet due
# Simplified: skip weekends
closure_date = datetime.now()
count = 0
while count < n_business_days:
closure_date += timedelta(days=1)
if closure_date.weekday() < 5: # Mon-Fri
count += 1
return closure_date
def minutes_to_initial_deadline(self) -> Optional[float]:
if self.deadline_initial() is None:
return None
delta = self.deadline_initial() - datetime.now()
return delta.total_seconds() / 60
def time_remaining_summary(self) -> dict:
return {
"stage": "initial_notification",
"deadline": self.deadline_initial().isoformat() if self.deadline_initial() else None,
"minutes_remaining": self.minutes_to_initial_deadline(),
"is_overdue": (
self.minutes_to_initial_deadline() is not None
and self.minutes_to_initial_deadline() < 0
and self.initial_notification is None
),
}
def compliance_checklist(self) -> dict:
return {
"initial_filed": self.initial_notification is not None,
"initial_on_time": (
self.initial_notification is not None
and self.minutes_to_initial_deadline() is not None
and self.minutes_to_initial_deadline() >= 0
),
"intermediate_filed": self.intermediate_report is not None,
"final_filed": self.final_report is not None,
"nis2_cross_notified": self.nis2_notified,
"gdpr_dpa_cross_notified": self.gdpr_dpa_notified,
}
class DORAIncidentReporter:
"""
DORA Art.19 incident reporter — manages full three-stage reporting lifecycle.
"""
def __init__(self, entity_name: str, entity_lei: str, competent_authority: str):
self.entity_name = entity_name
self.entity_lei = entity_lei
self.competent_authority = competent_authority
self.incidents: dict[str, DORAIncidentReport] = {}
def detect_and_classify(
self,
incident_reference: str,
detected_at: datetime,
classification: ICTIncidentClassification,
) -> DORAIncidentReport:
"""
Register an ICT incident and classify it. Returns the report object.
Major incidents will have Art.19 deadlines set immediately.
"""
incident = DORAIncidentReport(
entity_name=self.entity_name,
entity_lei=self.entity_lei,
competent_authority=self.competent_authority,
incident_reference=incident_reference,
incident_first_detected=detected_at,
classification=classification,
)
if classification.is_major():
incident.incident_classified_major = datetime.now()
incident.status = IncidentStatus.CLASSIFIED
print(
f"[DORA ART.19] MAJOR INCIDENT CLASSIFIED: {incident_reference}\n"
f" Rationale: {classification.classification_rationale()}\n"
f" Initial notification deadline: {incident.deadline_initial()}\n"
f" *** FILE WITHIN {incident.minutes_to_initial_deadline():.0f} MINUTES ***"
)
self.incidents[incident_reference] = incident
return incident
def file_initial_notification(
self,
incident_reference: str,
description: str,
services_affected: list[str],
cross_border_impact: bool = False,
) -> dict:
incident = self.incidents[incident_reference]
payload = {
"stage": IncidentStage.INITIAL.value,
"entity_name": incident.entity_name,
"entity_lei": incident.entity_lei,
"incident_reference": incident_reference,
"filed_at": datetime.now().isoformat(),
"incident_detected_at": incident.incident_first_detected.isoformat(),
"incident_classified_at": (
incident.incident_classified_major.isoformat()
if incident.incident_classified_major else None
),
"description": description,
"services_affected": services_affected,
"cross_border_impact": cross_border_impact,
"status": incident.status.value,
"regulation": "DORA Art.19(1) Regulation 2022/2554",
"recipient": incident.competent_authority,
}
incident.initial_notification = payload
minutes_used = (
(datetime.now() - incident.incident_classified_major).total_seconds() / 60
if incident.incident_classified_major else None
)
if minutes_used and minutes_used > 240:
print(
f"[DORA ART.19 WARNING] Initial notification filed {minutes_used:.0f} minutes "
f"after classification — EXCEEDS 4-hour deadline!"
)
return payload
def file_intermediate_report(
self,
incident_reference: str,
root_cause_hypothesis: str,
impact_assessment: dict,
mitigation_measures: list[str],
status: IncidentStatus,
) -> dict:
incident = self.incidents[incident_reference]
incident.status = status
payload = {
"stage": IncidentStage.INTERMEDIATE.value,
"incident_reference": incident_reference,
"filed_at": datetime.now().isoformat(),
"root_cause_hypothesis": root_cause_hypothesis,
"impact_assessment": impact_assessment,
"mitigation_measures": mitigation_measures,
"current_status": status.value,
"law_enforcement_notified": incident.law_enforcement_notified,
"nis2_notified": incident.nis2_notified,
"gdpr_dpa_notified": incident.gdpr_dpa_notified,
}
incident.intermediate_report = payload
return payload
def file_final_report(
self,
incident_reference: str,
root_cause_confirmed: str,
full_impact: dict,
remediation_completed: list[str],
remediation_planned: list[str],
lessons_learned: list[str],
) -> dict:
incident = self.incidents[incident_reference]
incident.status = IncidentStatus.RESOLVED
payload = {
"stage": IncidentStage.FINAL.value,
"incident_reference": incident_reference,
"filed_at": datetime.now().isoformat(),
"root_cause_confirmed": root_cause_confirmed,
"full_impact": full_impact,
"remediation_completed": remediation_completed,
"remediation_planned": remediation_planned,
"lessons_learned": lessons_learned,
"cross_reports": {
"nis2_notified": incident.nis2_notified,
"gdpr_dpa_notified": incident.gdpr_dpa_notified,
"law_enforcement_notified": incident.law_enforcement_notified,
},
}
incident.final_report = payload
return payload
def get_compliance_status(self, incident_reference: str) -> dict:
incident = self.incidents.get(incident_reference)
if not incident:
return {"error": "Incident not found"}
return {
"incident_reference": incident_reference,
"is_major": incident.classification.is_major() if incident.classification else None,
"checklist": incident.compliance_checklist(),
"time_remaining": incident.time_remaining_summary(),
"classification_rationale": (
incident.classification.classification_rationale()
if incident.classification else []
),
}
7. 25-Item DORA Art.19 Compliance Checklist
Use this checklist before a major ICT incident. Preparation is the only way to meet Art.19 timelines.
Part 1: Pre-Incident Preparation (Items 1–7)
- 1. NCA reporting portal account created; entity registered under DORA (banks: SSM/national NCA; insurers: EIOPA NCA; investment firms: MiFID NCA)
- 2. EBA/ESMA/EIOPA standardised incident reporting templates downloaded and pre-filled with static entity information (LEI, contact details, supervision category)
- 3. Internal incident classification runbook documented: who classifies, how fast, using which Art.18 criteria and JTS thresholds
- 4. Incident response team roles defined: who drafts DORA report, who approves, who submits (authority chain with 24/7 availability)
- 5. NIS2 NCA and GDPR DPA contact details and portal access confirmed (for cross-notification under Art.19(6))
- 6. Legal Entity Identifier (LEI) verified and current (required on all DORA reports; LEI renewal is annual)
- 7. Escalation matrix documented: CISO → CTO → CEO → Board; who can approve emergency submissions at 3am
Part 2: Incident Detection and Classification (Items 8–12)
- 8. Security monitoring generates structured alert with: timestamp, affected systems, estimated users/clients impacted
- 9. On-call runbook includes Art.18 classification decision tree (major vs. minor) executable in < 30 minutes from alert
- 10. Classification timestamp recorded precisely — this starts the 4-hour Art.19 clock
- 11. Classification decision documented with rationale (which JTS thresholds triggered)
- 12. If classification unclear: escalate to senior compliance officer within 15 minutes; default to major if uncertain
Part 3: Initial Notification — 4 Hours (Items 13–17)
- 13. Initial notification draft can be completed in < 2 hours from classification (to allow 2-hour buffer before deadline)
- 14. Notification includes: entity identification, incident reference number, detection time, classification time, initial description, services affected
- 15. Cross-border impact assessed at initial notification stage (affects additional NCAs to notify)
- 16. Submission confirmed (portal acknowledgment receipt or email confirmation logged)
- 17. NIS2 NCA contacted via early warning pathway if entity is also NIS2-scoped (DORA Art.19(6))
Part 4: Intermediate Report — 24 Hours (Items 18–21)
- 18. Root cause hypothesis developed using available forensic evidence (hypothesis, not proven fact, is acceptable)
- 19. Impact assessment completed: confirmed client count, data affected, geographic scope, estimated financial impact
- 20. Mitigation measures documented: what was done, what is ongoing, what is planned
- 21. GDPR Art.33 assessment completed: if personal data involved, DPA notification filed or justified why 72h clock not yet expired
Part 5: Final Report — 5 Business Days (Items 22–25)
- 22. Root cause confirmed with forensic evidence (not just hypothesis)
- 23. Full impact assessment: final client count, data classification and scope, total downtime, financial quantification
- 24. Remediation plan documented: completed items with timestamps, planned items with owners and target dates
- 25. Cross-report audit: confirm DORA Art.19, NIS2 Art.23, and GDPR Art.33 submissions are mutually consistent (no contradictions in impact assessment or timeline)
8. Common Mistakes in DORA Art.19 Compliance
Mistake 1: Treating Classification as Optional
Some entities delay classification to "gather more information." DORA Art.18(1) requires classification "without undue delay." ENISA and the ESAs interpret this as: if you have reasonable grounds to believe an incident may be major, you classify and notify — you do not wait for certainty. The intermediate and final reports are the mechanisms for updating incomplete initial information.
Mistake 2: Confusing the 4-Hour Clock Start
The 4-hour clock starts from classification as major, not from incident detection. However, intentionally delaying classification does not restart the clock — if an NCA can demonstrate that an entity had sufficient information to classify earlier, the effective clock start will be the earlier time.
Mistake 3: Missing the Cross-Notification Obligation
DORA Art.19(6) is mandatory, not optional. If you are also NIS2-scoped (most large banks and digital infrastructure providers are), you must notify the NIS2 NCA. Failure to cross-notify is a separate breach from DORA non-compliance.
Mistake 4: Filing from Forensic Infrastructure Stored in the Cloud
During a major ICT incident, your forensic data (logs, snapshots, network flows) is also your evidence for the Art.19 reports. If this data is on US cloud infrastructure, a US CLOUD Act warrant can create a legal impediment to your access — precisely when you need it most. EU-native infrastructure eliminates this jurisdictional conflict.
Mistake 5: 5 Business Days from Classification, Not from Resolution
DORA Art.19(1)(c) specifies that the final report is due 5 business days from "closing of the incident or achieving a stable final situation." This is not 5 business days from the classification or from the initial notification. Entities that resolve incidents quickly sometimes file the final report too early; entities with long-running incidents sometimes miscalculate the resolution date.
9. DORA Art.19 and EU-Native Infrastructure
Financial entities choosing EU-native cloud infrastructure (data centres in Germany, France, Netherlands, Ireland operated by EU-incorporated providers without US parent companies) gain several DORA-specific advantages:
1. CLOUD Act-free forensic data: Incident logs, database snapshots, and network forensics stored on EU-native infrastructure are not compellable under 18 U.S.C. § 2713. You can access and report your incident data without US jurisdictional interference.
2. DORA Art.28(7) contract compliance: EU-native providers can more readily offer contractual assurances that data access is not subject to non-EU legal orders — a requirement the ESAs expect to see in DORA-compliant ICT third-party contracts.
3. Reduced Art.30 risk for financial ICT vendors: Technology vendors supplying financial entities under DORA Art.30 contracts are increasingly asked to demonstrate that their infrastructure does not expose client incident data to third-country legal orders. EU-native infrastructure is the straightforward answer to this audit question.
4. Joint NIS2/DORA compliance: Large banks and digital infrastructure operators subject to both DORA and NIS2 face dual reporting to different NCAs. Both regulatory frameworks benefit from consistent, EU-resident audit trails — one infrastructure solution satisfying both regulatory architectures.
Related Posts
- DORA ICT Risk Management: Formal Verification for Financial Systems — DORA Art.5–16 full ICT risk framework
- EU AI Act + DORA Dual Compliance for Financial Sector AI — AI systems in financial services
- NIS2 Art.23 Incident Reporting: 24h/72h/1-Month Timelines — NIS2 incident reporting for comparison
- NIS2 Essential Entity vs Important Entity Classification — NIS2 entity classification
- NIS2 + GDPR Dual Reporting: Simultaneous Incident Notification — When personal data is involved, DORA Art.19 entities face a third parallel obligation alongside NIS2 and GDPR