DORA Incident Reporting 2026: Initial Notification, Intermediate Report and Final Report Timeline

Last reviewed: 27 April 2026

DORA incident reporting in 2026: the short answer

Under the Digital Operational Resilience Act (DORA), financial entities must report major ICT-related incidents to their relevant competent authority through three stages — an initial notification, an intermediate report, and a final report — under DORA Article 19, using the templates and procedures set by the Joint Technical Standards on major incident reporting.

In 2026, the practical timeline is:

Initial notification — within 4 hours after the incident is classified as major, and no later than 24 hours after the financial entity became aware of the incident.
Intermediate report — at the latest within 72 hours of the initial notification (with updates whenever status or handling changes materially, and after recovery of regular activities where relevant).
Final report — no later than one month from the latest intermediate report.

Major-incident classification follows Commission Delegated Regulation (EU) 2024/1772. Significant cyber threats may be reported to competent authorities on a voluntary basis under DORA Article 19. There is no mandatory cyber-threat reporting regime.

DORA incident reporting timeline at a glance

Report stage	Trigger	Deadline	Key content	Responsible party
Initial notification	Incident classified as major under EU 2024/1772	Within 4 h after classification, and no later than 24 h after awareness of the incident	Identification of the entity; type and nature of the incident; affected ICT services; preliminary classification; whether activation of business continuity / disaster recovery has begun	Financial entity to its relevant competent authority
Intermediate report	Material status change after initial notification	At the latest 72 h from initial notification; further updates as conditions change; after recovery of regular activities where relevant	Updated classification; root-cause hypotheses; impact on critical or important functions; affected clients and counterparties; remediation status	Financial entity
Final report	Root cause established and remediation closed	No later than 1 month from the latest intermediate report	Root cause; full impact; remediation actions; lessons learned; policy / control changes	Financial entity
Voluntary cyber-threat notification	Significant cyber threat (no major incident yet)	Voluntary, no fixed deadline	Threat description, indicators, potential impact	Financial entity (optional)

Who reports under DORA Article 19

Major ICT-related incident reporting under Article 19 is primarily an obligation of the financial entity to its relevant competent authority. The competent authority depends on the entity type and Member State (e.g. central banks, national financial-supervisory authorities). Submission channels and portal details may vary by competent authority.

ICT third-party service providers — including those designated as critical under the Lead Overseer regime — do not universally have direct reporting duties to competent authorities for individual financial-entity incidents. Their role in the incident-reporting chain is:

Contractual notification and assistance duties under DORA Article 30, so the financial entity can meet its own deadlines.
Reporting on behalf of the financial entity only where reporting has been outsourced under DORA Article 19(5), with the financial entity remaining responsible for the reporting obligation.
Cooperation with the financial entity's competent authority during incident handling.

Bottom line: the financial entity stays responsible. Vendor SLAs and Article 30 contracts must guarantee the upstream notification flow that makes 4 h / 24 h / 72 h / 1 month feasible.

What makes an ICT incident "major"?

Classification follows Commission Delegated Regulation (EU) 2024/1772, which translates DORA's high-level criteria into operational thresholds. The criteria the financial entity must assess include:

Critical services affected — services essential to the entity's operations, clients or the financial system.
Clients and financial counterparties affected — number reached and materiality.
Reputational impact — visibility, media coverage, complaints, regulator queries.
Duration and downtime of the disruption.
Geographical spread — Member States and jurisdictions impacted.
Data losses — confidentiality, integrity, availability of personal or financial data.
Economic impact — direct and indirect costs.
Recurring incidents — repeated patterns of similar incidents that aggregate into materiality.

Each criterion has thresholds; incidents meeting the relevant combinations are classified major and trigger the reporting cadence. Operationalise this as a decision matrix in the incident-management runbook, not as a judgement call at 03:00.

What changed for 2026

The big shift since DORA started applying on 17 January 2025 is that the standards are no longer "in development":

The Joint Regulatory and Implementing Technical Standards on classification, content, format, templates and submission timelines for major ICT-related incident reporting are adopted and in force. The EBA's DORA major incident reporting page hosts the published standards and templates.
Commission Delegated Regulation (EU) 2024/1772 sets the criteria for classifying major ICT-related incidents and significant cyber threats.
Competent authorities have begun first-cycle reviews: supervisors increasingly look at how reports are produced — not whether a policy exists, but whether the timeline can be hit when it matters.

The 2026 work is no longer "stand up the framework". It's drill the cadence and prove it under stress: incident-class decision logs, on-call ownership, escalation runbooks, and the artefacts each report stage produces.

How to operate the timeline in practice

Classification trigger. Wire the EU 2024/1772 criteria into the incident-management taxonomy. Capture the moment the incident is classified as major as a discrete timestamp — that timestamp starts the 4-hour clock.
Awareness timestamp. Track time-of-detection (or awareness) separately. The 24-hour ceiling on initial notification runs from this moment.
Initial notification template. Use the JC ITS template for major incident reporting. Fill identification, classification, affected services, and BCP activation status — even if the picture is partial. Submit through the channel designated by the relevant competent authority (channels may vary by authority and Member State).
Intermediate cadence. Default to 72 hours from initial notification. Send additional intermediate updates whenever status or handling changes materially. After recovery of regular activities, an intermediate report covering the recovery may be required where relevant.
Final report. Closes the loop within 1 month of the latest intermediate report — root cause, impact, remediation, lessons learned, control changes.
Outsourcing (Article 19(5)). If reporting is outsourced to a third party, the contractual arrangement must allow the financial entity to remain accountable and traceable in front of the regulator.
Voluntary cyber-threat notifications. Treat them as a stakeholder-management lever: useful when a cyber threat against the entity has wider sector relevance.
Significant cyber threat ≠ major incident. Don't conflate. The incident-management taxonomy must distinguish them clearly.

Common operational pitfalls

Mixing the 4 h and 24 h triggers. The 4 h clock starts at classification as major; the 24 h clock starts at awareness / detection. Both must be respected.
Treating intermediate reports as a single 72 h obligation. 72 h is the latest first intermediate; further updates apply when status changes materially.
Final report scoped only to root cause. It also covers full impact, remediation, lessons learned and control changes.
Voluntary cyber-threat treated as mandatory. It isn't.
Vendor incidents lost in translation. Article 30 contracts must guarantee the upstream notification timing that makes 4 h achievable.
Submission channel assumed identical across Member States. Channels and national portals may vary by competent authority — confirm the local mechanism.

FAQ

What is the DORA incident reporting deadline in 2026?

For major ICT-related incidents, the financial entity submits an initial notification within 4 hours of classification as major and no later than 24 hours after becoming aware of the incident; an intermediate report at the latest within 72 hours of the initial notification (plus further updates as status changes materially); and a final report within 1 month of the latest intermediate report.

The financial entity in scope of DORA Article 2 reports to its relevant competent authority under Article 19. Submission channels may vary by competent authority and Member State.

Do ICT third-party service providers report directly?

Not universally. ICT third-party providers — including those designated as critical under the Lead Overseer regime — must support the financial entity's reporting through contractual notification and assistance duties under Article 30. A provider may submit the report on behalf of a financial entity only where reporting has been outsourced under DORA Article 19(5), with the financial entity remaining responsible.

What makes an ICT incident "major"?

Classification follows Commission Delegated Regulation (EU) 2024/1772, with criteria covering critical services and transactions affected, clients and counterparties impacted, reputational impact, duration / downtime, geographical spread, data losses, economic impact and recurring incidents.

Are significant cyber threats mandatory to report?

No. Under DORA Article 19, notification of significant cyber threats is voluntary. Financial entities may notify competent authorities where they consider the threat materially relevant.

Have the templates and procedures been finalised?

Yes. The Joint Regulatory and Implementing Technical Standards on major incident reporting are adopted and in force; the EBA's DORA major incident reporting page hosts the published standards and templates. Submission channels may vary by competent authority.

Related reading