Reporting Major ICT-related Incidents and Significant Cyber Threats under DORA
From 17 January 2025, financial entities subject to the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) are obliged to submit reports on major ICT-related incidents to the Central Bank, where the required criteria and thresholds have been met. In-scope financial entities may also submit reports on significant cyber threats. Information to support financial entities in the submission of these reports via the Central Bank Portal is provided below.
Key documents to support in-scope financial entities with the submission process include:
The major ICT-related incident reporting template and significant cyber threat reporting template are to be used by in-scope financial entities when submitting a major ICT-related incident report and a significant cyber threat report, respectively. These templates have been designed by the European Supervisory Authorities. Please note that minor updates may be made to these reporting templates in the coming months.
Further information on the reporting requirements is contained in the following documents:
- Commission Delegated Regulation (EU) 2024/1772 with regard to the regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- Commission Delegated Regulation (EU) 2025/301 with regard to the regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats
- Commission Implementing Regulation (EU) 2025/302 with regard to the implementing technical standards specifying the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat