What is DORA (Digital Operational Resilience Act)?

DORA is an EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector. It became mandatory on January 17, 2025, and requires financial entities to manage ICT risks, report incidents, test resilience, and oversee third-party providers.

Who must comply with DORA?

DORA applies to virtually all EU-regulated financial entities including credit institutions (banks), investment firms, insurance companies, payment institutions, e-money institutions, crypto-asset service providers, and critical ICT third-party service providers. Over 22,000 entities are affected.

What is TLPT (Threat-Led Penetration Testing)?

TLPT is an advanced form of security testing aligned with the TIBER-EU framework. It simulates real-world cyber attacks based on threat intelligence to test an organization's detection and response capabilities. TLPT is mandatory for significant financial entities every 3 years under DORA.

Is TLPT mandatory for all financial entities?

No. TLPT is mandatory only for significant financial entities such as large banks, major insurers, and systemic investment firms. Smaller entities have simplified testing requirements, though regular vulnerability assessments are required for all entities under DORA.

What are the penalties for DORA non-compliance?

Penalties for DORA non-compliance vary by EU member state but can include fines up to 1% of average daily worldwide turnover, administrative penalties, public reprimands, and remediation orders from competent authorities.

What is the TIBER-EU framework?

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for threat-led penetration testing. It provides a structured methodology for conducting intelligence-led security tests on financial institutions, which DORA's TLPT requirements are based upon.

Guide5 min readUpdated February 2025

ICT Incident Classification Flowchart

Step-by-step decision guide for classifying ICT incidents under DORA Article 18 and the Joint ESA RTS

Classification errors are the most common incident management finding in DORA audits. Either entities don't classify fast enough (the clock has been running longer than they realise) or they skip criteria and miss a threshold they should have caught. Use this flowchart at the start of every incident triage — not after the situation has stabilised.

Bottom Line

Work through all six criteria for every incident. One criterion met = major incident = 4-hour CA notification clock running. Document your rationale for each criterion whether met or not. When in doubt, classify up — the cost of an unnecessary notification is far lower than the cost of a missed one.

What Auditors Will Actually Look For

Classification decisions documented for every logged ICT disruption — not just the serious ones.
Evidence that all six criteria were assessed — not just the ones that seemed relevant.
Timestamps: when the disruption started, when detected, and when classified.
Written rationale for non-classification decisions on borderline incidents.
Reclassification records where an incident initially assessed as non-major was later upgraded.

Common Mistakes

Starting the 4-hour clock from detection rather than classification — creating an apparent breach before the first notification is even drafted.
Assessing only criteria that seem obviously relevant — and missing a threshold on an overlooked one.
No documentation for incidents classified as non-major — leaving no audit trail for supervisory scrutiny.
Economic impact assessed net of insurance — the RTS requires gross figures.

Before You Start — Is This an ICT Incident?

Not every disruption is an ICT-related incident under DORA. Confirm the event meets the definition before applying the classification criteria.

An ICT-related incident is an unplanned event that compromises the security, availability, continuity, or integrity of ICT systems or data.
Includes: cyberattacks, ransomware, system outages, data corruption, third-party service failures, and insider incidents.
Excludes: planned maintenance windows, expected performance degradation within SLA tolerances, and non-ICT operational events.
If confirmed as an ICT incident: log it immediately and begin classification.

Step 1 — Duration

Is the disruption duration above threshold?

Service Type	Threshold	Result if Exceeded
High-impact / critical function	> 4 hours cumulative in a rolling 24-hour period	Potential major — continue to Step 2
Significant but non-critical function	> 20 hours in a rolling 7-day period	Potential major — continue to Step 2
Non-critical function	N/A	Not triggered by duration alone — continue to Step 2

Duration is measured from the start of the disruption, not from when it was detected. If detection was delayed, count from the earliest confirmed impact time.

Step 2 — Clients and Transactions Affected

Has the incident materially impacted clients or transaction volumes?

Count the number of clients unable to access services or affected by incorrect processing.
Assess the proportion of total active clients — a high absolute number on a small client base is more material.
For transaction-based entities: has the incident affected a material volume or value of transactions?
If a significant number of clients are affected → potential major. Continue to Step 3.
Define your own materiality thresholds in your classification policy — calibrate to your client base size.

Step 3 — Geographic Spread

Has the incident affected operations or clients in more than one EU Member State?

If yes → this criterion is met. Note it and continue to Step 4.
Geographic spread applies to the impact, not the origin of the incident.
A single technical failure that disrupts services in multiple jurisdictions meets this criterion.

Step 4 — Data Loss

Has the incident caused a loss of data availability, confidentiality, or integrity?

Availability loss: data or systems inaccessible beyond the defined RTO.
Confidentiality loss: unauthorised access to or exfiltration of sensitive or personal data.
Integrity loss: data modified, corrupted, or deleted without authorisation.
Any confirmed data loss → criterion met. Note it and continue to Step 5.
If a data breach is confirmed, GDPR notification obligations may also apply — assess in parallel.

Step 5 — Reputational Impact

Has the incident generated or is it likely to generate significant reputational damage?

Indicators: media coverage, social media volume, client complaints above normal baseline, regulatory enquiries.
Assess both actual impact (what has happened) and likely impact (what is probable if the incident continues).
Reputational impact is inherently judgmental — document your assessment and rationale.
If material negative reputational impact is probable → criterion met. Continue to Step 6.

Step 6 — Economic / Financial Impact

Does the incident's financial cost exceed your internal materiality threshold?

Calculate gross financial impact: direct losses, remediation costs, client compensation, and lost revenue.
Do not net off insurance recoveries for the classification assessment — use gross figures.
Compare against your internally defined financial materiality threshold (set in your classification policy).
If gross impact exceeds threshold → criterion met.

Classification Output

After working through all six steps, apply the following output logic.

Criteria Met	Classification	Action Required
One or more criteria met	MAJOR incident	Notify CA within 4 business hours. Activate incident response playbook.
No criteria met, but incident is material	SIGNIFICANT incident	Log and monitor. Escalate internally. No mandatory CA notification.
No criteria met, minor impact	MINOR incident	Log and resolve. Include in periodic ICT risk reporting.

When in doubt, classify up. The cost of an unnecessary notification is low; the cost of failing to notify a major incident is a regulatory breach.

3-Step Action Checklist

1. This week: Confirm this flowchart (or equivalent) is embedded in your incident management tool or playbook — accessible to the on-call incident manager at 2am without needing to search for it.
2. This month: Run a classification drill using a realistic borderline scenario (e.g. a 3.5-hour outage of a critical payment system). Time the classification decision and document the rationale. Identify process gaps.
3. This quarter: Audit the last 10 logged ICT disruptions. For each, confirm all six criteria were assessed and documented. For any classified as non-major, verify the rationale would withstand supervisory scrutiny.

Related Resources

ReferenceRTS on ICT Incident Classification

GuideDORA Incident Response Playbook

GuideDORA Article-by-Article Summary

Need a DORA gap assessment?

Use our free readiness tool to identify your compliance gaps across all five DORA pillars.

Start Free Assessment Talk to a Specialist