DORA Incident Response Playbook
A practical playbook for managing ICT-related incidents in compliance with DORA Articles 17–23
The 4-hour initial notification clock does not care whether your incident response team is overwhelmed, whether legal has not signed off, or whether root cause is still unclear. It starts the moment you classify the incident as major, and it is backstopped by a hard cap of 24 hours from the moment you became aware of the incident, so slow classification does not buy time. Most entities that miss the deadline were not slow to respond; they were slow to classify.
Bottom Line
You need a tested, end-to-end incident response process that classifies fast, notifies the CA on time, and generates documentation to prove it. Improvising during a live incident is not an option — the CA notification channel, the classification rationale template, and the on-call escalation path must all be decided in advance.
What Auditors Will Actually Look For
- A documented incident management policy with roles, escalation paths, and the 4-hour clock explicitly addressed.
- Evidence that the Article 18 classification criteria are applied to every logged incident, not just the serious ones.
- Timestamps for every major incident: detection → classification → CA notification. Auditors calculate the gap.
- Completed initial, intermediate, and final reports for every major incident, submitted on time.
- CA notification channel confirmed and tested in advance — not "we'll figure it out when it happens."
- A tabletop exercise conducted in the last 12 months, with documented outcomes and follow-up actions.
- Post-incident review reports with action items tracked to closure.
Common Mistakes
- Classification delayed because the incident manager wanted certainty first. The reporting clock runs from the moment of classification and is capped at 24 hours from awareness, so waiting for proof only shortens the window.
- CA notification sent to the wrong address or channel because no one confirmed it in advance.
- Intermediate report missed because the team was in containment mode and forgot the 72-hour clock.
- Post-incident review never completed — the team moved on after recovery and the final report was never submitted.
Detection and Triage
Logging discipline at triage defines everything that follows.
- Any staff member, automated alert, or third-party notification can trigger an incident. All must feed the same logging system.
- Log every potential incident immediately — no verbal-only handling. The log is a regulatory artefact.
- Assign an initial severity level within 30 minutes of detection based on apparent business impact.
- Notify the on-call incident manager for P1/P2 events regardless of time.
- Preserve evidence from the outset — no system reboots or log wipes before forensic capture.
Staff reluctance to log apparent false alarms is a systemic risk. Establish the norm: log first, assess severity second.
Classification Against DORA Criteria
Classification must happen within the first hour. That is this playbook's internal target; the regulation itself allows no more than 24 hours from awareness before the initial notification is due, so the internal target has to sit well inside it. Apply all six Article 18 criteria, no shortcuts.
- Apply all six criteria: clients, financial counterparts and transactions affected (including reputational impact); duration and service downtime; geographic spread; data losses; critical services affected; economic impact.
- Apply the materiality thresholds of the RTS on classification. The major-incident test combines criteria (critical services affected together with further thresholds) rather than treating any single criterion as sufficient. Where the evidence needed to apply a threshold is not yet available, assume it is met, classify as major and start the 4-hour clock; the downgrade path below covers the case where later evidence shows otherwise.
- Document the rationale: which criteria were assessed, evidence considered, and decision reached.
- Downgrade is permitted if later assessment shows no major criteria were met — document the reclassification with evidence.
Escalation and War Room
Major incidents require structure — not an ad-hoc group chat.
- Activate the crisis team: CISO, CRO, Head of Operations, Legal/Compliance, Communications.
- Establish a dedicated incident channel — separate from normal operations traffic.
- Assign named roles: Incident Commander, Technical Lead, Regulatory Lead, Communications Lead.
- Internal situation reports every 1–2 hours until contained.
- Every decision and action logged in real time with a timestamp. This log is the evidence base for the CA reports and for the detection, classification and notification gaps that auditors will calculate.
Competent Authority Notification
This is a legal obligation. Confirm your CA's notification channel before any incident occurs.
| Report | Deadline | Key Content |
|---|---|---|
| Initial notification | 4 hours from classification as major, and no later than 24 hours from becoming aware of the incident | Incident description, classification rationale, affected services, immediate impact estimate |
| Intermediate report | 72 hours from submission of the initial notification | Updated impact, root cause (if known), containment status, revised estimates |
| Final report | 1 month from submission of the intermediate report (not from incident closure) | Full root cause analysis, timeline, total impact, remediation actions, lessons learned |
Some CAs have dedicated portals; others require structured email. Whichever channel applies, the report content follows the standard reporting templates laid down in the implementing technical standards under Article 20. Confirm the channel in writing before an incident, not during one.
Containment, Recovery, and Client Communication
Technical response and regulatory reporting run in parallel — not sequentially.
- Isolate affected systems to prevent lateral spread — balance containment against business continuity.
- Activate backup and failover where available. Engage third-party providers immediately if their systems are involved.
- Assess GDPR notification obligations in parallel. A personal data breach has its own 72-hour clock to the data protection supervisory authority under GDPR Article 33, measured from awareness and independent of the DORA reporting chain.
- Pre-draft client communication templates. Never write these during a live incident.
- Coordinate client messaging with CA notifications — contradictory statements compound the damage.
Post-Incident Review
The post-incident review is itself an obligation (Article 13(2) requires one after every major incident) and it feeds the final report. Schedule the review before the incident is closed.
- Conduct the review within 2 weeks of closure — while memory is fresh and evidence is intact.
- Identify root cause: technical failure, human error, process gap, third-party failure, or external attack.
- Document what worked and what failed. Produce an action plan with named owners and target dates.
- Present findings to the board — DORA requires management body oversight of incident outcomes.
- Update the ICT risk management framework (IRMF), classification policy, and BCP/DRP based on findings.
3-Step Action Checklist
- 1. This week: Confirm your CA notification channel in writing. Verify the contact details are current and that at least two people on your team have them accessible outside business hours.
- 2. This month: Run a tabletop exercise simulating a major ICT incident. Track classification time, CA notification time, and report drafting. Identify every gap before a real incident does.
- 3. This quarter: Audit your incident log for the past 12 months. For every logged incident, confirm the Article 18 criteria were assessed and documented. For every major incident, confirm all three CA reports were submitted on time: initial within 4 hours of classification and 24 hours of awareness, intermediate within 72 hours of the initial, final within 1 month of the intermediate.
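An added example (not part of the original playbook) of the audit step above and of the deadline chain in the notification table: it encodes the reporting deadlines as a small Python checker and runs it over a constructed incident log. The deadlines follow the table as given here; any weekend or bank-holiday relief is deliberately not modelled, the 1-hour classification target is this playbook's own target rather than a statutory one, and every incident record below is constructed for illustration.

```python
"""Added example: audit a constructed major-incident log against the DORA
reporting chain. Deadlines encoded (page's table; no weekend/holiday relief):
  initial notification : 4 h from classification, never later than 24 h from awareness
  intermediate report  : 72 h from submission of the initial notification
  final report         : 1 month from submission of the intermediate report
The 1-hour classification target is the playbook's own target, not a statutory one."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
CLASSIFICATION_TARGET = timedelta(hours=1)        # playbook's internal target
INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)
INITIAL_FROM_AWARENESS = timedelta(hours=24)      # hard cap regardless of classification time
INTERMEDIATE_FROM_INITIAL = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Same timestamp one calendar month later, clamped to the target month's last day."""
    year = ts.year + (1 if ts.month == 12 else 0)
    month = 1 if ts.month == 12 else ts.month + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class MajorIncident:
    ref: str
    aware_at: datetime                         # detection = moment of awareness
    classified_at: datetime                    # classified as major; starts the 4-hour clock
    initial_sent_at: Optional[datetime] = None
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None


def deadlines(inc: MajorIncident) -> dict:
    """Deadlines that can be computed from what has actually been submitted so far."""
    due = {"initial": min(inc.classified_at + INITIAL_FROM_CLASSIFICATION,
                          inc.aware_at + INITIAL_FROM_AWARENESS)}
    if inc.initial_sent_at is not None:
        due["intermediate"] = inc.initial_sent_at + INTERMEDIATE_FROM_INITIAL
    if inc.intermediate_sent_at is not None:
        due["final"] = add_one_month(inc.intermediate_sent_at)
    return due


def audit(inc: MajorIncident, now: datetime) -> list:
    """Return a list of findings; an empty list means the timeline is clean."""
    findings = []
    if inc.classified_at - inc.aware_at > CLASSIFICATION_TARGET:
        findings.append("classification exceeded 1h target")
    sent = {"initial": inc.initial_sent_at,
            "intermediate": inc.intermediate_sent_at,
            "final": inc.final_sent_at}
    for report, deadline in deadlines(inc).items():
        ts = sent[report]
        if ts is None:
            if now > deadline:
                findings.append(f"{report} report missing; was due {deadline:%Y-%m-%d %H:%M}Z")
        elif ts > deadline:
            findings.append(f"{report} report late by {ts - deadline}")
    return findings


def t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


# Constructed sample log (hypothetical incidents, not real data).
SAMPLE_LOG = [
    # Clean chain: classified 40 min after awareness, every report inside its deadline.
    MajorIncident("INC-1", t("2025-03-03 09:00"), t("2025-03-03 09:40"),
                  t("2025-03-03 12:30"), t("2025-03-05 18:00"), t("2025-04-01 10:00")),
    # Slow classification: the 4-hour clock alone would allow 13:00 on 11 March, but
    # the 24-hour cap from awareness makes the initial notification due at 09:00.
    MajorIncident("INC-2", t("2025-03-10 09:00"), t("2025-03-11 09:00"),
                  t("2025-03-11 12:00"), t("2025-03-14 11:00"), t("2025-04-14 09:00")),
    # Containment mode: the intermediate report was never submitted.
    MajorIncident("INC-3", t("2025-03-20 22:15"), t("2025-03-20 22:45"),
                  t("2025-03-21 01:30")),
]


def run_audit(log=SAMPLE_LOG, now=t("2025-05-01 00:00")) -> dict:
    return {inc.ref: audit(inc, now) for inc in log}


if __name__ == "__main__":
    for ref, findings in run_audit().items():
        print(ref, findings or "OK")
```

The cap from awareness is what catches INC-2: measured from classification alone its initial notification looks on time, which is exactly the blind spot a log audit that only records the classification timestamp would miss.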