RTS on ICT Incident Classification
How to classify ICT incidents as "major" under DORA Article 18 and the Joint ESA RTS
Most financial entities discover their incident classification process is broken during a real incident — not before. DORA gives you no such luxury. The Joint ESA RTS on incident classification defines exactly when you must report, in what timeframe, and with what content. Get it wrong and the failure to report becomes a second, separate regulatory breach.
Bottom Line
You have 4 hours from classification to submit an initial notification. You have 72 hours for an intermediate report. You have 1 month for the final report. The clock does not start at detection — it starts at classification. That distinction means your classification decision must happen fast, be documented, and be defensible.
What Auditors Will Actually Look For
- A written incident classification policy with entity-specific materiality thresholds for all six criteria.
- Evidence that the six criteria are assessed for every logged ICT disruption — not just the obvious ones.
- Timestamps: detection time, classification time, and initial notification time. Auditors calculate the gap.
- Three-stage reports (initial, intermediate, final) that are complete and submitted on time for every major incident.
- A documented rationale for non-classification — why a borderline incident was assessed as not major.
- Voluntary notification records for significant cyber threats under Art. 23, even where no incident resulted.
Common Mistakes
- Starting the 4-hour clock from detection rather than classification — typically causing a breach on first use.
- Materiality thresholds copied from a template without calibration to actual client base size, revenue, or RTO.
- No documented rationale for non-classifications — leaving regulators free to second-guess your decisions.
- Final reports submitted late because post-incident review is deprioritised once normal operations resume.
The Six Classification Criteria
An incident is major if it meets one or more of the following. Assess all six for every disruption — even those that appear minor at first.
- 1. Clients affected — number directly impacted by the incident.
- 2. Duration — how long the service disruption lasted.
- 3. Geographic spread — impact across multiple EU Member States.
- 4. Data loss — any loss of availability, confidentiality, or integrity of data.
- 5. Reputational impact — significant negative media coverage or regulatory attention generated.
- 6. Economic impact — gross financial cost to the entity or clients, before insurance and recoveries.
Materiality Thresholds
Each criterion has indicative thresholds. You must define your own in policy — generic thresholds will not survive scrutiny.
| Criterion | Indicative Threshold |
|---|---|
| Clients affected | Significant proportion of total client base or critical service users |
| Duration | > 4 hours for high-impact services; > 20 hours for significant but non-critical services |
| Geographic spread | Impact in more than one EU Member State |
| Data loss | Any loss of integrity or confidentiality; availability loss exceeding RTO |
| Reputational impact | Material negative press; regulatory enquiry triggered |
| Economic impact | Gross losses exceeding your entity-defined materiality threshold |
Document how you set your thresholds. Auditors will ask. "We used the EBA guidance" is not a complete answer — it must be calibrated to your actual operations.
The Three-Stage Reporting Timeline
Once classified as major, the sequence is fixed. There is no extension mechanism — only non-compliance.
| Stage | Deadline | Required Content |
|---|---|---|
| Initial notification | Within 4 business hours of classification | Basic incident details, classification rationale, immediate impact assessment |
| Intermediate report | Within 72 hours of initial notification | Updated impact, root cause analysis (if available), containment measures taken |
| Final report | Within 1 month of incident closure | Full post-incident analysis, root cause, remediation actions, lessons learned |
Voluntary Reporting of Significant Cyber Threats
DORA also creates a voluntary notification channel for threats that did not cause an incident — but could have.
- Art. 23 allows entities to notify competent authorities of significant cyber threats proactively.
- No mandatory format or timeline, but early notification is viewed favourably by supervisors.
- Competent authorities may anonymise and share threat data across the sector — contributing to collective defence.
- Voluntary reporting does not replace mandatory incident reporting if the threat materialises into an actual incident.
3-Step Action Checklist
- 1. This week: Review your incident classification policy. Confirm it includes entity-specific materiality thresholds for all six criteria — not defaults from a template. If it does not, schedule an immediate update.
- 2. This month: Run a tabletop exercise using a realistic ICT disruption scenario. Track the classification decision, timestamp it, and draft a mock initial notification. Identify gaps before a real incident does.
- 3. This quarter: Audit your incident log for the past 12 months. For every logged disruption, confirm the six criteria were assessed and the rationale documented. Remediate any gaps before your supervisor asks.
Need a DORA gap assessment?
Use our free readiness tool to identify your compliance gaps across all five DORA pillars.