EU DORA Major ICT-Related Incident Report
Detects DORA Article 19 major ICT-related incident reports — the initial notification, intermediate report, and final report submitted to the competent authority under Delegated Regulation (EU) 2025/301 and Implementing Regulation (EU) 2025/302 — and voluntary notifications of significant cyber threats. These reports detail live vulnerabilities, affected services, and root causes; premature disclosure aids attackers and can move markets.
- Type
- keyword_proximity
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: honest topic matcher. 'Major ICT-related incident' and 'significant cyber threat' are DORA Article 19 terms of art rarely used outside the regulation's orbit, and the 85 tier additionally requires reporting-stage vocabulary (initial notification, intermediate report, final report, incident reference code, root cause analysis). News coverage and consultancy explainers about DORA incident reporting share this vocabulary and are suppressed only by noise exclusions.
- Jurisdictions
- eu
- Regulations
- Regulation (EU) 2022/2554 (DORA), Delegated Regulation (EU) 2025/301, Implementing Regulation (EU) 2025/302
- Frameworks
- ISO 27001
- Data categories
- financial, security, governance
- Scope
- wide
- Risk rating
- 8
Pattern
(?i)\b(?:major\s+ICT[\s-]related\s+incident|significant\s+cyber\s+threat)\b
Corroborative evidence keywords
major ICT-related incident, significant cyber threat, initial notification, intermediate report, final report, root cause analysis, incident reference code, competent authority, Regulation (EU) 2022/2554, DORA, classified as major, financial entity, services affected, board, committee, governance, compliance, fiduciary, oversight, charter (+8 more)
Proximity: 300 characters
Should match
MAJOR ICT-RELATED INCIDENT — INITIAL NOTIFICATION Submitted under Article 19(4) of Regulation (EU) 2022/2554 to the competent authority. Incident reference code: INC-2026-0042. Incident classified as major on 07/07/2026 at 14:20 CET. Services affected: retail payment processing and mobile banking authentication. Preliminary impact: 96,000 clients unable to authorise SEPA transfers.— Initial notification header with incident reference code and impactIntermediate report — major ICT-related incident INC-2026-0042, submission 2 of 3. Status: containment achieved 08/07/2026 03:10 CET; recovery of the payment gateway is in progress. Root cause analysis ongoing; preliminary indication points to a failed certificate rotation on the HSM cluster. Next update to the competent authority upon material change of status.— Intermediate report with status update and provisional root causeFinal report on major ICT-related incident INC-2026-0042, submitted in accordance with Delegated Regulation (EU) 2025/301. Root cause analysis completed: misconfigured failover between primary and secondary data centres. Actual impact figures replace the estimates in the initial notification: direct costs EUR 1.9m, 4h07m downtime of a critical or important function.— Final report with completed root cause analysis and actual impact figuresVoluntary notification of a significant cyber threat under Article 19(2) of Regulation (EU) 2022/2554: credential-stuffing infrastructure observed targeting our retail client portal. The financial entity deems the threat of relevance to the financial system; indicators shared with the competent authority.— Voluntary significant cyber threat notification
Should not match
In a press release issued this morning, the bank confirmed it had reported a major ICT-related incident to its regulator last month and that services have been fully restored.— Public press release about a past reported incidentConsultancy webinar: DORA incident reporting timelines demystified — 4 hours from classification, 72 hours for the intermediate report, one month for the final report. Sign up for our newsletter for the slide pack.— Consultancy webinar marketing about reporting timelinesThis tabletop tutorial walks the crisis team through a mock major ICT-related incident, using sample notification forms with placeholder impact figures.— Training exercise with mock incident and sample forms
Known false positives
- News coverage, press releases, and regulator statements about reported incidents Mitigation: Negative keyword exclusion: 'press release', 'media statement', 'webinar', 'newsletter', 'blog post'. Public post-incident statements reuse the regulation's vocabulary; residual matches are expected for a topic classifier.
- Compliance training, tabletop exercises, and consultancy explainers on DORA incident reporting Mitigation: Shared template-exclusion dictionary (tutorial, mock, sample, training exercise) as NOT evidence on every tier
- Collision with NIS2 and national incident-notification document classes that use similar report-stage vocabulary Mitigation: Primary phrases are DORA-specific (major ICT-related incident, significant cyber threat); NIS2 documents anchor on 'significant incident' and CSIRT vocabulary instead
- Internal incident-management tickets that reference DORA classification without being the regulatory report Mitigation: 85 tier requires report-stage vocabulary (initial notification, final report, incident reference code) in proximity; tickets typically match only at discovery tier
References
- DORA Article 19 — reporting of major ICT-related incidents and voluntary notification of significant cyber threats
- Implementing Regulation (EU) 2025/302 Article 1 — single Annex I template for initial notification, intermediate report and final report
- Central Bank of Ireland — reporting major ICT-related incidents under Delegated Regulation (EU) 2025/301 (4h/24h, 72h, 1 month stages)