User Guide for Incident Reporting under DORA

Guide

From July 1, 2025, incidents must be reported via the Altinn form KRT-3190. This user guide specifies in detail how to complete the form and provides other practical information regarding incident reporting and the reporting of significant cyber threats.

Reporting of serious ICT-related incidents via Altinn form KRT-3190

Completing the Altinn form

Serious ICT incidents must be reported via Altinn form KRT-3190 . The Altinn form is available in both Norwegian and English. Although not a requirement, the Financial Supervisory Authority encourages companies to report in English.

Information on how to complete the Altinn form can be found in the help texts within the form itself.

Only organizations, not private individuals, can report. There is no requirement for the reporter's role within the company.

The use of Altinn form KRT-3190 is structured so that reporting is step-by-step. First, the company notifies about the incident with an initial notification. Subsequent reports on the incident are completed by retrieving the latest submission regarding the incident from "Archive" and selecting "Create new copy". Based on the previous submission, the reporting on the incident continues. The type of report is indicated in field 1.1.

There may be multiple submissions regarding the same incident in the archive. The designation indicates what type of report it is, making it easy to find the report that was most recently submitted.

It is possible to change previously reported data about the incident.

Confirmation from the Financial Supervisory Authority of receipt

The company will receive an email confirmation from hendelse@finanstilsynet.no that the report has been received, along with any follow-up questions regarding the incident.

Consolidated reporting

Banks that are part of a group or alliance can report collectively. The groups and/or alliances this applies to have notified the Financial Supervisory Authority that they wish to use this option. The names and LEI codes of the companies covered by the reporting are written continuously with semicolons between them in fields 1.5 and 1.6 respectively. In aggregated reporting, field 1.4 'Type of financial entity' must be the same for the companies for which reporting is consolidated.

Transitional arrangements

Incidents reported to the Financial Supervisory Authority before July 1, 2025, for which the Financial Supervisory Authority has not yet received a final report, are reported as before directly to hendelse@finanstilsynet.no .

Reporting of significant cyber threats

Reporting of significant cyber threats in accordance with DORA must be reported via Altinn form KRT-3191. The Altinn form is available in both Norwegian and English.

Altinn form: DORA Significant Cyber Threats (KRT-3191)

Other information

Reporting form under PSD2 is being phased out

Altinn form KRT-1190 for Major Incident reporting under PSD2 is being phased out from July 1, 2025.

Backup solution

If companies experience problems using Altinn, ICT incidents should be reported on an Excel form and sent as an attachment via email to hendelse@finanstilsynet.no . If an initial notification is reported using the Excel form, the remaining reporting on this incident must continue in the Excel form. The backup solution can also be used to report significant cyber threats if the company experiences problems with the Altinn solution.

Excel form for reporting of serious ICT-related incident

Excel form for reporting of significant cyber threat

Topic page for incident reporting under DORA

Information on which incidents are subject to reporting requirements and deadlines for reporting, as well as information on which cyber threats can be reported, can be found here:

Incident reporting under DORA

Contact

For technical questions regarding the use of Altinn, contact Altinn user service . For other questions, send an email to hendelse@finanstilsynet.no .

Topic page

Regulation on digital operational resilience in the financial sector (DORA)