2025-06-30

Guidance on Incident Reporting under DORA

The Norwegian Financial Supervisory Authority (Finanstilsynet) has issued guidance on incident reporting requirements under the Digital Operational Resilience Act (DORA) to ensure rapid and uniform understanding of ICT incidents and cyber threats across the financial sector. The document details the specific criteria for classifying serious ICT-related incidents, including the mandatory reporting thresholds and the strict deadlines for submitting initial notifications, status reports, and final reports. It further clarifies procedures for voluntary reporting of significant cyber threats, collective reporting by third-party providers, and the outsourcing of reporting obligations while maintaining ultimate responsibility with the financial entity.


Finanstilsynet Norway

Guidance

The Norwegian Financial Supervisory Authority (Finanstilsynet) has prepared a guide for reporting incidents under the rules of the DORA Regulation and the accompanying Level 2 regulatory framework.

The incident reporting is intended to help the Financial Supervisory Authority quickly obtain a correct understanding of the incident, including its scope and severity. Furthermore, the reporting is intended to help ensure a correct and timely picture of the risk level in the financial sector and to uncover patterns and connections that may be difficult for individual companies to detect.

In addition, the rules on reporting ICT incidents in DORA will contribute to ICT incidents and cyber threats being reported in a uniform manner to relevant authorities in all EU/EEA countries.

Companies covered by DORA must have a procedure for detecting, handling, and notifying about incidents. The regulatory framework sets more detailed requirements for what the procedure must contain. The framework also specifies which incidents must be reported to the Financial Supervisory Authority, deadlines for reporting, requirements for the content of the reports, and the format of the reporting. DORA also sets requirements for how the national supervisory authority must follow up on reported incidents.

Regulatory Framework

Rules on incident reporting follow from the DORA Regulation and the accompanying delegated commission regulations, implemented in Norwegian law through the DORA Act and the DORA Regulation.

Reference | Name | Relevant Provisions

(EU) 2022/2554 | Regulation on Digital Operational Resilience in the Financial Sector (DORA Regulation) | Chapter III, Art. 17-23

(EU) 2024/1772 | Delegated Commission Regulation on the classification of incidents and cyber threats | The entire regulation

(EU) 2025/301 | Delegated Commission Regulation on the content and deadlines for reporting serious ICT incidents and significant cyber threats | The entire regulation

(EU) 2025/302 | Delegated Commission Regulation on templates and procedures for reporting serious ICT incidents and voluntary reporting of significant cyber threats | The entire regulation

Reporting of Serious ICT Incidents

Who must report?

The companies that must report serious incidents are those within DORA's scope in Art. 2 no. 1, letters (a) to (t). Certain types of companies are not covered, see Art. 2 no. 3.

Which incidents must be reported?

Companies must report to the Financial Supervisory Authority about serious ICT-related incidents that have a negative impact on the company's critical services. The regulatory framework contains a number of provisions to define the severity and consequences of the incident. An ICT-related incident can be a single incident or a series of related incidents, see DORA Art. 3 no. 8.

The figure illustrates the assessments the company must make to determine whether an incident should be reported.

Conditions for Reporting

The conditions for an ICT incident to be reported are specified in (EU) 2024/1772 Art. 8 no. 1.

Firstly, the incident must affect "critical services," which are further defined in (EU) 2024/1772 Art. 6.

What constitutes a critical service for the company will be evident from a business impact analysis (BIA).

Examples of critical services can be payment services for banks and payment institutions, core systems for insurance companies, trading solutions for securities firms, or transaction monitoring against money laundering and sanctions screening.

Secondly, the incident must meet one of the following conditions:

the incident involves "successful, malicious, and unauthorized access to network and information systems" that can lead to data loss, or

two or more of the significance thresholds in (EU) 2024/1772 Art. 9 no. 1 to no. 6 are met. The significance thresholds are based on classification criteria in the regulatory framework concerning the number and/or scope of affected customers or financial counterparties and transactions, impact on the company's reputation, duration and service disruption, geographical spread, data loss, the critical importance of the affected services, and economic effects, see DORA Art. 18 no. 1 and (EU) 2024/1772 Art. 1 to 7.

If there is uncertainty regarding whether an incident should be classified as serious, the Financial Supervisory Authority emphasizes that it is desirable for the company to report the incident.

What deadlines apply to reporting?

Deadlines for reporting serious ICT-related incidents are specified in DORA Art. 19 no. 4 and (EU) 2025/301 Art. 5:

Type of Report | When must the report be sent?

Initial Notification:
- Must be sent as soon as possible.
- Must be sent within 4 hours from the time the incident is classified as a serious ICT-related incident.
- Must in all cases be sent no later than 24 hours after the incident was discovered.

Status Report(s):

First status report:
- Must be sent as soon as possible when:
  - there has been a significant change in the status of the original incident, or
  - the incident handling has changed based on new information.
- Must in any case be sent no later than 72 hours after the initial notification, even if there have been no changes in the status or handling of the incident.

Updated status report:
- Must be sent without undue delay, and only in cases where a relevant status update is available, and in all cases when normal operations are restored.
- Must also be sent upon request from the Financial Supervisory Authority.

Final Report:
- Must be sent when the root cause is handled (measures do not need to be completed yet) and when the figures for the actual impact are available and can replace estimates.
- Must be sent no later than one month after the last status report was sent.

If the deadline for sending an initial notification, status, or final report falls on a weekend or a holiday, the company may send the report by 12:00 on the next working day. However, this rule does not apply to all types of companies, see (EU) 2025/301 Art. 5 no. 5.
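The decision rule under "Conditions for Reporting" and the deadline arithmetic in the table above can be encoded so that an incident-response team does not have to recompute them by hand under pressure. The following Python is an added example, not code from Finanstilsynet or from the regulation texts. It assumes naive timestamps in the entity's local time, a constructed holiday set (real public-holiday data must come from the entity's own calendar), and interprets "one month" as the same calendar day in the following month, clamped to that month's last day; the page does not define the term. Whether the weekend/holiday rule may be used at all depends on the entity type under (EU) 2025/301 Art. 5 no. 5, so the caller passes that in as a flag.

```python
import calendar
from datetime import date, datetime, timedelta
from typing import Iterable

# Constructed sample holiday set (assumption, for demonstration only).
SAMPLE_HOLIDAYS = {date(2025, 12, 25), date(2025, 12, 26)}


def is_reportable(affects_critical_service: bool,
                  malicious_unauthorized_access: bool,
                  thresholds_met: int) -> bool:
    """Decision rule as summarised in the guidance ((EU) 2024/1772 Art. 8 no. 1):
    the incident must affect a critical service AND either involve successful,
    malicious and unauthorised access that can lead to data loss, OR meet two
    or more of the Art. 9 significance thresholds."""
    if not affects_critical_service:
        return False
    return malicious_unauthorized_access or thresholds_met >= 2


def next_working_day_noon(moment: datetime,
                          holidays: Iterable[date] = ()) -> datetime:
    """Weekend/holiday rule: a deadline on a Saturday, Sunday or holiday may be
    met by 12:00 on the next working day. Working-day deadlines are unchanged."""
    holidays = set(holidays)
    d = moment.date()
    if d.weekday() < 5 and d not in holidays:
        return moment
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return datetime(d.year, d.month, d.day, 12, 0)


def add_one_month(moment: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day
    (assumption: the page does not define 'one month')."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def _apply_rule(deadline: datetime, weekend_rule_applies: bool,
                holidays: Iterable[date]) -> datetime:
    return next_working_day_noon(deadline, holidays) if weekend_rule_applies else deadline


def initial_notification_deadline(discovered: datetime, classified_serious: datetime,
                                  weekend_rule_applies: bool = True,
                                  holidays: Iterable[date] = ()) -> datetime:
    """Earlier of: 4 h after classification as serious, 24 h after discovery."""
    deadline = min(classified_serious + timedelta(hours=4),
                   discovered + timedelta(hours=24))
    return _apply_rule(deadline, weekend_rule_applies, holidays)


def first_status_report_deadline(initial_sent: datetime,
                                 weekend_rule_applies: bool = True,
                                 holidays: Iterable[date] = ()) -> datetime:
    """No later than 72 h after the initial notification, even with no change."""
    return _apply_rule(initial_sent + timedelta(hours=72), weekend_rule_applies, holidays)


def final_report_deadline(last_status_sent: datetime,
                          weekend_rule_applies: bool = True,
                          holidays: Iterable[date] = ()) -> datetime:
    """No later than one month after the last status report was sent."""
    return _apply_rule(add_one_month(last_status_sent), weekend_rule_applies, holidays)


if __name__ == "__main__":
    # Constructed scenario: discovered Friday evening, classified Saturday morning.
    discovered = datetime(2025, 6, 27, 20, 0)
    classified = datetime(2025, 6, 28, 8, 0)
    print("reportable:", is_reportable(True, False, 2))
    print("initial notification by:", initial_notification_deadline(discovered, classified))
    initial_sent = datetime(2025, 6, 30, 10, 0)
    print("first status report by:", first_status_report_deadline(initial_sent))
    print("final report by:", final_report_deadline(datetime(2025, 7, 3, 10, 0)))
```

The initial-notification deadline is the earlier of the two clocks, so an entity that classifies late is still bound by the 24-hour discovery clock; the weekend rule only ever moves a deadline later, and only for entities to which Art. 5 no. 5 grants it, which is why the flag defaults should be reviewed against the entity's own category.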

Practical Information on Reporting Serious ICT-Related Incidents

Reclassification of Incidents

If the company has previously reported an ICT incident to the Financial Supervisory Authority but later finds that the incident cannot be classified as serious, this must be reported to the Financial Supervisory Authority through the Financial Supervisory Authority's reporting solution (checking box 1.1 for 'Serious incident reclassified as non-serious').

Recurring/Repetitive Incidents

Minor and recurring incidents must be reported if they together can be classified as a "serious" ICT-related incident, see (EU) 2024/1772 Art. 8 no. 2 and (EU) 2025/302 Art. 3.

Forwarding of Reports

The Financial Supervisory Authority will forward reports to EU financial supervisory authorities (EBA, ESMA, and EIOPA ("the ESAs")). If a specific incident affects another EU/EEA country, the ESAs will forward reports to relevant authorities in the country affected by the incident. The Financial Supervisory Authority will correspondingly receive reports from the ESAs about incidents in another EU/EEA country if the incident is relevant to Norway. This will typically be reports about incidents affecting Norwegian branches of foreign companies.

Voluntary Reporting of Significant Cyber Threats

Companies can report on significant cyber threats when they believe it is relevant for the financial system, service users, or customers. The Financial Supervisory Authority encourages such threats to be reported as this will give the Financial Supervisory Authority a better overview of the threat situation in the financial sector.

In DORA Art. 3 no. 13, a cyber threat is defined as significant if "technical characteristics indicate that it could lead to a serious ICT-related incident or a serious payment-related operational incident or security incident".

A cyber threat shall be considered significant if all the conditions in (EU) 2024/1772 Art. 10 are met:

The cyber threat, if it materializes, can affect or may have affected the company's critical or important functions or other third parties based on information available to the company;

There is a high probability that the cyber threat will materialize in the financial entity or other financial entities; and

If the cyber threat materializes, it can meet the criteria in (EU) 2024/1772 Art. 10 (c).

Reporting of Incidents on Behalf of One or More Companies

Collective Incident Reporting

A third-party provider can report on behalf of multiple companies if the conditions in (EU) 2025/302 Art. 7 are met:

The reporting obligation has been outsourced to a third-party ICT service provider (see requirements under "Outsourcing of Reporting Obligation" below);

The serious ICT-related incident originates from or is caused by a third-party ICT service provider;

This third-party ICT service provider delivers the ICT service to more than one financial entity, or to a group;

The serious ICT-related incident is classified as serious by each individual financial entity covered by the collective reporting;

The serious ICT-related incident affects companies in a single member state, and the collective reporting concerns financial entities subject to supervision by the same supervisory authority; and

The Financial Supervisory Authority has explicitly allowed this type of financial entity to report collectively.

Groups and/or alliances wishing to report incidents collectively must notify the Financial Supervisory Authority, even if previously reported under the Financial Supervisory Authority Act and the Reporting Obligation Regulation. Any changes regarding which companies are covered by such collective reporting must be reported continuously before the change takes effect.

For such notifications, use Altinn form KRT-1060 "General Attachment Form" with reference 25/7440 in field 2.2.

Outsourcing of Reporting Obligation

DORA allows companies to outsource the reporting obligation to a third-party provider. The responsibility for complying with the reporting obligation remains with the company, see DORA Art. 19 no. 5.

If the reporting obligation is outsourced, this must be reported to the Financial Supervisory Authority as soon as the contractual relationship has been entered into with the third-party provider and no later than before an initial notification is sent to the Financial Supervisory Authority on behalf of the company, see (EU) 2025/302 Art. 6.

Other Information

User Guide for Incident Reporting

For practical information on how incidents should be reported, see the Financial Supervisory Authority's user guide for reporting.

Seminar on Incident Reporting under DORA

The seminar was relevant for everyone working on adapting the company's ICT operations to the new regulatory framework on digital resilience, DORA (Digital Operational Resilience Act).

Presentation and recording from webinar on DORA (Regulation on Digital Operational Resilience in the Financial Sector) March 4, 2025

Excel Forms for Reporting

Excel form for reporting serious ICT-related incidents

Excel form for reporting significant cyber threats

Topic Page

Regulation on Digital Operational Resilience in the Financial Sector (DORA)