DORA Incident Classification Tool

On May 1, 2024, NOREA started the new Taskforce DORA. This important step underlines NOREA's commitment to promoting the digital resilience of financial institutions. The task force will focus on addressing uncertainties surrounding the implementation of DORA. The goal is to publish guidelines and templates for these domains. 

With this tool, financial entities can easily determine whether an incident is classified as major and therefore needs to be reported to the competent authorities under the Digital Operational Resilience Act (DORA). This questionnaire is based upon the related classification of ICT-related incidents.

The reporting timelines for major incidents in DORA are:

  • The initial report shall be submitted as early as possible within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the moment the financial entity has become aware of the incident;
  • An intermediate report shall be submitted at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident has not changed (as referred to in Article 19(4)(b) of Regulation (EU) 2022/2554). Financial entities shall submit an updated intermediate report without undue delay, and in any case when regular activities have been recovered.
  • The final report shall be submitted no later than one month from the submission of the latest updated intermediate report.

For more information on how to report the incident to the competent authorities and the (mandatory) content of the different reports, refer to the respective RTS.


This tool has been thoughtfully developed, and we kindly request that you share any feedback via email at norea@norea.nl. Please note that any data entered in this form will be analyzed within the browser and will not be centrally collected or processed. NOREA cannot be held responsible for any errors.

Please answer the following 8 questions:

1. Does the incident impact critical services?

Assess if the incident:

a) affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
b) affects or has affected financial services that require authorisation, registration or that are supervised by competent authorities; or
c) represents a successful, malicious and unauthorised access to the network and information systems of the financial entity.


2. Is unauthorised access to network and information systems identified, which may result in data losses?


3a. Clients, financial counterparts and transactions - does the incident meet any of the following conditions?

a) the number of affected clients is higher than 10% of all clients using the affected service; or
b) the number of affected clients is higher than 100,000 clients using the affected service; or
c) the number of affected financial counterparts is higher than 30% of all financial counterparts carrying out activities related to the provision of the affected service; or
d) the number of affected transactions is higher than 10% of the daily average number of transactions carried out by the financial entity related to the affected service; or
e) the amount of affected transactions is higher than 10% of the daily average value of transactions carried out by the financial entity related to the affected service; or
f) any identified impact on clients or financial counterparts which have been identified as relevant as an outcome of the assessment made by the financial entity under Article 1(3).


3b. Data losses - does the incident have any impact on the availability, authenticity, integrity or confidentiality of data, which has or will have an adverse impact on the implementation of the business objectives of the Financial Entity or on meeting regulatory requirements?

1. availability of data – data on demand rendered temporarily or permanently inaccessible or unusable;
2. authenticity of data – compromised trustworthiness of the source of data;
3. integrity of data – data inaccurate or incomplete due to non-authorised modification;
4. confidentiality of data – data being accessed by or disclosed to an unauthorised party or system.


3c. Reputational impact - is there any reputational impact?

Reputational impact evidenced by any of the below:
a) incident reflected in the media; or
b) received repetitive complaints; or
c) inability to meet regulatory requirements; or
d) likely loss of clients or financial counterparts with a material impact on FE’s business. Level of visibility of the incident to be taken into account.


3d. Duration and Service Downtime - is the a) incident duration longer than 24 hours; or b) service downtime longer than 2 hours for ICT services that support critical or important functions?

1. Duration is measured from the moment an incident occurs or is detected until it is resolved (estimate if not yet known).
2. Service downtime is measured from the moment the service is fully/partially unavailable/delayed to clients, financial counterparts or other internal or external users, until activities are restored to the same level as before the incident.


3e. Geographical Spread - any impact of the incident identified in the territories of at least two EU Member States?

Assess significant impact of the incident in other EU Member States on:
a) clients or financial counterparts;
b) branches of the FE or other group financial entities;
c) Financial market infrastructures or third-party providers that may affect other FEs.


3f. Economic Impact - do the costs and losses incurred by the Financial Entity exceed or are likely to exceed €100,000 (can be based on estimates where actuals cannot be determined)?

Types of direct and indirect incurred costs:
a) expropriated funds or financial assets liability, including theft;
b) replacement or relocation costs;
c) staff costs;
d) contract non-compliance fees;
e) customer redress and compensation costs;
f) forgone revenues;
g) communication costs;
h) advisory costs. (based on available data at the time of reporting)




Click on the button to determine if this is a major incident which requires reporting to the competent authorities under DORA.


This DORA incident classification tool has been co-developed by NOREA with RiskNow, provider of the RiskNow GRC SaaS platform that helps companies to comply with DORA.