Risk Horizon

Intelligence generated by AI from public regulatory sources. Not investment or regulatory advice. Verify before relying on any output.

critical · EBA · Joint Committee of the European Supervisory Authorities

DORA Final RTS on ICT-Related Incident Classification Criteria

The Joint Committee of the ESAs published the Final RTS under DORA specifying classification criteria for major ICT-related incidents. The RTS introduces a multi-dimensional matrix covering client impact, geographic spread, data breach severity, and service disruption duration. Firms must submit an initial supervisory notification within 4 hours of identifying a major incident.

Horizon: Immediate

Source Type: legislative change

Published: 1 August 2024

AI Commentary

The 4-hour initial notification requirement is a significant operational shift. Current incident management processes typically operate on 24–72 hour cycles. Firms should prioritise tooling, escalation protocols, and regulatory reporting automation as immediate remediation priorities.
