Overview of key EU regulations in the digital area

Free DORA Incident Classification Tool (beta version)

With this tool, financial entities can easily determine if an incident is classified as major and as such needs to be reported to the competent authorites under the Digital Operational Resilience Act (DORA). This questionnaire is based upon the official related Regulatory Technical Standard.

The reporting timelines for major incidents in DORA are:

  • The initial report shall be submitted as early as possible within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the moment the financial entity has become aware of the incident;
  • An intermediate report shall be submitted the latest within 72 hours from the submission of the initial notification even where the status or the handling of the incident have not changed (as referred to in Article 19(4)(b) of Regulation (EU) 2022/2554). Financial entities shall submit without undue delay an updated intermediate report, in any case, when regular activities have been recovered.
  • the final report shall be submitted no later than one month from the submission of the latest updated intermediate report.

This free of charge tool has been carefully prepared, if you have feedback can we kindly ask to share this per email via info@digitalacts.eu. Any data entered in this form will be analysed in the browser and will not be centrally collected and/or processed. DigitalActs.EU cannot be held liable for any mistakes on this website.


Please answer the following 8 questions:


1. Does the incident impact critical services?

Assess if the incident:

a) affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
b) affects or has affected financial services that require authorisation, registration or that are supervised by competent authorities; or
c) represents a successful, malicious and unauthorised access to the network and information systems of the financial entity.




2. Is unauthorised access to network and information systems identified, which may result in data losses?




3a. Clients, financial counterparts and transactions - does the incident meet any of the following conditions?

a) the number of affected clients is higher than 10% of all clients using the affected service; or
b) the number of affected clients is higher than 100,000 clients using the affected service; or
c) the number of affected financial counterparts is higher than 30% of all financial counterparts carrying out activities related to the provision of the affected service; or
d) the number of affected transactions is higher than 10% of the daily average number of transactions carried out by the financial entity related to the affected service; or
e) the amount of affected transactions is higher than 10% of the daily average value of transactions carried out by the financial entity related to the affected service; or
f) any identified impact on clients or financial counterparts which have been identified as relevant as an outcome of the assessment made by the financial entity under Article 1(3).




3b. Data losses - does the incident have any impact on the availability, authenticity, integrity or confidentiality of data, which has or will have an adverse impact on the implementation of the business objectives of the Financial Entity or on meeting regulatory requirements?


1. availability of data – data on demand rendered temporarily or permanently inaccessible or unusable;
2. authenticity of data – compromised trustworthiness of the source of data;
3. integrity of data – data inaccurate or incomplete due to non-authorised modification;
4. confidentiality of data – data being accessed by or disclosed to an unauthorised party or system.




3c. Reputational impact - Is here any reputational impact?


Reputational impact evidenced by any of the below:
a) incident reflected in the media; or
b) received repetitive complaints; or
c) inability to meet regulatory requirements; or
d) likely loss of clients or financial counterparts with a material impact on FE’s business. Level of visibility of the incident to be taken into account.




3d. Duration and Service Downtime - is the a) incident duration longer than 24 hours; or b) service downtime longer than 2 hours for ICT services that support critical or important functions

1. Duration measured from the moment an incident occurs or is detected, until it is resolved. (estimate if not yet known)
2. Service downtime measured from the moment service fully/partially unavailable/delayed to clients, financial counterparts or other internal or external users, until activities are restored to the same level before the incident.




3e. Geographical Spread - any impact of the incident identified in the territories of at least two EU Member States?


Assess significant impact of the incident in other EU Member States on:
a) clients or financial counterparts;
b) branches of the FE or other group financial entities;
c) Financial market infrastructures or third-party providers that may affect other FEs.




3f. Economic Impact - do the costs and losses incurred by the Financial Entity exceed or are likely to exceed €100,000 (can be based on estimates where actuals cannot be determined)?


Types of direct and indirect incurred costs:
a) expropriated funds or financial assets liability, including theft;
b) replacement or relocation costs;
c) staff costs;
d) contract non-compliance fees;
e) customer redress and compensation costs;
f) forgone revenues;
g) communication costs;
h) advisory costs. (based on available data at the time of reporting)





Click on the button to determine if this is a major incident which requires reporting to the competent authorities under DORA.

This website is powered by RiskNow – The Governance, Risk and Compliance (GRC) SaaS solution with the ultimate user experience. Get rid of your legacy GRC system and join us!

Disclaimer: the information on this website is for informational purposes only. While we strive to ensure the accuracy and reliability of the information, we are not liable for any errors or omissions. For the most accurate and official information, we kindly refer to the official website of the European Union.