Overview
Classify ICT incidents using DORA RTS 2024/1772 criteria and produce initial, intermediate, and final notification reports per ITS 2025/302 templates for submission to competent authorities.
What It Covers
- 7-criterion classification against Commission Delegated Regulation (EU) 2024/1772 thresholds: clients affected, transactions affected, reputational impact, duration, geographic spread, data losses, and critical services affected
- Major incident determination using the mandatory-criterion rule (at least 2 criteria triggered, with at least one being clients, transactions, or duration)
- Three-stage notification sequence per ITS 2025/302: initial notification (4 hours), intermediate report (72 hours), and final report (1 month)
- Recurring incident aggregation for related incidents within a 24-hour window
- GDPR coordination when a major ICT incident also constitutes a personal data breach
- Third-party ICT provider incidents where the financial entity remains responsible for classification and reporting
Who It’s For
Compliance officers, ICT risk managers, CISOs, and incident response teams at EU financial entities (credit institutions, payment institutions, investment firms, insurance undertakings, and other DORA-scoped entities) who need to classify ICT incidents and file regulatory notifications under tight deadlines.
Example Conversation
You: Our online banking platform went down at 06:15 UTC this morning due to a failed database migration. We detected it at 06:40 UTC. Roughly 45,000 retail clients cannot access their accounts or make payments. The outage is ongoing — we estimate 3-4 hours total. Our payment processing is a critical function under our Art. 11 BIA. No data breach, but clients in Germany, France, and the Netherlands are affected. We have had a few media mentions on Twitter. Can you classify this and draft the initial notification?
Agent: I’ll gather the details and classify this against the 7 RTS 2024/1772 criteria. Let me structure the incident data and run dora_incident_classifier.
Agent: Running dora_incident_classifier with report stage “initial”…
Agent: Classification result: MAJOR INCIDENT — MANDATORY REPORTING REQUIRED. Four criteria triggered:
- Criterion 1 (Clients affected): 45,000 clients — need to confirm total client base, but if below 450,000 this exceeds the 10% threshold. TRIGGERED.
- Criterion 4 (Duration): 3+ hours with critical function (payment processing) affected — exceeds the 2-hour threshold for critical functions. TRIGGERED.
- Criterion 5 (Geographic spread): 3 EU member states (Germany, France, Netherlands) — exceeds the >2 threshold. TRIGGERED.
- Criterion 7 (Critical services): Payment processing identified as critical/important function in Art. 11 BIA. TRIGGERED.
The mandatory-criterion rule is satisfied (criteria 1 and 4 are both mandatory criteria). I’ve drafted the initial notification in initial-notification-INC-2025-0042.md. Your deadline is 10:40 UTC (4 hours from classification). Shall I proceed with the intermediate report template?
You: Yes, and flag any missing fields.
Agent: Created intermediate-report-INC-2025-0042.md. The classifier flagged 2 missing fields for the intermediate stage: root_cause (set to “under investigation” if not yet confirmed) and estimated_recovery_time. I’ve pre-filled root cause as “under investigation — failed database migration suspected” and left recovery time for you to confirm. The intermediate report is due within 72 hours of the initial notification.
Sample Output Excerpt
The skill produces structured notification documents per ITS 2025/302. Below is an excerpt from an initial notification.
Part A — Entity Identification
| Field | Value |
|---|---|
| Entity name | Eurobank Digital Services GmbH |
| LEI | 5493001KJTIIGC8Y1R12 |
| Entity type | Credit institution |
| Competent authority | BaFin (Federal Financial Supervisory Authority) |
| Contact person — Name | Dr. Anna Richter |
| Contact person — Role | Head of ICT Risk |
| Contact person — Email | anna.richter@eurobank-digital.eu |
| Contact person — Phone | +49 69 555 0199 |
Part B — Initial Notification
Submission deadline: Within 4 hours of classification (10:40 UTC) or 24 hours of detection (06:40 UTC +24h), whichever is earlier.
B.1 Incident Identification
| Field | Value |
|---|---|
| Incident reference | INC-2025-0042 |
| Detection date and time (UTC) | 2025-03-15 06:40 UTC |
| Classification date and time (UTC) | 2025-03-15 06:55 UTC |
| Incident type | Service unavailability |
B.2 Incident Description
Online banking platform became unavailable following a scheduled database migration at 06:15 UTC. The migration script encountered a schema conflict that caused the primary database cluster to enter a degraded state. Core banking queries fail with timeout errors. Payment processing, account access, and balance inquiries are unavailable for retail clients across Germany, France, and the Netherlands.
B.3 Impact Assessment (Preliminary)
| Field | Value |
|---|---|
| Critical or important functions affected | Yes — payment processing (Art. 11 BIA) |
| Cross-border impact | Yes — Germany, France, Netherlands |
| Estimated number of clients affected | 45,000 retail clients |
| Data compromise suspected | No |
B.4 Immediate Actions Taken
- Database migration rolled back at 07:10 UTC; cluster restarting
- Backup payment channel activated via SWIFT for high-value transfers
- Client-facing status page updated with estimated restoration time
- Vendor (database provider) escalated to P1 support
Extension Tools
dora_incident_classifier evaluates an ICT incident against the 7 classification criteria from RTS 2024/1772 and validates notification fields per ITS 2025/302.
What It Validates
Classification criteria (7 criteria + 1 supporting):
- Criterion 1 — Clients affected: Checks whether >10% of clients using the affected service are impacted, or >100,000 in absolute terms, or the entity cannot determine the count.
- Criterion 2 — Transactions affected: Checks whether >10% of the daily average transaction volume is disrupted.
- Criterion 3 — Reputational impact: Checks for media coverage, formal client complaints, or regulatory compliance risk.
- Criterion 4 — Duration: Checks whether the outage exceeds 24 hours (general) or 2 hours (when critical/important functions are affected).
- Criterion 5 — Geographic spread: Checks whether clients or operations in more than 2 EU member states are affected.
- Criterion 6 — Data losses: Checks for personal data breaches triggering GDPR Art. 33/34 notification or loss of critical operational data.
- Criterion 7 — Critical services affected: Checks whether critical/important functions (per Art. 11 BIA) or authorization conditions are impacted.
- Criterion 8 — Economic impact (supporting): Flags if costs exceed EUR 100,000, but this alone does not trigger “major” status.
Major incident determination rule: At least 2 of criteria 1-7 must be triggered, and at least one of those must be a mandatory criterion (clients, transactions, or duration).
Notification field validation: When a report stage is specified (initial, intermediate, or final), the tool checks that all required ITS 2025/302 fields are present and reports any missing fields:
- Initial — Entity identification (LEI, name, authority, contact), incident reference, timestamps, type, description, cross-border flag
- Intermediate — Adds root cause, containment measures, recovery status, estimated recovery time, GDPR flag, third-party involvement
- Final — Adds remediation measures, lessons learned, total cost assessment
Output: A structured report showing each criterion’s status (TRIGGERED / NOT TRIGGERED) with evidence, the major/not-major determination, reporting deadlines (if major), and any missing notification fields.
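The thresholds and the major incident determination rule listed above, written out as an added Python example. This is not the code of dora_incident_classifier; the Incident field names are hypothetical, and the sample figures are constructed (the total client base and transaction volumes are assumed, since the page does not give them).

```python
from dataclasses import dataclass
from typing import Optional

# Criteria the page calls mandatory for a "major" determination.
MANDATORY = {"clients", "transactions", "duration"}

@dataclass
class Incident:
    # Hypothetical field names for this example, not the tool's input schema.
    clients_affected: Optional[int]   # None = count cannot be determined
    total_clients: int
    transactions_affected: int
    daily_avg_transactions: int
    reputational_impact: bool
    duration_hours: float
    critical_function_affected: bool  # per the entity's Art. 11 BIA
    member_states: frozenset
    data_loss: bool

def triggered_criteria(i: Incident) -> set:
    """Names of criteria 1-7 triggered under the thresholds listed on this page."""
    c = i.clients_affected
    checks = {
        "clients": c is None or c > 100_000 or c > 0.10 * i.total_clients,
        "transactions": i.transactions_affected > 0.10 * i.daily_avg_transactions,
        "reputational": i.reputational_impact,
        # 2-hour limit when a critical/important function is hit, else 24 hours
        "duration": i.duration_hours > (2 if i.critical_function_affected else 24),
        "geographic": len(i.member_states) > 2,
        "data_losses": i.data_loss,
        "critical_services": i.critical_function_affected,
    }
    return {name for name, hit in checks.items() if hit}

def is_major(i: Incident) -> bool:
    """At least 2 criteria triggered, at least one of them mandatory."""
    hits = triggered_criteria(i)
    return len(hits) >= 2 and bool(hits & MANDATORY)

# Constructed samples. The first follows the example conversation; the total
# client base and transaction figures are assumed, the page does not give them.
EU3 = frozenset({"DE", "FR", "NL"})
outage = Incident(45_000, 300_000, 0, 200_000, False, 3.5, True, EU3, False)
# Short outage: only non-mandatory criteria trigger, so it is not major.
short = Incident(5_000, 300_000, 0, 200_000, False, 1.5, True, EU3, False)

if __name__ == "__main__":
    for name, inc in (("outage", outage), ("short", short)):
        print(name, sorted(triggered_criteria(inc)), "MAJOR" if is_major(inc) else "not major")
```

The second sample shows the edge case the rule exists for: geographic spread and critical services both trigger, but with no mandatory criterion the incident is not classified as major.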
Getting Started
Add your incident details to the project workspace — either as a structured JSON file with the incident data or as free-text notes describing the incident (affected systems, timeline, client impact, geographic scope). Then activate the DORA ICT Incident Classification & Reporting skill. The agent will walk you through the 7-criterion classification, run dora_incident_classifier to verify the determination, and produce the applicable ITS 2025/302 notification documents (initial, intermediate, and/or final report) ready for submission to your competent authority.