# DORA ICT Incident Classification & Reporting

> Classify ICT incidents using DORA RTS 2024/1772 criteria and produce initial, intermediate, and final notification reports per ITS 2025/302 templates for submission to competent authorities.



Tags: DORA, Incident Classification, Incident Reporting, EU Regulation, Financial Services, ICT Incident


## Example Prompts

- Classify this ICT service outage to determine if it is a major incident under DORA
- Draft the initial notification for a major ICT incident within the 4-hour window
- Prepare the final incident report with root cause analysis and remediation measures
- Review our incident classification process against DORA RTS 2024/1772 criteria

URL: https://rakenne.app/skills/dora-incident-classification/index.md




## Overview

### What It Covers

- **7-criterion classification** against Commission Delegated Regulation (EU) 2024/1772 thresholds: clients affected, transactions affected, reputational impact, duration, geographic spread, data losses, and critical services affected
- **Major incident determination** using the mandatory-criterion rule (at least 2 criteria triggered, with at least one being clients, transactions, or duration)
- **Three-stage notification sequence** per ITS 2025/302: initial notification (4 hours), intermediate report (72 hours), and final report (1 month)
- **Recurring incident aggregation** for related incidents within a 24-hour window
- **GDPR coordination** when a major ICT incident also constitutes a personal data breach
- **Third-party ICT provider incidents** where the financial entity remains responsible for classification and reporting

### Who It's For

Compliance officers, ICT risk managers, CISOs, and incident response teams at EU financial entities (credit institutions, payment institutions, investment firms, insurance undertakings, and other DORA-scoped entities) who need to classify ICT incidents and file regulatory notifications under tight deadlines.

## Example Conversation

> **You:** Our online banking platform went down at 06:15 UTC this morning due to a failed database migration. We detected it at 06:40 UTC. Roughly 45,000 retail clients cannot access their accounts or make payments. The outage is ongoing — we estimate 3-4 hours total. Our payment processing is a critical function under our Art. 11 BIA. No data breach, but clients in Germany, France, and the Netherlands are affected. We have had a few media mentions on Twitter. Can you classify this and draft the initial notification?

> **Agent:** I'll gather the details and classify this against the 7 RTS 2024/1772 criteria. Let me structure the incident data and run `dora_incident_classifier`.

> **Agent:** Running `dora_incident_classifier` with report stage "initial"...

> **Agent:** Classification result: **MAJOR INCIDENT — MANDATORY REPORTING REQUIRED**. Four criteria triggered:
>
> - **Criterion 1 (Clients affected):** 45,000 clients — need to confirm total client base, but if below 450,000 this exceeds the 10% threshold. TRIGGERED.
> - **Criterion 4 (Duration):** 3+ hours with critical function (payment processing) affected — exceeds the 2-hour threshold for critical functions. TRIGGERED.
> - **Criterion 5 (Geographic spread):** 3 EU member states (Germany, France, Netherlands) — exceeds the >2 threshold. TRIGGERED.
> - **Criterion 7 (Critical services):** Payment processing identified as critical/important function in Art. 11 BIA. TRIGGERED.
>
> The mandatory-criterion rule is satisfied (criteria 1 and 4 are both mandatory criteria). I've drafted the initial notification in `initial-notification-INC-2025-0042.md`. Your deadline is **10:40 UTC** (4 hours from classification). Shall I proceed with the intermediate report template?

> **You:** Yes, and flag any missing fields.

> **Agent:** Created `intermediate-report-INC-2025-0042.md`. The classifier flagged 2 missing fields for the intermediate stage: `root_cause` (set to "under investigation" if not yet confirmed) and `estimated_recovery_time`. I've pre-filled root cause as "under investigation — failed database migration suspected" and left recovery time for you to confirm. The intermediate report is due within 72 hours of the initial notification.

## Sample Output Excerpt

The skill produces structured notification documents per ITS 2025/302. Below is an excerpt from an initial notification.

---

## Part A — Entity Identification

| Field | Value |
|---|---|
| **Entity name** | Eurobank Digital Services GmbH |
| **LEI** | 5493001KJTIIGC8Y1R12 |
| **Entity type** | Credit institution |
| **Competent authority** | BaFin (Federal Financial Supervisory Authority) |
| **Contact person — Name** | Dr. Anna Richter |
| **Contact person — Role** | Head of ICT Risk |
| **Contact person — Email** | anna.richter@eurobank-digital.eu |
| **Contact person — Phone** | +49 69 555 0199 |

## Part B — Initial Notification

**Submission deadline**: Within 4 hours of classification (10:40 UTC) or 24 hours of detection (06:40 UTC +24h), whichever is earlier.

### B.1 Incident Identification

| Field | Value |
|---|---|
| **Incident reference** | INC-2025-0042 |
| **Detection date and time (UTC)** | 2025-03-15 06:40 UTC |
| **Classification date and time (UTC)** | 2025-03-15 06:55 UTC |
| **Incident type** | Service unavailability |

### B.2 Incident Description

Online banking platform became unavailable following a scheduled database migration at 06:15 UTC. The migration script encountered a schema conflict that caused the primary database cluster to enter a degraded state. Core banking queries fail with timeout errors. Payment processing, account access, and balance inquiries are unavailable for retail clients across Germany, France, and the Netherlands.

### B.3 Impact Assessment (Preliminary)

| Field | Value |
|---|---|
| **Critical or important functions affected** | Yes — payment processing (Art. 11 BIA) |
| **Cross-border impact** | Yes — Germany, France, Netherlands |
| **Estimated number of clients affected** | 45,000 retail clients |
| **Data compromise suspected** | No |

### B.4 Immediate Actions Taken

- Database migration rolled back at 07:10 UTC; cluster restarting
- Backup payment channel activated via SWIFT for high-value transfers
- Client-facing status page updated with estimated restoration time
- Vendor (database provider) escalated to P1 support


## Extension Tools

**`dora_incident_classifier`** evaluates an ICT incident against the 7 classification criteria from RTS 2024/1772 and validates notification fields per ITS 2025/302.

### What It Validates

**Classification criteria (7 criteria + 1 supporting):**

- **Criterion 1 — Clients affected:** Checks whether >10% of clients using the affected service are impacted, or >100,000 in absolute terms, or the entity cannot determine the count.
- **Criterion 2 — Transactions affected:** Checks whether >10% of the daily average transaction volume is disrupted.
- **Criterion 3 — Reputational impact:** Checks for media coverage, formal client complaints, or regulatory compliance risk.
- **Criterion 4 — Duration:** Checks whether the outage exceeds 24 hours (general) or 2 hours (when critical/important functions are affected).
- **Criterion 5 — Geographic spread:** Checks whether clients or operations in more than 2 EU member states are affected.
- **Criterion 6 — Data losses:** Checks for personal data breaches triggering GDPR Art. 33/34 notification or loss of critical operational data.
- **Criterion 7 — Critical services affected:** Checks whether critical/important functions (per Art. 11 BIA) or authorization conditions are impacted.
- **Criterion 8 — Economic impact (supporting):** Flags if costs exceed EUR 100,000, but this alone does not trigger "major" status.

**Major incident determination rule:** At least 2 of criteria 1-7 must be triggered, and at least one of those must be a mandatory criterion (clients, transactions, or duration).
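The thresholds and the mandatory-criterion rule described above can be expressed as a short decision function. This is an added sketch, not the `dora_incident_classifier` source: the `Incident` field names are hypothetical and the sample incidents are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Per the page's rule: at least one triggered criterion must be one of these.
MANDATORY = {"clients", "transactions", "duration"}

@dataclass
class Incident:  # hypothetical field names, not the tool's input schema
    clients_affected: Optional[int]  # None = entity cannot determine the count
    clients_total: Optional[int]     # None = client base not yet confirmed
    tx_disrupted_pct: float          # % of daily average transaction volume
    duration_hours: float
    critical_function: bool          # critical/important function per Art. 11 BIA
    member_states: tuple
    reputational_impact: bool = False
    data_loss: bool = False
    cost_eur: float = 0.0            # criterion 8, supporting only

def evaluate(inc: Incident) -> dict:
    """Return {criterion: triggered} for criteria 1-7 as described above."""
    if inc.clients_affected is None:
        clients = True  # an undeterminable count triggers criterion 1
    else:
        clients = inc.clients_affected > 100_000
        if inc.clients_total:  # the 10% test needs a confirmed client base
            clients = clients or inc.clients_affected / inc.clients_total > 0.10
    return {
        "clients": clients,
        "transactions": inc.tx_disrupted_pct > 10,
        "reputation": inc.reputational_impact,
        "duration": inc.duration_hours > (2 if inc.critical_function else 24),
        "geography": len(set(inc.member_states)) > 2,
        "data_loss": inc.data_loss,
        "critical_services": inc.critical_function,
    }

def is_major(inc: Incident) -> bool:
    hit = {name for name, triggered in evaluate(inc).items() if triggered}
    # Criterion 8 (cost > EUR 100,000) is supporting only, so it is never counted.
    return len(hit) >= 2 and bool(hit & MANDATORY)

# Constructed sample incidents
OUTAGE = Incident(45_000, 400_000, 0.0, 3.5, True, ("DE", "FR", "NL"))
UNCONFIRMED_BASE = Incident(45_000, None, 0.0, 3.5, True, ("DE", "FR", "NL"))
NO_MANDATORY = Incident(500, 400_000, 0.0, 1.0, False, ("DE", "FR", "NL"),
                        reputational_impact=True, cost_eur=250_000)
```

`UNCONFIRMED_BASE` still classifies as major because duration is a mandatory criterion, while `NO_MANDATORY` triggers two criteria (reputation and geography) and exceeds the cost flag yet stays below the major threshold.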

**Notification field validation:** When a report stage is specified (initial, intermediate, or final), the tool checks that all required ITS 2025/302 fields are present and reports any missing fields:

- **Initial** — Entity identification (LEI, name, authority, contact), incident reference, timestamps, type, description, cross-border flag
- **Intermediate** — Adds root cause, containment measures, recovery status, estimated recovery time, GDPR flag, third-party involvement
- **Final** — Adds remediation measures, lessons learned, total cost assessment

**Output:** A structured report showing each criterion's status (TRIGGERED / NOT TRIGGERED) with evidence, the major/not-major determination, reporting deadlines (if major), and any missing notification fields.

## Getting Started

Add your incident details to the project workspace — either as a structured JSON file with the incident data or as free-text notes describing the incident (affected systems, timeline, client impact, geographic scope). Then activate the *DORA ICT Incident Classification & Reporting* skill. The agent will walk you through the 7-criterion classification, run `dora_incident_classifier` to verify the determination, and produce the applicable ITS 2025/302 notification documents (initial, intermediate, and/or final report) ready for submission to your competent authority.



