DORA · 2026-03-10 · 4 min read

DORA Article 19 Explained: Reporting of Major ICT-Related Incidents

Introduction

The Digital Operational Resilience Act (DORA) is set to become a cornerstone of the European Union's financial regulation. It aims to strengthen the operational resilience of financial entities by ensuring that their systems are robust against digital risks. Within this framework, Article 19 of DORA specifically addresses the reporting of major ICT-related incidents, a critical part of maintaining operational resilience in the financial sector. This article explains Article 19, the reporting obligations it creates for major ICT-related incidents, and the implications for financial entities.

Key Requirements

Article 19 of DORA requires financial entities to report any ICT incident that could significantly disrupt or impair their operational functions. The key requirements are:

  • Incident Threshold: Financial entities must have mechanisms in place to determine when an ICT incident qualifies as "major" based on the potential impact on their operations.
  • Immediate Reporting: Upon identifying a major incident, financial entities must report it to their competent authority immediately.
  • Details Required: The report must include a description of the incident, the entities affected, and the measures taken or planned to address the incident.
  • Follow-up Reporting: Ongoing updates must be provided until the incident is resolved.
  • Annual Reporting: An annual internal report on ICT-related incidents must be produced, detailing all major incidents that occurred during the year.
  • Documentation Retention: Records of incidents and the reports made must be kept for at least five years.

Implementation Guide

To ensure compliance with Article 19, financial entities should follow these practical steps:

  1. Define Major Incidents: Establish clear criteria for what constitutes a major ICT-related incident based on potential operational impact, such as loss of data, service disruption, or financial loss.
  2. Develop Incident Reporting Protocols: Create a standardized process for reporting incidents to the competent authority, including who is responsible for reporting, the communication channels, and the required information.
  3. Establish Communication Channels: Ensure there are reliable and secure communication channels with the competent authority for immediate reporting.
  4. Ongoing Monitoring and Updates: Implement a system to track the status of incidents and provide regular updates to the competent authority until resolution.
  5. Create Annual Reports: Develop a process for compiling and analyzing data on major incidents for the annual report.
  6. Documentation and Record-Keeping: Implement a robust system for documenting incidents and retaining records in line with the five-year retention requirement.

Common Pitfalls

Mistakes to avoid when implementing Article 19's requirements include:

  • Lack of Clear Criteria: Without a clear definition of what constitutes a major incident, entities may under-report or be unsure when to report.
  • Inadequate Communication Channels: Slow or insecure communication channels can delay reporting and potentially harm the entity's reputation and regulatory standing.
  • Poor Record-Keeping: Inadequate documentation and record-keeping can lead to difficulties in providing evidence of compliance and understanding incident trends.
  • Neglecting Ongoing Updates: Failing to provide regular updates on incident status can lead to regulatory penalties and a lack of transparency.
  • Annual Report Oversights: Missing details or inaccuracies in the annual report can undermine the entity's compliance with DORA.

How Matproof Helps

Matproof's compliance management platform can assist financial entities in automating the tracking and evidence collection for Article 19 requirements, ensuring that all incidents are captured and reported in a timely and accurate manner. The platform provides a centralized system for incident reporting and documentation, streamlining the compliance process and reducing the risk of non-compliance.

By understanding and implementing the requirements of Article 19, financial entities can enhance their operational resilience and maintain trust with regulators and stakeholders. DORA's focus on digital risks underscores the importance of proactive measures and robust incident management in today's digital financial landscape.
