DORA reporting obligation: timely notification of serious ICT incidents

DORA requires financial entities to report serious ICT‑related incidents without undue delay to the competent supervisory authority (for Dutch institutions, the AFM). The reporting obligation consists of a three‑stage reporting process: an initial notification, an intermediate report and a final report. Once an incident has been internally classified as ‘serious’, the initial notification must be submitted as soon as possible within four hours after classification and in any event within 24 hours after detection of the incident. This is followed by an intermediate report, which must be submitted within 72 hours after the initial notification and supplemented where necessary, for example at the request of the supervisor or when normal operations have been restored. Finally, a final report must be submitted within one month after the last intermediate report. If an incident is later reclassified and no longer meets the criteria for a serious incident, this can be reported via the AFM portal, after which the subsequent reporting stages lapse.

When is an ICT incident considered ‘serious’?

Under DORA, an ICT‑related incident qualifies as ‘serious’ if it has a material impact on critical services. In practice, an incident will generally be considered serious where it involves a successful cyber attack, or where at least two of the DORA severity criteria are met. These criteria include, among others: (i) the number and relevance of affected clients or counterparties; (ii) the duration of the incident; (iii) its geographical spread (for example, impact across multiple EU Member States); (iv) data loss or compromise (availability, integrity or confidentiality); (v) the impact on critical business functions; and (vi) the economic impact, including direct and indirect costs. In addition, recurring incidents that are not serious when assessed individually may still be classified as serious if they occur repeatedly (for example, at least twice within six months with the same root cause) and jointly meet the severity criteria. The AFM recommends incorporating these criteria into internal classification procedures and documenting the assessment in the incident register.
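As an added example, not code from the AFM, from DORA itself or from the article's authors, the Python below turns the classification rule and the three‑stage timeline described above into a small incident‑register helper: it flags an incident as serious on a successful attack or on two or more criteria, aggregates individually non‑serious incidents that share a root cause within the recurrence window, and computes the initial, intermediate and final reporting deadlines, where the initial deadline is the earlier of "four hours after classification" and "24 hours after detection". Assumptions made here: criteria (i) to (vi) are recorded as analyst‑assessed yes/no flags rather than numeric thresholds; "six months" is taken as 183 days; "jointly meet the severity criteria" is modelled as the union of the criteria met across the recurring incidents; the names `Incident`, `is_serious`, `recurring_serious`, `reporting_deadlines` and `sample_assessment` are hypothetical, and the sample register is constructed, not real.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Deadlines of the three-stage reporting process described in the article.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_DETECTION = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
MIN_CRITERIA_FOR_SERIOUS = 2
RECURRENCE_WINDOW = timedelta(days=183)  # assumption: "six months" taken as 183 days

# Severity criteria (i)-(vi) from the article, recorded as analyst-assessed flags.
CRITERIA = frozenset({"clients", "duration", "geography", "data",
                      "critical_functions", "economic"})


@dataclass
class Incident:
    ident: str
    detected: datetime
    root_cause: str
    successful_attack: bool = False
    criteria_met: frozenset = frozenset()   # subset of CRITERIA
    classified: Optional[datetime] = None   # moment of internal 'serious' classification


def is_serious(inc: Incident) -> bool:
    """Individually serious: a successful attack, or at least two criteria met."""
    unknown = set(inc.criteria_met) - CRITERIA
    if unknown:
        raise ValueError(f"{inc.ident}: unknown criteria {sorted(unknown)}")
    return inc.successful_attack or len(inc.criteria_met) >= MIN_CRITERIA_FOR_SERIOUS


def recurring_serious(register: List[Incident]) -> Dict[str, bool]:
    """Per root cause: True when at least two individually non-serious incidents fall
    within the recurrence window and jointly reach the threshold. 'Jointly' is
    modelled as the union of the criteria met (an assumption)."""
    by_cause: Dict[str, List[Incident]] = {}
    for inc in register:
        if not is_serious(inc):
            by_cause.setdefault(inc.root_cause, []).append(inc)
    verdict: Dict[str, bool] = {}
    for cause, group in by_cause.items():
        group.sort(key=lambda i: i.detected)
        verdict[cause] = False
        for idx, first in enumerate(group):
            window = [g for g in group[idx:] if g.detected - first.detected <= RECURRENCE_WINDOW]
            joint = set().union(*(g.criteria_met for g in window))
            if len(window) >= 2 and len(joint) >= MIN_CRITERIA_FOR_SERIOUS:
                verdict[cause] = True
                break
    return verdict


def add_one_month(moment: datetime) -> datetime:
    """One calendar month later, clamping the day (31 March -> 30 April)."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(inc: Incident,
                        initial_submitted: Optional[datetime] = None,
                        last_intermediate: Optional[datetime] = None) -> Dict[str, datetime]:
    """Deadlines for the three stages. The initial notification is due four hours after
    classification and in any event 24 hours after detection, so the earlier binds."""
    if inc.classified is None:
        raise ValueError(f"{inc.ident}: not classified as serious, no reporting clock running")
    if inc.classified < inc.detected:
        raise ValueError(f"{inc.ident}: classification precedes detection")
    deadlines = {"initial": min(inc.classified + INITIAL_AFTER_CLASSIFICATION,
                                inc.detected + INITIAL_AFTER_DETECTION)}
    if initial_submitted is not None:
        deadlines["intermediate"] = initial_submitted + INTERMEDIATE_AFTER_INITIAL
    if last_intermediate is not None:
        deadlines["final"] = add_one_month(last_intermediate)
    return deadlines


def sample_assessment() -> Dict[str, object]:
    """Constructed sample register (not real incidents) run through the helpers."""
    prompt = Incident("INC-1", datetime(2025, 3, 1, 8, 0), "phishing",
                      successful_attack=True, classified=datetime(2025, 3, 1, 12, 0))
    late = Incident("INC-2", datetime(2025, 3, 1, 8, 0), "phishing",
                    successful_attack=True, classified=datetime(2025, 3, 2, 7, 0))
    minor_a = Incident("INC-3", datetime(2025, 1, 10, 9, 0), "expired-cert",
                       criteria_met=frozenset({"duration"}))
    minor_b = Incident("INC-4", datetime(2025, 2, 20, 9, 0), "expired-cert",
                       criteria_met=frozenset({"clients"}))
    lone = Incident("INC-5", datetime(2025, 2, 1, 9, 0), "disk-full",
                    criteria_met=frozenset({"duration"}))
    d1 = reporting_deadlines(prompt, initial_submitted=datetime(2025, 3, 1, 15, 0),
                             last_intermediate=datetime(2025, 3, 31, 10, 0))
    return {
        "prompt_serious": is_serious(prompt),
        "prompt_initial": d1["initial"].isoformat(),        # classification clock binds
        "prompt_intermediate": d1["intermediate"].isoformat(),
        "prompt_final": d1["final"].isoformat(),            # day clamped to 30 April
        "late_initial": reporting_deadlines(late)["initial"].isoformat(),  # detection clock binds
        "minor_a_serious": is_serious(minor_a),
        "recurring": recurring_serious([prompt, late, minor_a, minor_b, lone]),
    }


if __name__ == "__main__":
    for key, value in sample_assessment().items():
        print(f"{key}: {value}")
```

The two "phishing" entries show why both clocks are worth storing in the incident register: INC‑1 is classified quickly, so the four‑hour clock binds, while INC‑2 is classified the next morning and the 24‑hour‑after‑detection clock has already nearly run out. The two "expired-cert" entries would each be filed as minor on their own but together trip the recurring‑incident rule, which is the case the AFM's point about assessing seemingly minor incidents is aimed at. Submission to the AFM portal itself is not modelled.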

AFM: number of reports falls short of expectations

As the reason for its letter, the AFM states that the number of reported serious ICT incidents is lower than expected, while cyber incidents are increasingly reported in the media. This may indicate that not all financial entities are complying correctly with their reporting obligations under DORA, which in turn hampers the AFM’s supervisory activities. The AFM therefore explicitly calls on financial institutions to pay close attention to these obligations and ensure that serious incidents are reported properly and in a timely manner.

Relevance for financial institutions

The AFM’s letter highlights the practical importance of DORA compliance for all financial entities within scope. Digital operational resilience and risk management are key pillars of DORA. Financial institutions are expected to have a clear and fully implemented ICT incident management framework in place to detect, register, manage, classify and report ICT‑related incidents. These processes should be embedded in internal policies and procedures and should be reviewed to ensure their effectiveness, with improvements made where necessary. The AFM also refers to earlier DORA‑related publications, such as its DORA updates for further guidance. Given the AFM’s current focus, financial institutions are advised to review their existing incident management processes, assess whether these comply with DORA requirements, and make adjustments where required. Proactive assessment of ICT incidents, including those that may initially appear minor, against the DORA criteria is essential to avoid underreporting.

Recommended actions for financial institutions

  • Review internal processes: Financial institutions should ensure that they have a clear and effective framework in place for the detection, classification and reporting of ICT-related incidents in accordance with DORA.
  • Embed the severity criteria: The DORA severity criteria (such as duration, data impact and the number of affected clients or counterparties) should be properly embedded in internal procedures and consistently applied and documented.
  • Ensure timely reporting: Where an ICT incident qualifies as serious, financial institutions must submit all required notifications and reports within the applicable deadlines via the AFM DORA portal.
  • Prepare for increased supervisory focus: The AFM has placed renewed emphasis on compliance with the DORA reporting framework, making it essential for financial institutions to assess and, where necessary, enhance their incident management and reporting arrangements.

Contact

Should you require support in assessing your DORA reporting obligations or reviewing your ICT incident management framework, please contact your trusted adviser at Loyens & Loeff or one of our colleagues listed below.