D3 Security · Security Operations Glossary
What Is DORA Compliance?
Definition
DORA (Digital Operational Resilience Act, Regulation 2022/2554) is an EU regulation requiring financial institutions to establish comprehensive frameworks for managing ICT (Information and Communication Technology) risk, including mandatory incident reporting to national financial authorities within specified timeframes. It applies to banks, investment firms, insurance companies, payment institutions, and their critical ICT third-party service providers across all EU member states.
Who DORA Applies To
DORA’s scope covers the full spectrum of EU financial services: credit institutions, investment firms, insurance and reinsurance undertakings, central counterparties, trade repositories, payment institutions, electronic money institutions, crypto-asset service providers, and — critically — their ICT third-party service providers. If a cloud provider or managed security vendor is designated “critical” by the European Supervisory Authorities, they fall under direct DORA oversight.
Three Reporting Phases (Article 19)
DORA establishes a mandatory three-phase incident reporting structure. Each phase serves a specific regulatory purpose and requires distinct information.
Phase 1 — Initial Notification (4 hours)
Required within 4 hours of classifying a critical ICT incident. Must include: incident description, detection time, classification, systems affected, and preliminary impact assessment. This is the deadline that creates the most operational pressure, because classification itself requires forensic investigation.
Phase 2 — Intermediate Report (72 hours)
Updated impact assessment, preliminary root cause analysis, actions taken so far, and forensic findings to date. Institutions must distinguish between preliminary and final findings — regulators expect honesty about what is still unknown.
Phase 3 — Final Report (30 days)
Complete incident timeline, confirmed root cause, all systems affected, full impact assessment, and remediation status. This report must satisfy both regulatory and audit defense requirements.
Materiality Thresholds (Article 18)
DORA Article 18 defines when an ICT incident qualifies as “critical” and triggers reporting obligations. Financial authorities classify incidents based on five dimensions:
- Financial impact: Effect on client assets and market integrity
- Service disruption: Duration of customer-facing service unavailability
- Scale: Number of clients affected
- Geographic scope: Single-entity vs. multi-region impact
- Data sensitivity: Customer PII, financial data, or regulatory data exposed
Classification requires forensic investigation to determine whether an alert represents a reportable incident — a process that takes 30–60 minutes when performed manually.
Why the 4-Hour Deadline Is Structurally Difficult
The average EU financial institution receives 4,484 security alerts daily (Devo, 2024). Manual investigation workflows consume 75–135 minutes per incident before a classification decision can be made:
| Workflow step | Manual time |
|---|---|
| Queue time (alert sits before analyst picks it up) | 15–30 min |
| Investigation (cross-tool correlation) | 30–60 min |
| Classification decision | 10–15 min |
| Report generation | 10–20 min |
| Total before management review | 75–135 min |
Combined with management review and filing logistics, most institutions struggle to meet the 4-hour window consistently (ECB, 2024).
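The sequence described above (check the five Article 18 dimensions, classify, then work the three Article 19 deadlines against the manual time budget in the table) can be expressed as a small check over an incident record. This is an added example, not D3 Security's code or DORA's own text: the numeric thresholds, the sample incident and the choice to count all three deadlines from the classification timestamp are constructed assumptions, since the page gives only the dimensions and the windows.

```python
"""Article 18 materiality check and Article 19 reporting schedule for one incident.

Added illustration. The thresholds below are constructed for the example; DORA's
real figures come from the Article 18 technical standards and are not on this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed thresholds, one per dimension listed on the page. Replace with the
# institution's adopted Article 18 criteria before using this for real triage.
THRESHOLDS = {
    "financial_impact": 100_000,   # EUR of client assets affected
    "service_disruption": 120,     # minutes of customer-facing unavailability
    "scale": 1_000,                # clients affected
    "geographic_scope": 2,         # regions affected (1 = single entity)
}


@dataclass
class IncidentFacts:
    """What the investigation has established so far about one alert."""
    detected_at: datetime
    financial_impact_eur: float = 0.0
    service_downtime_minutes: int = 0
    clients_affected: int = 0
    regions_affected: int = 1
    sensitive_data_exposed: bool = False   # customer PII, financial or regulatory data


def assess_materiality(facts: IncidentFacts) -> list[str]:
    """Return the Article 18 dimensions whose threshold is met, in the page's order."""
    triggered = []
    if facts.financial_impact_eur >= THRESHOLDS["financial_impact"]:
        triggered.append("financial_impact")
    if facts.service_downtime_minutes >= THRESHOLDS["service_disruption"]:
        triggered.append("service_disruption")
    if facts.clients_affected >= THRESHOLDS["scale"]:
        triggered.append("scale")
    if facts.regions_affected >= THRESHOLDS["geographic_scope"]:
        triggered.append("geographic_scope")
    if facts.sensitive_data_exposed:
        triggered.append("data_sensitivity")
    return triggered


def reporting_schedule(classified_at: datetime) -> dict[str, datetime]:
    """Article 19 deadlines. Assumption: all three are counted from classification time."""
    return {
        "initial_notification": classified_at + timedelta(hours=4),
        "intermediate_report": classified_at + timedelta(hours=72),
        "final_report": classified_at + timedelta(days=30),
    }


def classify(facts: IncidentFacts, classified_at: datetime) -> dict:
    """Decide reportability; keep the triggering dimensions so the initial
    notification can state the classification basis, not just a verdict."""
    triggered = assess_materiality(facts)
    if not triggered:
        return {"reportable": False, "triggered": [], "deadlines": {}}
    return {"reportable": True, "triggered": triggered,
            "deadlines": reporting_schedule(classified_at)}


def minutes_to_initial_deadline(classified_at: datetime, now: datetime) -> float:
    """Remaining budget for the 4-hour initial notification; negative means missed."""
    deadline = reporting_schedule(classified_at)["initial_notification"]
    return (deadline - now).total_seconds() / 60


def demo() -> dict:
    """Constructed sample: outage detected 09:00 UTC, classified 65 minutes later."""
    detected = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    classified = detected + timedelta(minutes=65)
    outage = IncidentFacts(detected_at=detected, service_downtime_minutes=180,
                           clients_affected=5_000)
    benign = IncidentFacts(detected_at=detected, clients_affected=3)
    verdict = classify(outage, classified)
    # Slack left if the manual workflow takes the table's worst case of 135 minutes
    slack = minutes_to_initial_deadline(classified, classified + timedelta(minutes=135))
    return {
        "reportable": verdict["reportable"],
        "triggered": verdict["triggered"],
        "initial_due": verdict["deadlines"]["initial_notification"].isoformat(),
        "final_due": verdict["deadlines"]["final_report"].isoformat(),
        "slack_after_manual": slack,
        "benign_reportable": classify(benign, classified)["reportable"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The check records which dimensions fired rather than returning a bare yes/no, because the initial notification has to carry a classification and a preliminary impact assessment, and the intermediate report has to separate what is confirmed from what is still preliminary. The slack figure shows the point the table makes: a 135-minute manual workflow leaves under two hours for management review and filing.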
How AI Automation Addresses the Gap
Purpose-built cybersecurity AI platforms compress the alert-to-report timeline by performing autonomous investigation (under 2 minutes), applying Article 18 materiality logic automatically, and populating reporting templates through configurable generators. This reduces total filing time to approximately 40 minutes — well within the 4-hour deadline.
The key distinction is investigation speed. DORA compliance is not about detection speed (SIEMs already detect in near-real-time). It’s about investigation speed: how fast can you determine whether an alert represents a critical ICT incident that requires reporting?
DORA vs. Related Regulations
DORA does not exist in isolation. EU financial institutions face overlapping regulatory obligations:
- NIS2 Directive: Broader cybersecurity requirements for essential services; DORA is the financial-sector-specific implementation
- GDPR: Data breach notification within 72 hours; DORA’s 4-hour window is significantly tighter for ICT incidents
- TIBER-EU: Threat-led penetration testing framework; complements DORA’s resilience testing requirements
- MiCA: Markets in Crypto-Assets regulation; crypto-asset service providers fall under both MiCA and DORA
Frequently Asked Questions
What is DORA compliance?
DORA (Digital Operational Resilience Act, Regulation 2022/2554) is an EU regulation requiring financial institutions to establish comprehensive ICT risk management frameworks, including mandatory incident reporting to national financial authorities within 4 hours of classifying a critical ICT incident. It applies to banks, investment firms, insurance companies, payment institutions, and their critical third-party ICT providers.
What are DORA’s three reporting phases?
DORA mandates three phases: (1) Initial Notification within 4 hours of detection with incident description, classification, and preliminary impact; (2) Intermediate Report within 72 hours with updated assessment and preliminary root cause; (3) Final Report within 30 days with complete timeline, confirmed root cause, and remediation status.
What is DORA Article 18 materiality classification?
Article 18 defines when an ICT incident qualifies as “critical” and triggers reporting obligations, based on five dimensions: financial impact on client assets, duration of service unavailability, number of clients affected, geographic scope, and data sensitivity. Determining materiality requires forensic investigation, not just alert review.
Why do EU banks struggle with the DORA 4-hour deadline?
Manual investigation workflows consume 75–135 minutes per incident before a classification decision can be made. The average EU financial institution receives 4,484 daily alerts (Devo, 2024), and analysts need 30–60 minutes of cross-tool correlation to determine whether an alert represents a reportable incident.
How does AI automation help meet DORA reporting deadlines?
Purpose-built cybersecurity AI platforms perform autonomous investigation in under 2 minutes, apply Article 18 materiality logic automatically, and populate reporting templates through configurable generators. This compresses total alert-to-filed-report time to approximately 40 minutes.
Related Terms
Autonomous SOC
Self-Healing Integrations
Integration Drift
Purpose-Built Cybersecurity LLM
SOAR Ceiling
Further Reading
DORA Compliance on Autopilot
Smarter SOC, Safer Bank
What Is Morpheus?
Updated 2026-03-26