DORA tool
Is your incident reportable under DORA?
Answer a few questions about an ICT incident and get an indicative read on whether it's a major incident you'd have to report, following DORA's classification criteria (RTS (EU) 2024/1772). It runs entirely in your browser; nothing is sent or stored.
Step 1: Does the regime apply?
Did the incident affect ICT services or systems that support a critical or important function (or a supervised/authorised financial service)?
Art. 6
Step 2: The fast track
A malicious unauthorised access that may cause data loss is, on its own, a major incident.
Did it involve a successful, malicious and unauthorised access to your network or systems that may result in data losses?
Art. 9(5)(b)
Step 3: Materiality thresholds
Two or more of these, on a critical function, also make it a major incident.
Were more than 10% of clients on the affected service (or more than 100,000 clients), more than 30% of financial counterparts, or more than 10% of daily transactions (by number or value) affected?
Art. 9(1)
Did the incident last more than 24 hours, OR did a critical-function service have more than 2 hours of downtime?
Art. 9(3)
Did the incident have an impact in two or more EU/EEA Member States?
Art. 9(4)
Did it adversely affect the availability, integrity, authenticity or confidentiality of data in a way that hits your business objectives or ability to meet regulatory requirements?
Art. 9(5)(a)
Have the direct and indirect costs and losses exceeded, or are they likely to exceed, €100,000?
Art. 9(6)
Did it reach the media, cause repetitive client complaints, threaten your ability to meet regulatory requirements, or risk material client loss?
Art. 9(2)
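The three steps above, written as a decision function an incident-response team could run against raw incident metrics. This is an added example, not the tool's own code; the incident field names are assumptions, and the result is indicative only, as with the questionnaire.

```javascript
// Added example: not the tool's own code. Incident field names are assumptions.
// Integer comparison avoids floating-point error at the exact threshold.
const over = (part, total, percent) => total > 0 && part * 100 > total * percent;

// Step 3 criteria, each tagged with the article reference the page gives it.
// All thresholds are strict ("more than"), so exact boundary values do not count.
const CRITERIA = [
  { ref: "Art. 9(1)", met: (i) =>
      over(i.clientsAffected, i.clientsTotal, 10) || i.clientsAffected > 100000 ||
      over(i.counterpartsAffected, i.counterpartsTotal, 30) ||
      over(i.txCountAffected, i.txCountDaily, 10) ||
      over(i.txValueAffected, i.txValueDaily, 10) },
  { ref: "Art. 9(3)", met: (i) => i.durationHours > 24 || i.criticalDowntimeHours > 2 },
  { ref: "Art. 9(4)", met: (i) => new Set(i.memberStates || []).size >= 2 },
  { ref: "Art. 9(5)(a)", met: (i) => i.dataImpact === true },
  { ref: "Art. 9(6)", met: (i) => i.costsEur > 100000 },
  { ref: "Art. 9(2)", met: (i) => i.reputationalImpact === true },
];

function classify(incident) {
  // Step 1: the regime applies only if a critical or important function is hit.
  if (!incident.affectsCriticalFunction) {
    return { major: false, path: "out of scope", met: [] };
  }
  // Step 2: the fast track is sufficient on its own.
  if (incident.maliciousAccessMayLoseData) {
    return { major: true, path: "fast track", met: ["Art. 9(5)(b)"] };
  }
  // Step 3: two or more materiality thresholds make it a major incident.
  const met = CRITERIA.filter((c) => c.met(incident)).map((c) => c.ref);
  return { major: met.length >= 2, path: "materiality", met };
}

// Constructed sample: 3 h outage of a critical service touching 12% of clients.
const sampleOutage = {
  affectsCriticalFunction: true, maliciousAccessMayLoseData: false,
  clientsAffected: 1200, clientsTotal: 10000,
  durationHours: 3, criticalDowntimeHours: 3,
  memberStates: ["DE"], costsEur: 40000,
};
console.log(classify(sampleOutage));
```

Returning the list of article references that were met, rather than a bare yes/no, gives the incident record the basis for the classification.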