Understanding The Second Chapter of DORA

Robust incident management is not just a best practice but a regulatory requirement for financial businesses operating within and outside the EU. The Digital Operational Resilience Act (DORA) places significant emphasis on how these businesses manage, classify, and report ICT-related incidents.

Chapter 2 of DORA provides a framework for ensuring timely and effective incident handling, safeguarding the integrity and operational continuity of financial entities.

Understanding the second Chapter of DORA

The Core Requirements

Monitoring and Management Process

Chapter 2 mandates that financial entities establish and implement comprehensive management processes for monitoring ICT incidents. This involves setting up systems to detect and log incidents in real time, ensuring that potential threats are identified before they escalate into critical issues.

Incident Classification

Classifying ICT-related incidents based on a clear and predefined set of criteria is a cornerstone of DORA’s incident management framework. This classification helps organisations prioritise their response efforts, ensuring that severe incidents are addressed promptly while less critical ones are managed appropriately. The criteria for classification should address the incident’s impact on operations, data integrity, and customer trust.

Reporting to Authorities

DORA specifies precise timeframes within which incidents must be reported to competent authorities. The current recommendations being considered are:

  • Initial notification – 4 hours from the incident being classified as major and not later than 24 hours
  • Intermediate report – 72 hours, or if/when the status of the incident changes or new information about the incident is available
  • Final report – within 1 month.

This ensures that regulatory bodies are kept informed of significant issues that could affect the financial stability of the organisation or its customers. Timely reporting also facilitates coordinated responses to widespread threats, enhancing the overall resilience of the financial sector.

Practical Implications

Implementing Chapter 2’s requirements involves adopting a structured approach to incident management, as follows:

  1. Identify

The first step is to establish a robust incident detection system. This involves deploying monitoring tools that can detect anomalies and potential security breaches in real time. These tools should be capable of logging incidents with detailed metadata, which is crucial for subsequent analysis and classification.

  1. Assess

Once an incident is detected, it needs to be assessed to determine its severity. This assessment should be based on predefined criteria that consider the incident’s impact on business operations, data integrity, and customer trust.

  1. Respond

Effective response plans are critical for minimising the impact of ICT incidents. These plans should outline the specific steps to be taken based on the incident’s classification. For high-severity incidents, this might involve activating a crisis management team, notifying affected customers, and working with authorities to contain the breach.

  1. Learn

After resolving an incident, it’s essential to conduct a thorough post-incident review. This review should analyse what went wrong, how the incident was handled, and what improvements can be made to prevent similar incidents in the future.


Proper documentation is vital for demonstrating compliance with DORA. Financial entities should maintain detailed records of each incident, including detection, assessment, response, and lessons learned. This should include:

  • Incident Reports: Detailed accounts of each incident, including the date and time of detection, the nature of the incident, and its classification.
  • Assessment Records: Documentation of the assessment process, including the criteria used for classification and the rationale for the assigned severity level.
  • Response Logs: Records of all actions taken in response to the incident, including communications with affected parties and authorities.
  • Post-Incident Reviews: Detailed analyses of the incident and the response, including recommendations for improvements.

Chapter 2 of DORA provides a clear and structured framework for ICT incident management, classification, and reporting. By following best practices for identifying, assessing, responding to, and learning from incidents, financial entities can ensure compliance with DORA’s requirements. Proper documentation of these processes not only meets regulatory standards but also enhances the organisation’s overall resilience, ultimately protecting its operations and customers in an increasingly digital world.

Reach out to CRMG today to learn more about DORA's implications for your business and how we can assist you in achieving compliance.