Nov 10, 2025

Threats, Incidents, and Attacks Under DORA – What Financial Companies Need to Know

Since January 17, 2025, Regulation (EU) 2022/2554 – better known as DORA – has been compulsory for financial companies. A key objective of the regulation is to strengthen the digital operational resilience of the financial sector and create clear structures for dealing with ICT risks. But not all risks are the same: DORA makes a precise distinction between threats, incidents, and attacks – and attaches different obligations to each category. While threats as potential sources of danger are primarily to be analyzed internally, actual incidents and attacks trigger specific reporting and action obligations. This distinction becomes particularly relevant when it comes to the question of when financial companies are obliged to inform authorities or affected parties. The regulation not only defines what constitutes a cyber threat, an ICT-related incident, or a cyber-attack, but also specifies the steps that companies must take in each case. Precise classification is of central importance not only for compliance, but also for the strategic orientation of ICT risk management.

What Are Threats, Incidents, and Attacks Under DORA

DORA uses a number of different terms for attacks and incidents. These terms can be broadly divided into two categories: threats (which have the potential to cause damage) and incidents/attacks (the actual events that have caused or are causing damage).

Threats refer to possible circumstances or actions that could affect network and information systems (ICT). According to Article 3(12) DORA, a cyber threat is a possible circumstance, event, or action that could harm, disrupt, or otherwise affect network and information systems, the users of these systems, and other persons. According to Article 3(13) DORA, a significant cyber threat is a cyber threat whose technical characteristics indicate that it could have the potential to cause a serious ICT-related incident or a serious payment-related operational or security incident.

An ICT-related incident is the most general category of negative event in the ICT sector. It is defined in Article 3(8) DORA as an unplanned event or a series of related events that compromises the security of network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data or on the services provided by the financial institution. ICT-related incidents are further subdivided into serious ICT-related incidents and serious payment-related operational or security incidents within the meaning of Article 3(10) and (11) DORA.

In contrast, a cyberattack within the meaning of Article 3(14) DORA is a malicious ICT-related incident resulting from an attacker’s attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or use of an asset.

What Obligations Are Associated With Each Category?

DORA attaches different legal consequences and obligations to threats, incidents, and attacks.

There is no external reporting obligation for cyber threats as a general threat category. The information is primarily used for internal analysis and for the further development of digital operational resilience. Reporting a significant cyber threat to the competent authorities is voluntary under Article 19(2) DORA: financial companies may share this information if they consider the threat to be relevant to the financial system, service users, or customers.

Both ICT-related incidents and cyberattacks trigger an external reporting obligation only if they reach a certain level of severity, i.e., if they are classified as serious. According to Article 19(1) DORA, financial companies must therefore report serious ICT-related incidents to the competent authority. Credit institutions, e-money institutions, payment institutions, and account information service providers must also report serious payment-related operational or security incidents in accordance with Article 23 DORA. It follows from recitals 23 and 54 of DORA that this specific reporting obligation replaces the corresponding reporting obligations under PSD2 in order to avoid duplication of requirements.

However, the obligations of financial companies are not limited to reporting requirements. Following disruptions to their main activities as a result of serious ICT-related incidents, financial companies must provide for subsequent reviews of the ICT-related incident. These reviews should investigate the causes and identify improvements to ICT processes or to the ICT business continuity policy. In addition, financial companies that are not micro-enterprises must, upon request, notify the competent authorities of the changes made following the review of ICT-related incidents in accordance with Article 13 DORA.

Consequently, DORA focuses on proactive integration into risk management and voluntary information sharing in the case of threats, while clear reactive obligations such as reporting, damage limitation, recovery, and root cause analysis are at the forefront in the case of incidents and attacks.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de
