Source extracts — ESAs Final Report on DORA Incident Classification Criteria (January 2025)
- Annex I enumerates primary quantitative indicators—client impact, service downtime, transactional disruption, geographical spread, and data losses—that automatically trigger a “major” classification once the prescribed thresholds are met. Operations teams must codify these metrics inside SIEM/SOAR playbooks so escalations automatically request regulatory notification packs and preserve evidentiary data.
- Annex II defines secondary qualitative indicators, including reputational damage, critical function disruption, and third-party concentration effects, that can elevate an incident to “major” when combined with primary metrics. Crisis managers should revise severity matrices so leadership can override purely quantitative scoring when secondary impacts surface.
- Section 4 requires firms to classify incidents without undue delay and to send the initial notification to the competent authority within four hours of classifying an incident as "major" (under the ESAs' reporting RTS that notification is in any case due no later than 24 hours after the firm became aware of the incident). Response teams should pre-assign duty officers, multilingual notification templates, and regulator distribution lists so the clock is never lost between detection and the first report.
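The three points above describe one pipeline: quantitative thresholds trigger "major" automatically, qualitative indicators route a borderline case to leadership, and classification starts the notification clock. The Python below is an added example of how that logic can be codified for a SOAR playbook; it is not code from the ESAs' report. The threshold values, the indicator names, the "major-review" state for qualitative escalation and the 24-hour cap from awareness are all assumptions of this example; the binding thresholds and timelines are the ones in the RTS.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Illustrative thresholds for the primary quantitative indicators the page names.
# These numbers are ASSUMED for the example; take the binding values from the RTS.
PRIMARY_THRESHOLDS = {
    "clients_affected_pct": 10.0,       # % of clients using the affected service
    "clients_affected_abs": 100_000,    # absolute number of clients affected
    "service_downtime_hours": 2.0,      # downtime of a critical service
    "transactions_affected_pct": 10.0,  # % of daily transaction volume
    "member_states_affected": 2,        # geographical spread
}
# Secondary (qualitative) indicators; the labels are this example's own.
SECONDARY_INDICATORS = {"reputational_damage", "critical_function_disruption",
                        "third_party_concentration"}
NOTIFY_AFTER_CLASSIFICATION = timedelta(hours=4)   # window stated on the page
NOTIFY_AFTER_AWARENESS = timedelta(hours=24)       # assumed cap, from the reporting RTS


@dataclass
class IncidentMetrics:
    incident_id: str
    aware_at: datetime                      # when the entity became aware of the incident
    clients_affected_pct: float = 0.0
    clients_affected_abs: int = 0
    service_downtime_hours: float = 0.0
    transactions_affected_pct: float = 0.0
    member_states_affected: int = 0
    data_loss: bool = False                 # any loss of availability/integrity/confidentiality
    secondary: Set[str] = field(default_factory=set)


@dataclass
class Classification:
    incident_id: str
    severity: str                           # "major", "major-review" or "non-major"
    primary_hits: List[str]
    secondary_hits: List[str]
    classified_at: datetime
    initial_notification_due: Optional[datetime]


def breached_primary(m: IncidentMetrics) -> List[str]:
    """Names of primary quantitative indicators at or above their threshold."""
    hits = [name for name, limit in PRIMARY_THRESHOLDS.items() if getattr(m, name) >= limit]
    if m.data_loss:
        hits.append("data_loss")
    return hits


def classify(m: IncidentMetrics, now: datetime) -> Classification:
    """Deterministic classification; every input and hit is kept for the audit trail."""
    unknown = m.secondary - SECONDARY_INDICATORS
    if unknown:
        raise ValueError(f"unrecognised secondary indicators: {sorted(unknown)}")
    primary = breached_primary(m)
    any_primary_impact = m.data_loss or any(getattr(m, n) > 0 for n in PRIMARY_THRESHOLDS)

    if primary:
        severity = "major"          # thresholds met: automatic, no human decision needed
    elif m.secondary and any_primary_impact:
        severity = "major-review"   # qualitative escalation: leadership must confirm
    else:
        severity = "non-major"      # below thresholds: still logged as a near-miss

    due = None
    if severity == "major":
        # Four hours from classification, but never later than 24 h from awareness.
        due = min(now + NOTIFY_AFTER_CLASSIFICATION, m.aware_at + NOTIFY_AFTER_AWARENESS)
    return Classification(m.incident_id, severity, primary, sorted(m.secondary), now, due)


def hours_left(c: Classification, now: datetime) -> Optional[float]:
    """Remaining time on the regulatory clock, for a SOAR countdown or duty-officer page."""
    if c.initial_notification_due is None:
        return None
    return (c.initial_notification_due - now).total_seconds() / 3600


def sample_run() -> Dict[str, Tuple[Classification, Optional[float]]]:
    """Constructed scenarios (not real incidents) exercising each branch."""
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)   # moment of awareness
    cases = {
        # Payment rail down 3 h across two Member States, classified 1 h after awareness.
        "rail_outage": (IncidentMetrics("INC-0001", t0, service_downtime_hours=3.0,
                                        member_states_affected=2), t0 + timedelta(hours=1)),
        # 150k clients hit but classification finished 23 h in: the 24 h cap bites.
        "late_classification": (IncidentMetrics("INC-0002", t0, clients_affected_abs=150_000),
                                t0 + timedelta(hours=23)),
        # Below every threshold, but adverse press coverage: needs a leadership decision.
        "reputational": (IncidentMetrics("INC-0003", t0, clients_affected_pct=3.0,
                                         secondary={"reputational_damage"}),
                         t0 + timedelta(hours=2)),
        # Near-miss: nothing breached and no qualitative flags, but still recorded.
        "near_miss": (IncidentMetrics("INC-0004", t0, clients_affected_pct=0.5),
                      t0 + timedelta(hours=2)),
    }
    out = {}
    for name, (metrics, now) in cases.items():
        c = classify(metrics, now)
        out[name] = (c, hours_left(c, now))
    return out


if __name__ == "__main__":
    for name, (c, left) in sample_run().items():
        print(f"{name}: {c.severity} primary={c.primary_hits} "
              f"secondary={c.secondary_hits} hours_left={left}")
```

The "late_classification" case is the one worth wiring an alert to: even though the page's four-hour window starts at classification, a firm that takes 23 hours to classify has only one hour left before the 24-hour cap, so the playbook should count down from awareness as well as from classification.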
Source extracts — ESAs Q&A on DORA Incident Reporting (February 2025)
- The Q&A reiterates that firms must issue intermediate updates whenever material facts change, even if root-cause analysis is ongoing. Incident commanders should schedule update cadences and maintain a running issues log to avoid supervisory follow-up requests.
- Supervisors expect financial entities to coordinate with critical ICT providers so telemetry, recovery evidence, and classification inputs are available for each report. Vendor managers need contractual clauses enforcing these obligations and escalation contacts for every critical supplier.
- The ESAs confirm that near-miss events failing to meet “major” thresholds still require documentation within the ICT risk-management framework, enabling trend analysis and readiness for future supervisory enquiries. Risk teams must log sub-major incidents and integrate lessons learned into resilience testing plans.