Back to blog

DORA ICT incident management: classify, escalate, notify, prove

Classify a major incident, meet notification deadlines, build the evidence pack and avoid common failure points — the operational DORA essentials.

·Read time : 9 min·For CISO, compliance, operations
DORA ICT incident management

Under DORA, an incident is not an event: it is a sequence of decisions to classify, escalate, notify and prove.

Goal: move quickly from a “signal” to a traceable classification.

Notification deadline pressure

Scope

ICT incident = event affecting confidentiality, integrity or availability of systems, data or a service.

Distinguish: incidentproblem (root cause) ≠ crisis (broader command).

End-to-end chain

Detection → triage → major / non-major decision → response → recovery → post-incident RCA + actions + re-test.

Is it a major incident? (simple rule)

  1. Is a critical service hit? If no → not major under DORA. If yes → step 2.
  2. Major if confirmed intrusion OR ≥ 2 significant impacts (clients/transactions, reputation, material disruption, geography, data loss, economic impact).

Evidence pack

Timestamped chronology · key decisions · scope & impacts · actions/results · communications.

Notification milestones

Milestone Timing
Initial ASAP; ≤ 4h after major classification, and no later than ≤ 24h after awareness
Intermediate ≤ 72h after initial; updates on material change
Final ≤ 1 month after intermediate (or last intermediate)

More detail: DORA incident notification deadlines.

Where it breaks

Late or unjustified classification · no timestamped reclassification · incomplete third-party facts · reconstructed evidence · remediation not closed / not re-tested.

Axenia’s role. Axenia structures the incident path: classification, deadlines, chronology, impacted assets and functions, involved third parties — and prepares supervisor-ready exports.