Incident management
DORA ICT incident management: classify, escalate, notify, prove
Classify a major incident, meet notification deadlines, build the evidence pack and avoid common failure points — the operational DORA essentials.

Under DORA, an incident is not an event: it is a sequence of decisions to classify, escalate, notify and prove.
Goal: move quickly from a “signal” to a traceable classification.

Scope
ICT incident = event affecting confidentiality, integrity or availability of systems, data or a service.
Distinguish: incident ≠ problem (root cause) ≠ crisis (broader command).
End-to-end chain
Detection → triage → major / non-major decision → response → recovery → post-incident RCA + actions + re-test.
Is it a major incident? (simple rule)
- Is a critical service hit? If no → not major under DORA. If yes → step 2.
- Major if confirmed intrusion OR ≥ 2 significant impacts (clients/transactions, reputation, material disruption, geography, data loss, economic impact).
Evidence pack
Timestamped chronology · key decisions · scope & impacts · actions/results · communications.
Notification milestones
| Milestone | Timing |
|---|---|
| Initial | ASAP; ≤ 4h after major classification, and no later than ≤ 24h after awareness |
| Intermediate | ≤ 72h after initial; updates on material change |
| Final | ≤ 1 month after intermediate (or last intermediate) |
More detail: DORA incident notification deadlines.
Where it breaks
Late or unjustified classification · no timestamped reclassification · incomplete third-party facts · reconstructed evidence · remediation not closed / not re-tested.
Axenia’s role. Axenia structures the incident path: classification, deadlines, chronology, impacted assets and functions, involved third parties — and prepares supervisor-ready exports.
