Regulatory change

DORA incident-reporting technical standards published in the Official Journal

Regulatory change20 Feb 2025✓ verified 4 Jul 2026

What changed

Commission Delegated Regulation (EU) 2025/301 — regulatory technical standards on the content and time limits of the initial notification, intermediate report and final report for major ICT-related incidents — and Commission Implementing Regulation (EU) 2025/302 — the standard forms and templates for those reports — were published in the Official Journal on 20 February 2025. Together they fix exactly what financial entities must file, in what format, with initial-notification time limits counted in hours.

Why it matters

Incident reporting under DORA is no longer a principle but a form with a clock: the content, templates and deadlines are now binding law. Playbooks written before these standards need to be checked against them.

Who is affected

All DORA financial entities — specifically the incident-response, security-operations and regulatory-reporting teams that own the classification-to-notification flow.

What to check next

Align your major-incident playbook and report templates to Delegated Regulation 2025/301 and Implementing Regulation 2025/302, and test that your classification-to-first-notification flow meets the time limits.

Key dates

  • 2024-10-23Adopted by the Commission
  • 2025-02-20Published in the Official Journal
Source. EUR-Lex — Commission Delegated Regulation (EU) 2025/301 ↗
Document: Commission Delegated Regulation (EU) 2025/301 — CELEX 32025R0301 (with Commission Implementing Regulation (EU) 2025/302 — CELEX 32025R0302)
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Relates to DORA
← All updates