Diligence Software

DORA Regulatory Reporting: ICT Register and Incident Reporting

Diligence helps European financial institutions prepare and submit DORA reporting obligations — ICT third-party risk registers, major incident notifications, and threat intelligence reports — on time and in the correct format.

See pricingTalk to our team

DORA Reporting Obligations for Financial Institutions

The Digital Operational Resilience Act (Regulation EU 2022/2554) entered into force on 17 January 2025. It applies to a broad scope of financial entities — banks, investment firms, payment institutions, insurance undertakings, crypto-asset service providers, and more — and introduces structured reporting obligations around ICT risk management and operational incidents.

Major ICT-related incident reporting

Financial institutions must classify and notify major ICT-related incidents to their national competent authority (NCA) within defined timeframes. For banks and investment firms in France, the NCA is the ACPR. Notification follows a three-phase structure: initial notification within 4 hours of classification, intermediate report within 72 hours, and final report within one month of resolution.

The European Supervisory Authorities (EBA, ESMA, EIOPA) have defined common reporting templates. These templates use structured data fields rather than free text, and submissions must go through the standard supervisory reporting channels — ONEGATE for French entities.

ICT third-party risk register

Institutions must maintain a Register of Information (RoI) covering all contractual arrangements with ICT third-party service providers. The register must include provider details, service classification, criticality assessment, contractual references, and risk information for each arrangement. The full register must be submitted annually to the NCA in a specified structured format.

TLPT reporting (Threat-Led Penetration Testing)

Significant institutions must conduct Threat-Led Penetration Tests (TLPT) at least every three years and report results to their NCA. The test scope, methodology, and findings must be documented and submitted in a structured format. TIBER-EU and national equivalents define the TLPT framework.

Voluntary reporting of significant cyber threats

DORA also establishes a voluntary notification pathway for significant cyber threats that have not yet materialised into major incidents. Institutions may report these to their NCA on a voluntary basis; the NCA may share anonymised information with other competent authorities and ENISA.

DORA and ACPR: French Institution Obligations

For French banks, payment institutions, investment firms, and insurers, DORA obligations are supervised by the ACPR. Incident notifications and the ICT third-party register are submitted through ONEGATE or directly to ACPR through their designated secure channel.

Interaction with existing ACPR reporting

Many DORA reporting obligations run in parallel with existing ACPR prudential reporting. Institutions that already use Diligence for COREP, FINREP, or ACPR prudential submissions have an existing ONEGATE connection and user access structure that can be extended to cover DORA notifications.

DORA timeline for French institutions

Interaction with NIS2

DORA operates as a lex specialis in relation to NIS2 (the Network and Information Security Directive). Financial entities subject to DORA are exempt from the corresponding NIS2 incident reporting obligations — DORA is the applicable framework for regulated financial institutions.

ICT Third-Party Register: What Must Be Included

The Register of Information (RoI) is the most operationally significant new DORA obligation for many institutions. It covers all ICT third-party service providers — not just those deemed critical — and must be structured according to the templates defined by the ESAs.

Required data fields per arrangement

Annual submission

The complete register must be submitted annually to the NCA. Institutions must also notify the NCA of any significant changes to a critical arrangement within defined timeframes. The register is a living document — institutions need a process to maintain it in real time, not just at annual submission.

Why Choose Diligence for DORA Reporting

Existing ONEGATE connection for French institutions

French institutions already using Diligence for COREP or FINREP have an established ONEGATE connection, user structure, and submission workflow. Extending that infrastructure to cover DORA incident notifications avoids building a separate reporting channel for a new obligation.

Structured data, not free text

DORA reporting templates use structured data fields. Diligence is purpose-built for structured regulatory data preparation and submission — the same principles that underpin XBRL reporting apply to DORA notification templates.

Single platform for all regulatory reporting

Managing COREP, FINREP, Solvency II, and DORA obligations in separate tools creates operational risk. Diligence's platform consolidates regulatory reporting into a single environment — one submission workflow, one audit trail, one ONEGATE connection.

Ready for regulatory evolution

DORA's technical standards are still being finalised and updated by the ESAs. Diligence tracks regulatory developments and updates the platform — the same commitment that keeps XBRL taxonomies current applies to DORA template evolution.

Frequently Asked Questions: DORA Reporting

Does DORA apply to all financial institutions or only large banks?

DORA applies to a broad scope of financial entities — banks, investment firms, payment institutions, e-money institutions, insurance undertakings, crypto-asset service providers, and others. The proportionality principle applies: some obligations (like TLPT) apply only to significant institutions, but ICT incident reporting and the third-party register apply broadly.

What is the timeline for major ICT incident notification under DORA?

Initial notification: within 4 hours of classifying an incident as major. Intermediate report: within 72 hours of initial classification. Final report: within one month of incident resolution. These are tight timelines that require pre-built reporting workflows, not improvised responses.

How does DORA interact with existing ACPR reporting obligations?

DORA adds new reporting obligations on top of existing prudential and statistical reporting. It does not replace existing ACPR obligations. French institutions in scope must comply with both — DORA reporting routes through ACPR as the national competent authority.

Can Diligence help with both the ICT register and incident notifications?

Yes. Diligence's platform supports both the structured data preparation for the ICT third-party register and the notification workflows for major incidents. Institutions already using Diligence for COREP or FINREP can extend their existing ONEGATE setup to cover DORA obligations.

Prepare for DORA reporting with Diligence

ICT incident notifications, third-party register submissions, ONEGATE integration — manage all DORA obligations in the same platform you use for COREP and FINREP.

See pricingTalk to our team