In case of major incidents, the organization must report them to the authorities defined in their national application of DORA. Reporting of major incidents should include:
- First notification
- Intermediate report (as status of the incident changes)
- Final report when root cause analysis is done
When an incident affects clients' financial interests, they must be promptly informed and provided with necessary details about mitigation actions. In the case of cyber threats, clients should be notified if they might be affected and advised on protective measures to take.
The relevant competent authorities are defined in Article 46 of DORA