DORA Article 19 Incident Reporting
DORA doesn't ask for an incident report. It asks for three — initial, intermediate, and final — each with its own mandatory fields, timing, and evidentiary weight.
Trusted by compliance and risk teams
Banks · Designated investment firms · Payment service providers · Solvency II insurers · SMCR firms
Maximum time to submit your initial report to your NCA from the moment a major incident is identified.
Initial · Intermediate · Final. Each phase carries distinct mandatory fields under DORA Article 19 and the applicable RTS.
Of global annual turnover. The maximum fine for failure to meet DORA incident management and reporting obligations.
Copla manages the full lifecycle of DORA incident notifications — from classification against Article 18 criteria to a completed, export-ready report for your National Competent Authority.
Article 18 incident triggers and classification criteria are built into the workflow: pre-defined, consistent, and documented with a named assessor.
Initial, intermediate, and final reports have separate data fields. Deadlines are calculated from detection. Each phase status is visible at a glance.
When each phase is complete, the report is formatted for NCA submission and ready to export. The submission record is retained in the audit trail.
When you create an incident report in Copla, the incident trigger is selected from a pre-defined list mapped to DORA Article 18 criteria — clients and financial counterparts affected, service availability impacted, data integrity compromised, and others. This is not a free-text field. The trigger selection drives the classification, ensuring the report reflects the regulatory category rather than an informal description.
DORA Article 19 requires three separate submissions: initial, intermediate, and final. Each is built into the Copla incident record from the moment an incident is created. Each has its own mandatory fields, its own deadline, and its own status, such as not created, in progress, or ready to export.
When a phase report reaches ready-to-export status, Copla produces it in the format your NCA requires. All mandatory fields are pre-populated from the classification workflow. You review, confirm, and submit. The export timestamp is recorded in the audit trail.
DORA Article 17(3)(e) requires the management body to be informed of every major incident. Impact, response, and additional controls must all be documented, separately from the NCA submission. Copla records who was notified, when, and what they were told. Both obligations are evidenced independently. The incident reference code ties every record together.
We work with legal advisors, compliance consultancies, and referral partners — each in a model designed around how you actually operate.
DORA's first full enforcement year is underway. The firms that are exposed are not the ones that haven't heard of the regulation — they're the ones whose three-phase reporting process hasn't been built yet.
FAQ
Yes. Copla Incident Reporting is built for DORA Article 19: the three-phase notification obligation to National Competent Authorities. The incident triggers, classification criteria, and mandatory report fields reflect the DORA regulation and applicable RTS directly.
It means all mandatory fields for that reporting phase have been completed, the report is structured in the format required for NCA submission, and the export action is available. You review the output, confirm it, and submit to your NCA through your designated channel.
Yes. The classification workflow steps through the Article 18 criteria in a fixed sequence. The decision — reportable or not reportable — is documented with the assessor's name and the rationale recorded. The same process prevents over-reporting as well as under-reporting.
Yes. Copla offers a separate Vendor Management module that holds your vendor contacts, risk tiers, certifications, and contract records in one place. Under DORA, a vendor-caused disruption is still your incident to classify and report — and the vendor context you need is already in Copla.
Most firms are operational within two weeks of onboarding. Setup includes confirming your entity LEI, configuring incident owners and notification recipients, and verifying your NCA submission channel. There is no lengthy implementation project.
Yes. DORA Article 17(3)(e) requires the management body to be informed of major incidents — independently of the NCA report. Copla logs when this notification was sent, to whom, and what it contained. That record is stored separately from the incident report so both can be evidenced independently.