Pillar II: ICT-Related Incident Management
Article 17

Chapter III — ICT-related incident management, classification and reporting

Section I — ICT-related incident management

ICT-related incident management process

Tags: incident-management, detection, classification, root-cause-analysis

Summary

Requires financial entities to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. The process must include early warning indicators, procedures for identifying, tracking, logging, categorizing and classifying incidents, and assigning roles and responsibilities.

Key Requirements

  1. Establish a comprehensive ICT-related incident management process
  2. Implement early warning indicators and detection mechanisms
  3. Define procedures for incident identification, tracking, and classification
  4. Assign clear roles and responsibilities for incident management
  5. Ensure root cause analysis for all significant incidents

Detailed Analysis

Article 17 establishes the foundation for ICT-related incident management, a capability that sits at the heart of DORA's second pillar. Financial entities must create a structured process that covers the entire incident lifecycle — from initial detection through resolution and post-incident review.

The incident management process must begin with effective detection. Entities are required to implement early warning indicators that can signal developing problems before they escalate into full incidents. These indicators should cover technical metrics (system health, performance thresholds, error rates) and contextual signals (threat intelligence, vulnerability disclosures, unusual patterns).

Once detected, incidents must be systematically tracked, logged, and classified according to severity and impact. The classification determines the response priority, resource allocation, and whether the incident counts as major and therefore triggers the reporting obligations of Article 19. Article 17 works in conjunction with Article 18, which provides the detailed classification criteria and thresholds.
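The two preceding paragraphs describe early warning indicators and the tracking and classification of what they surface. The following is an added example, not code from the original page and not derived from any DORA text, showing how a minimal pipeline of that shape looks in practice: per-minute error-rate and latency indicators computed from constructed service logs, a minimum-sample guard so one failed call cannot page anyone, and escalation into a tracked incident record only when the same indicator breaches in consecutive windows. The log format, the thresholds, the role name and the "pending" classification placeholder are all assumptions chosen for illustration; a real deployment would set the thresholds per service and classify against the entity's own Article 18 criteria.

```python
"""Early warning indicators over service logs, escalating into tracked incident records.

Added example. Log format, thresholds and role names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log (not captured from any real system).
# Fields: ISO-8601 timestamp, service, HTTP status, latency in ms.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z payments 200 120
2024-03-01T09:00:12Z payments 200 110
2024-03-01T09:00:20Z payments 200 130
2024-03-01T09:00:31Z payments 200 125
2024-03-01T09:00:44Z payments 200 118
2024-03-01T09:01:03Z payments 200 140
2024-03-01T09:01:09Z payments 503 1200
2024-03-01T09:01:17Z payments 200 150
2024-03-01T09:01:25Z payments 502 1100
2024-03-01T09:01:40Z payments 200 160
2024-03-01T09:02:02Z payments 503 1000
2024-03-01T09:02:10Z payments 200 170
2024-03-01T09:02:21Z payments 503 1100
2024-03-01T09:02:33Z payments 200 165
2024-03-01T09:02:47Z payments 503 1050
2024-03-01T09:03:05Z payments 503 2000
2024-03-01T09:03:20Z payments 200 150
this line is malformed and must be skipped
2024-03-01T09:01:04Z auth 200 900
2024-03-01T09:01:15Z auth 200 950
2024-03-01T09:01:26Z auth 200 1000
2024-03-01T09:01:37Z auth 200 880
2024-03-01T09:01:48Z auth 200 920
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class Window:
    """Request counters for one (service, minute) bucket."""
    total: int = 0
    errors: int = 0
    latency_sum: int = 0

    @property
    def error_rate(self) -> float:
        return self.errors / self.total if self.total else 0.0

    @property
    def mean_latency(self) -> float:
        return self.latency_sum / self.total if self.total else 0.0


def parse_log(text):
    """Yield (minute_bucket, service, status, latency_ms); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts.replace(second=0), m.group(2), int(m.group(3)), int(m.group(4))


def aggregate(text):
    """Bucket requests per (service, minute); 5xx responses count as errors."""
    buckets = defaultdict(Window)
    for minute, service, status, latency in parse_log(text):
        w = buckets[(service, minute)]
        w.total += 1
        w.latency_sum += latency
        if status >= 500:
            w.errors += 1
    return dict(buckets)


def evaluate_indicators(buckets, error_rate_threshold=0.2, latency_threshold_ms=800.0, min_requests=5):
    """Return (service, minute, indicator, value) for each window that breaches a threshold.

    Windows with fewer than min_requests samples are ignored so a single failed call
    cannot raise a warning on its own. Thresholds are assumed values for this example.
    """
    warnings = []
    for (service, minute), w in sorted(buckets.items(), key=lambda kv: kv[0]):
        if w.total < min_requests:
            continue
        if w.error_rate >= error_rate_threshold:
            warnings.append((service, minute, "error_rate", round(w.error_rate, 3)))
        if w.mean_latency >= latency_threshold_ms:
            warnings.append((service, minute, "latency_ms", round(w.mean_latency, 1)))
    return warnings


@dataclass
class Incident:
    """Tracked incident record: identifier, owner, status and classification placeholder."""
    incident_id: str
    service: str
    indicator: str
    detected_at: datetime
    owner_role: str = "on-call incident manager"   # assumed role name
    status: str = "open"
    classification: str = "pending"                # to be set against the entity's Article 18 criteria
    timeline: list = field(default_factory=list)


def open_incidents(warnings, consecutive_windows=2):
    """Open one incident per (service, indicator) that breaches in N consecutive minutes.

    A single noisy window stays an early warning and is not escalated.
    """
    by_key = defaultdict(list)
    for service, minute, indicator, value in warnings:
        by_key[(service, indicator)].append((minute, value))
    incidents = []
    for (service, indicator), hits in sorted(by_key.items()):
        hits.sort()
        run = 1
        for i in range(1, len(hits)):
            run = run + 1 if hits[i][0] - hits[i - 1][0] == timedelta(minutes=1) else 1
            if run == consecutive_windows:
                first = hits[i - consecutive_windows + 1][0]
                inc = Incident(incident_id=f"INC-{len(incidents) + 1:04d}", service=service,
                               indicator=indicator, detected_at=first)
                inc.timeline.append(f"{hits[i][0].isoformat()} opened after "
                                    f"{consecutive_windows} consecutive breaches")
                incidents.append(inc)
                break
    return incidents


if __name__ == "__main__":
    found = evaluate_indicators(aggregate(SAMPLE_LOG))
    for warning in found:
        print("early warning:", warning)
    for incident in open_incidents(found):
        print("incident:", incident)
```

Run as-is, the script raises three early warnings (a one-minute latency spike on auth and two consecutive error-rate breaches on payments) and opens exactly one incident, for payments, with its classification left at "pending" until it is assessed against the entity's classification criteria. The consecutive-window rule is the part worth tuning: it is what separates an indicator that signals a developing problem from an alert that fires on every transient blip.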

Root cause analysis is mandatory for significant incidents. Understanding why an incident occurred — not just what happened — is essential for preventing recurrence and improving the overall resilience posture. The article requires that findings from root cause analysis feed back into the ICT risk management framework, creating a virtuous cycle of learning and improvement aligned with the requirements of Article 13.
