Major ICT-related incident reporting and significant cyber threats
Major ICT-related incident reporting
Pension schemes subject to DORA are obliged to report major ICT-related incidents to the Pensions Authority within prescribed timeframes using these reporting templates.
An ICT-related incident is considered major where the criteria and thresholds set out in the regulatory technical standards are met.
Completed reporting templates must be emailed to DORA_incidents@pensionsauthority.ie within the timeframes set out in the final report on the relevant draft technical standards. These are summarised below:
| Type of report | Notification time limit* |
| --- | --- |
| Initial report | As early as possible, but in any case, within 4 hours of the classification of the incident as major but no later than 24 hours from the time the scheme became aware of the incident. |
| Intermediate report and updated intermediate report | At the latest within 72 hours from the submission of the initial notification. An updated intermediate report must be submitted once regular activities have been recovered. |
| Major incident reclassified as non-major report | As soon as it is determined that the incident reported as major at no time fulfilled the required classification criteria and materiality thresholds. |
| Final report | No later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report. |
* Where the time limit for the submission of any of the above reports falls on a weekend day or a bank holiday, the pension scheme may submit the report by noon of the next working day.
Notifying the Pensions Authority of significant cyber threats
The DORA regulation requires in-scope pension schemes to record significant cyber threats. Voluntary reports of significant cyber threats which are deemed of relevance to the financial system, service users or clients should be emailed to DORAcyberthreats@pensionsauthority.ie using the template below.
Further information
For further information, see:
- Final report on the draft RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats.
- Regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- Pensions Authority Q&A on DORA