It is 09:40 on a Tuesday and your payment institution's core processing platform has been down for two hours. The incident team has just confirmed unauthorised access, and customer personal data may be affected. From this moment, three EU reporting regimes are each running their own clock — with different triggers, different recipients, and different deadlines. None of them waits for the other two.
The three clocks, side by side
| Stage | DORA Art. 19 (+ RTS (EU) 2025/301, Art. 5) | GDPR Art. 33–34 | NIS2 Art. 23 |
|---|---|---|---|
| Clock starts | Classification of the incident as major (and, independently, the moment of awareness) | Awareness of a personal data breach | Awareness of a significant incident |
| First notification | Initial notification within 4 hours of classification and in any event no later than 24 hours from awareness, whichever comes first — to the competent financial authority | — | Early warning within 24 hours of awareness — to the CSIRT or competent authority |
| 72-hour stage | Intermediate report within 72 hours from submission of the initial notification | Notification to the supervisory authority within 72 hours of awareness; affected data subjects informed without undue delay where the breach is high-risk (Art. 34) | Incident notification with initial assessment within 72 hours of awareness |
| Final report | No later than one month after the intermediate report (or its latest update) | — (documentation duty under Art. 33(5) continues) | Final report within one month of the incident notification |
| Weekend / holiday relief | Next-working-day relief exists in the RTS — but not for credit institutions, CCPs, trading venues, or NIS2 essential/important entities | None. The 72 hours run through the weekend | None in the directive baseline |
Which clocks actually apply to a payment institution
Not all three. NIS2 Article 4(1)–(2) makes DORA lex specialis for financial entities: where a sector-specific Union act imposes incident-notification obligations at least equivalent in effect, the corresponding NIS2 provisions do not apply, and DORA Article 1(2) declares itself to be such an act for financial entities identified as essential or important. A payment institution in DORA scope therefore reports the ICT incident under DORA's clocks, not NIS2's. GDPR is not displaced by either: the Article 33 clock runs in parallel from the moment the entity becomes aware that personal data is involved. The practical risk, as the verified conflict records below put it, is misclassifying which regime applies, not double reporting. Two clocks, not three, but they neither share a trigger nor line up. DORA's initial notification is always due within 24 hours of awareness of the incident, so it lands well inside GDPR's 72 hours; the DORA intermediate report, due 72 hours from submission of the initial notification, can fall after the GDPR deadline; and the two awareness moments can themselves differ, because the GDPR clock starts only once you know personal data is affected, which may be later than the moment you knew the platform was compromised.
The verified conflicts underneath this page
These four cross-regulatory conflicts are published only after human verification against the provision text. Descriptions are verbatim from the Fontvera conflict register.
| Provision A | Provision B | Severity | Description |
|---|---|---|---|
| DORA Art 18 | GDPR Art 33 | high | [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities. |
| DORA Art 19 | NIS2 Directive Art 23 | high | [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting (initial notification 4h after classification / within 24h of awareness), while NIS2 sets a 24h early-warning and 72h notification track. RESOLUTION: NIS2 Art 4(1)-(2) makes DORA lex specialis — financial entities in DORA scope report under DORA, not NIS2. The practical risk is misclassifying which regime applies, not double reporting. |
| DORA Art 18 | NIS2 Directive Art 23 | high | [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying major ICT incidents (RTS 2024), whereas NIS2 relies on member-state definitions of significant incidents. RESOLUTION: NIS2 Art 4(1)-(2) makes DORA lex specialis for financial entities — DORA classification criteria control. Divergent national NIS2 definitions still matter for group entities outside DORA scope. |
| GDPR Art 33 | NIS2 Directive Art 23 | high | [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents. |
Where member states diverge on the NIS2 clocks
DORA is a regulation — the same clocks in every member state. NIS2 is a directive, and the clocks above are only the baseline: each member state transposes them into national law, and some have changed them. This matters for group entities outside DORA scope — a sister company, a group IT provider, or an ancillary services entity caught by NIS2 directly. Fontvera has verified the reporting-timeline provision in 25 of 27 national transposition acts against the national source; five worth knowing about:
| Country | Reporting clocks in the national act | National act |
|---|---|---|
| CY | Stricter than the directive: initial notification of a significant incident within six hours (vs the directive's 24-hour early warning), full notification within 72 hours, and a final report within one month. | Ν. 60(Ι)/2025 (amending Ν. 89(Ι)/2020) |
| PT | Initial notification without undue delay and within 24 hours of concluding that a significant incident exists or may occur; notification within 24 hours after the significant impact ends; final report within 30 working days of the end-of-impact notification, all via the CNCS MyCiber platform. | Decreto-Lei n.º 125/2025 of 4 December (Diário da República, 1st series, 04-12-2025) |
| CZ | Initial incident report without undue delay via the NUKIB portal; where the incident has significant impact: further report within 72 hours, interim report on request, final report within 30 days (60 days if the incident is still ongoing). NUKIB confirms the significant-impact assessment within 24 hours for higher-regime providers. | Zákon č. 264/2025 Sb., o kybernetické bezpečnosti (Act No. 264/2025 Coll., on cybersecurity) |
| FI | First notification within 24 hours of detecting the significant incident and follow-up notification within 72 hours of detection (11 §); interim report on request (12 §); final report to the supervisory authority within one month of the follow-up notification, or for prolonged incidents within one month after handling ends (13 §). Trust service providers: follow-up within 24 hours. | Kyberturvallisuuslaki 124/2025 (Cybersecurity Act 124/2025) |
| DK | Early warning without undue delay and within 24 hours; incident notification within 72 hours; interim report on CSIRT request; final report within one month of the incident notification (or one month after handling if ongoing). Trust service providers: notification within 24 hours (§ 13). | Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025 (Act on measures to ensure a high level of cybersecurity, the NIS 2 Act, Act No. 434 of 6 May 2025) |
Cyprus is the standout: a six-hour initial notification, four times tighter than the directive's 24-hour early warning. Portugal counts in working days and ties clocks to end of impact. Czechia routes everything through the NUKIB portal with its own confirmation step. If your group has entities reporting under national NIS2 law rather than DORA, the baseline table above is not what applies to them.
FAQ
We are a payment institution — do we report under NIS2 or DORA?
DORA. NIS2 Article 4(1)–(2) disapplies the NIS2 notification provisions where a sector-specific Union act imposes obligations at least equivalent in effect, DORA Article 1(2) states that it is such an act for financial entities, and the Commission and the ESAs treat DORA's incident-reporting regime accordingly. You follow DORA Article 19 and RTS (EU) 2025/301: initial notification within 4 hours of classification and no later than 24 hours from awareness, whichever comes first; intermediate report within 72 hours of submitting the initial notification; final report within one month of the intermediate report. Your NIS2-scoped group entities that are not financial entities still report under their national NIS2 transposition.
Does the GDPR 72-hour clock still run?
Yes, always, in parallel, whenever personal data is or may be affected. The clock starts when you become aware of the personal data breach, not when you became aware of the ICT incident, and the only exemption is Article 33(1)'s own carve-out for breaches unlikely to result in a risk to the rights and freedoms of natural persons. The notification goes to the data protection authority, a different regulator from your DORA competent authority. One incident can lawfully require two notifications to two authorities on two clocks.
Do the weekend extensions line up?
No. GDPR's 72 hours run through the weekend. DORA's RTS gives next-working-day relief to some entities but explicitly not to credit institutions, CCPs, trading venues, or NIS2 essential/important entities — check which side of that line each group entity sits on before assuming the relief applies.
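A worked example of the two-clock arithmetic, covering both the "which clocks apply" reasoning above and the weekend question in this FAQ. This is an added illustration written for this page; it is not code from the original page or from Fontvera. The clock rules are the ones in the table at the top of the page: DORA initial notification 4 hours from classification, capped at 24 hours from awareness; intermediate report 72 hours from submission of the initial notification; final report one month after the intermediate; GDPR Article 33 at 72 hours from awareness of the personal data breach, with no relief. Two things are assumptions to verify against Article 5 of RTS (EU) 2025/301 rather than facts the page states: that the next-working-day relief covers the initial notification and the intermediate report, and that the rolled deadline is noon on that working day. All incident timestamps are constructed.

```python
# Added example, not from the original page: a deadline calculator for the two
# clocks a DORA-scope payment institution runs, DORA Art. 19 (RTS (EU) 2025/301
# Art. 5) and GDPR Art. 33. Clock rules follow the page's table. ASSUMPTIONS to
# check against the RTS text: relief covers the initial notification and the
# intermediate report, and rolls the deadline to noon on the next working day.
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

RELIEF_CUTOFF = time(12, 0)  # ASSUMPTION: time of day on the next working day


@dataclass
class Incident:
    aware_at: datetime                            # awareness of the ICT incident (DORA 24h cap)
    classified_major_at: Optional[datetime]       # classification as major (DORA 4h clock); None = not yet
    personal_data_aware_at: Optional[datetime]    # awareness that personal data is affected (GDPR clock)
    working_day_relief: bool                      # False for credit institutions, CCPs, trading venues, NIS2 essential/important entities
    bank_holidays: frozenset[date] = frozenset()  # bank holidays of the entity's member state


def is_working_day(d: date, holidays: frozenset[date]) -> bool:
    return d.weekday() < 5 and d not in holidays


def apply_relief(due: datetime, inc: Incident) -> datetime:
    """Next-working-day relief: a deadline that lands on a weekend or bank holiday
    rolls to RELIEF_CUTOFF on the next working day. No-op for excluded entities."""
    if not inc.working_day_relief or is_working_day(due.date(), inc.bank_holidays):
        return due
    d = due.date()
    while not is_working_day(d, inc.bank_holidays):
        d += timedelta(days=1)
    return datetime.combine(d, RELIEF_CUTOFF)


def add_one_month(dt: datetime) -> datetime:
    """Calendar month, clamped to the last day of the target month (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def dora_initial_due(inc: Incident) -> datetime:
    """4 hours from classification, never later than 24 hours from awareness.
    Before classification the 24-hour cap is the only date: classify and notify inside it."""
    cap = inc.aware_at + timedelta(hours=24)
    due = cap if inc.classified_major_at is None else min(inc.classified_major_at + timedelta(hours=4), cap)
    return apply_relief(due, inc)


def schedule(inc: Incident, initial_submitted_at: Optional[datetime] = None,
             intermediate_submitted_at: Optional[datetime] = None) -> dict[str, object]:
    """Every deadline that applies. Later DORA stages chain off actual submission
    times; until a report is submitted they are projected from the preceding deadline."""
    initial = dora_initial_due(inc)
    intermediate = apply_relief((initial_submitted_at or initial) + timedelta(hours=72), inc)
    final = add_one_month(intermediate_submitted_at or intermediate)  # no relief modelled for the final report
    gdpr = None if inc.personal_data_aware_at is None else inc.personal_data_aware_at + timedelta(hours=72)
    return {
        "dora_initial": initial,
        "dora_intermediate": intermediate,
        "dora_final": final,
        "gdpr_art33": gdpr,  # runs through the weekend, no relief
        "dora_intermediate_after_gdpr": gdpr is not None and intermediate > gdpr,
    }


def scenario_tuesday() -> dict[str, object]:
    """The page's opening scene with constructed timestamps: aware Tue 2026-03-10 09:40,
    classified major at 14:00, personal data known affected from the start,
    initial notification actually submitted at 17:30."""
    inc = Incident(aware_at=datetime(2026, 3, 10, 9, 40),
                   classified_major_at=datetime(2026, 3, 10, 14, 0),
                   personal_data_aware_at=datetime(2026, 3, 10, 9, 40),
                   working_day_relief=True)
    return schedule(inc, initial_submitted_at=datetime(2026, 3, 10, 17, 30))


def scenario_friday_night(relief: bool) -> dict[str, object]:
    """Constructed: aware Fri 2026-03-13 20:00, classified 22:00, so the 4-hour clock
    lands on Saturday 02:00. relief=True models a payment institution, relief=False a
    credit institution or any NIS2 essential/important entity."""
    inc = Incident(aware_at=datetime(2026, 3, 13, 20, 0),
                   classified_major_at=datetime(2026, 3, 13, 22, 0),
                   personal_data_aware_at=datetime(2026, 3, 13, 20, 0),
                   working_day_relief=relief)
    return schedule(inc)


if __name__ == "__main__":
    for name, sched in [("tuesday", scenario_tuesday()),
                        ("friday, relief", scenario_friday_night(True)),
                        ("friday, no relief", scenario_friday_night(False))]:
        print(name)
        for stage, due in sched.items():
            print(f"  {stage:30} {due}")
```

Run it and the Tuesday scenario puts the DORA intermediate report at Friday 17:30, after the GDPR 72-hour deadline at 09:40 that morning, which is the ordering the "Which clocks actually apply" section describes. The Friday-night scenario shows one incident producing a Monday-noon DORA initial deadline for a payment institution and a Saturday 02:00 deadline for a credit institution, while the GDPR clock expires at Monday 20:00 for both. Plug your own bank-holiday set into `bank_holidays` before trusting the rolled dates.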
Method note: the DORA clocks above were checked against Article 5 of Commission Delegated Regulation (EU) 2025/301; the conflict rows are human-verified against the provision text before publication; the member-state rows come from Fontvera's transposition register, where every verified entry's national source was live-checked at extraction time. Extracted from the primary sources — not summarised from memory.