§ DORA · GDPR · NIS2 Directive BRIEFING

One incident. Three clocks. Different regulators.

A major ICT incident at a payment institution starts the DORA, GDPR and NIS2 reporting clocks at once — with different triggers, recipients and deadlines. Here is the whole picture, verified against the provision text.

Summary

A major ICT incident at a payment institution triggers up to three EU reporting regimes at once. DORA Article 19 (with RTS (EU) 2025/301) demands an initial notification within 4 hours of classifying the incident as major and no later than 24 hours from awareness, an intermediate report within 72 hours of the initial notification, and a final report within one month. GDPR Article 33 runs in parallel whenever personal data is affected: 72 hours from awareness, to a different regulator. NIS2 Article 23 sets a 24-hour early warning and 72-hour notification — but NIS2 Article 4 makes DORA lex specialis, so a payment institution in DORA scope reports under DORA, not NIS2. The NIS2 clocks still matter for group entities outside DORA scope, and member states diverge in transposing them: Cyprus requires initial notification within six hours, Portugal counts in working days, Czechia adds its own portal-confirmation step.

Who this applies to
Compliance directors at payment institutions, e-money institutions, fintechs, and insurers running incident response under DORA while GDPR and (for non-financial group entities) national NIS2 law run in parallel.
Compliance deadline
None
§ Key articles

What the law says

DORA Art 19
Reporting of major ICT-related incidents — initial notification 4h from classification / 24h from awareness (RTS (EU) 2025/301 Art 5)
GDPR Art 33
Notification of a personal data breach to the supervisory authority within 72 hours of awareness
NIS2 Art 23
Early warning within 24 hours, incident notification within 72 hours, final report within one month — as transposed by each member state
§ Detail

In depth

It is 09:40 on a Tuesday and your payment institution's core processing platform has been down for two hours. The incident team has just confirmed unauthorised access, and customer personal data may be affected. From this moment, three EU reporting regimes are each running their own clock — with different triggers, different recipients, and different deadlines. None of them waits for the other two.

The three clocks, side by side

| Stage | DORA Art. 19 (+ RTS (EU) 2025/301, Art. 5) | GDPR Art. 33–34 | NIS2 Art. 23 |
|---|---|---|---|
| Clock starts | Classification of the incident as major (and, independently, the moment of awareness) | Awareness of a personal data breach | Awareness of a significant incident |
| First notification | Initial notification within 4 hours of classification and no later than 24 hours from awareness — to the competent financial authority | — | Early warning within 24 hours of awareness — to the CSIRT or competent authority |
| 72-hour stage | Intermediate report within 72 hours from submission of the initial notification | Notification to the supervisory authority within 72 hours of awareness; affected data subjects informed without undue delay where the breach is high-risk (Art. 34) | Incident notification with initial assessment within 72 hours of awareness |
| Final report | No later than one month after the intermediate report (or its latest update) | — (documentation duty under Art. 33(5) continues) | Final report within one month of the incident notification |
| Weekend / holiday relief | Next-working-day relief exists in the RTS — but not for credit institutions, CCPs, trading venues, or NIS2 essential/important entities | None. The 72 hours run through the weekend | None in the directive baseline |

Which clocks actually apply to a payment institution

Not all three. NIS2 Article 4(1)–(2) makes DORA lex specialis for financial entities: where DORA imposes at least equivalent obligations, the DORA regime applies instead of the NIS2 one. A payment institution in DORA scope therefore reports the ICT incident under DORA's clocks, not NIS2's. GDPR is not displaced by either — the Article 33 clock runs in parallel the moment personal data is involved. The practical risk, as the verified conflict records below put it, is misclassifying which regime applies, not double reporting. Two clocks, not three — but the two do not share a trigger: DORA's initial notification can fall due before or after GDPR's 72 hours depending on when classification happens.

The verified conflicts underneath this page

These four cross-regulatory conflicts are published only after human verification against the provision text. Descriptions are verbatim from the Fontvera conflict register.

| Provision A | Provision B | Severity | Description |
|---|---|---|---|
| DORA Art 18 | GDPR Art 33 | high | [entity affected: Financial entities] DORA requires reporting of major ICT incidents to competent authorities based on specific criteria, while GDPR requires notification of personal data breaches to supervisory authorities within 72 hours; differing timelines and definitions may create conflicting reporting priorities. |
| DORA Art 19 | NIS2 Directive Art 23 | high | [entity affected: Financial entities classified as essential/important] DORA imposes specific, strict timelines for incident reporting (initial notification 4h after classification / within 24h of awareness), while NIS2 sets a 24h early-warning and 72h notification track. RESOLUTION: NIS2 Art 4(1)-(2) makes DORA lex specialis — financial entities in DORA scope report under DORA, not NIS2. The practical risk is misclassifying which regime applies, not double reporting. |
| DORA Art 18 | NIS2 Directive Art 23 | high | [entity affected: Financial entities classified as essential/important] DORA defines specific criteria for classifying major ICT incidents (RTS 2024), whereas NIS2 relies on member-state definitions of significant incidents. RESOLUTION: NIS2 Art 4(1)-(2) makes DORA lex specialis for financial entities — DORA classification criteria control. Divergent national NIS2 definitions still matter for group entities outside DORA scope. |
| GDPR Art 33 | NIS2 Directive Art 23 | high | [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents. |

Where member states diverge on the NIS2 clocks

DORA is a regulation — the same clocks in every member state. NIS2 is a directive, and the clocks above are only the baseline: each member state transposes them into national law, and some have changed them. This matters for group entities outside DORA scope — a sister company, a group IT provider, or an ancillary services entity caught by NIS2 directly. Fontvera has verified the reporting-timeline provision in 25 of 27 national transposition acts against the national source; five worth knowing about:

| Country | Reporting clocks in the national act | National act |
|---|---|---|
| CY | Stricter than the directive: initial notification of a significant incident within SIX (6) hours (vs the directive's 24-hour early warning), full notification within 72 hours, and a final report within one month. | Law 60(I)/2025 (amending Law 89(I)/2020) |
| PT | Initial notification without undue delay and within 24 hours of concluding that a significant incident exists or may occur; notification within 24 hours after the significant impact ends; final report within 30 working days of the end-of-impact notification, via the CNCS MyCiber platform. | Decreto-Lei n.º 125/2025 of 4 December (Diário da República, 1st series, 04-12-2025) |
| CZ | Initial incident report without undue delay via the NUKIB Portal; where the incident has significant impact: further report within 72 hours, interim report on request, final report within 30 days (60 days if the incident is still ongoing). NUKIB confirms the significant-impact assessment within 24 hours for higher-regime providers. | Act No. 264/2025 Coll., on cybersecurity (Zákon č. 264/2025 Sb.) |
| FI | First notification within 24 hours of detecting the significant incident and follow-up notification within 72 hours of detection (11 §); interim report on request (12 §); final report to the supervisory authority within one month of the follow-up notification, or for prolonged incidents within one month after handling ends (13 §). Trust service providers: follow-up within 24 hours. | Cybersecurity Act 124/2025 (Kyberturvallisuuslaki 124/2025) |
| DK | Early warning without undue delay and within 24h; incident notification within 72h; interim report on CSIRT request; final report within 1 month of the incident notification (or 1 month after handling if ongoing). Trust service providers: notification within 24h (§ 13). | Act on measures to ensure a high level of cybersecurity (NIS 2 Act), Act no. 434 of 06/05/2025 (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau, LOV nr 434 af 06/05/2025) |

Cyprus is the standout: a six-hour initial notification, four times tighter than the directive's 24-hour early warning. Portugal counts in working days and ties clocks to end of impact. Czechia routes everything through the NUKIB portal with its own confirmation step. If your group has entities reporting under national NIS2 law rather than DORA, the baseline table above is not what applies to them.

FAQ

We are a payment institution — do we report under NIS2 or DORA?

DORA. NIS2 Article 4(1)–(2) defers to sector rules with at least equivalent effect, and the Commission and the ESAs treat DORA's incident-reporting regime as exactly that. You follow DORA Article 19 and RTS (EU) 2025/301: 4 hours from classification / 24 hours from awareness, intermediate at 72 hours, final at one month. Your NIS2-scoped group entities that are not financial entities still report under their national NIS2 transposition.

Does the GDPR 72-hour clock still run?

Yes, always, in parallel, whenever personal data is or may be affected — to the data protection authority, which is a different regulator than your DORA competent authority. One incident can lawfully require two notifications to two authorities on two clocks.

Do the weekend extensions line up?

No. GDPR's 72 hours run through the weekend. DORA's RTS gives next-working-day relief to some entities but explicitly not to credit institutions, CCPs, trading venues, or NIS2 essential/important entities — check which side of that line each group entity sits on before assuming the relief applies.
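The deadline arithmetic from the side-by-side table, the lex specialis rule for which clocks apply, and the weekend-relief answer above, worked as an added Python example (not Fontvera's code or tooling). The incident dates are constructed; "one month" is approximated as 30 days, the RTS next-working-day relief is modelled as a plain Saturday/Sunday roll-forward with national holidays ignored, and the intermediate report is assumed to count from an initial notification submitted exactly at its deadline; all three are assumptions, not provision text.

```python
from datetime import datetime, timedelta

# Constructed scenario from the briefing: down since 07:40, classified major at 09:40 on a Tuesday.
AWARENESS = datetime(2026, 6, 2, 7, 40)   # constructed date (a Tuesday)
CLASSIFIED = datetime(2026, 6, 2, 9, 40)
MONTH = timedelta(days=30)                 # assumption: "one month" taken as 30 days

def next_working_day(t: datetime) -> datetime:
    # Assumed model of the RTS relief: a Sat/Sun deadline rolls to Monday at the
    # same clock time; national holidays are ignored.
    while t.weekday() >= 5:
        t += timedelta(days=1)
    return t

def dora_deadlines(awareness, classified, weekend_relief=False):
    # Initial notification: 4h from classification, capped at 24h from awareness.
    initial = min(classified + timedelta(hours=4), awareness + timedelta(hours=24))
    if weekend_relief:  # not for credit institutions, CCPs, trading venues, NIS2 entities
        initial = next_working_day(initial)
    # Intermediate report counts from submission of the initial notification
    # (assumed submitted exactly at its deadline); final report one month later.
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial, "intermediate": intermediate, "final": intermediate + MONTH}

def gdpr_deadline(awareness):
    return awareness + timedelta(hours=72)  # Art 33: the 72 hours run through the weekend

def nis2_deadlines(awareness):
    # Directive baseline only; national transposition (e.g. the Cyprus 6h rule) can differ.
    notification = awareness + timedelta(hours=72)
    return {"early_warning": awareness + timedelta(hours=24),
            "notification": notification, "final": notification + MONTH}

def applicable_regimes(dora_scope: bool, personal_data: bool) -> list:
    # NIS2 Art 4(1)-(2): DORA is lex specialis, so a DORA-scope entity reports under
    # DORA rather than NIS2; GDPR runs in parallel whenever personal data is involved.
    regimes = ["DORA"] if dora_scope else ["NIS2"]
    return regimes + (["GDPR"] if personal_data else [])

def timeline(awareness, classified, dora_scope, personal_data, weekend_relief=False):
    # Every applicable deadline for one incident, earliest first.
    events = []
    for regime in applicable_regimes(dora_scope, personal_data):
        if regime == "DORA":
            events += [("DORA " + k, v) for k, v in dora_deadlines(awareness, classified, weekend_relief).items()]
        elif regime == "NIS2":
            events += [("NIS2 " + k, v) for k, v in nis2_deadlines(awareness).items()]
        else:
            events.append(("GDPR Art 33 notification", gdpr_deadline(awareness)))
    return sorted(events, key=lambda e: e[1])
```

Running `timeline(AWARENESS, CLASSIFIED, dora_scope=True, personal_data=True)` for the Tuesday scenario puts the DORA initial notification at 13:40 on Tuesday, the GDPR notification at 07:40 on Friday and the DORA intermediate report at 13:40 on Friday; moving classification to Wednesday 06:00 makes the 24-hours-from-awareness cap bind instead.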

Method note: the DORA clocks above were checked against Article 5 of Commission Delegated Regulation (EU) 2025/301; the conflict rows are human-verified against the provision text before publication; the member-state rows come from Fontvera's transposition register, where every verified entry's national source was live-checked at extraction time. Extracted from the primary sources — not summarised from memory.
