Request for Review – DORA Logging, Monitoring, and ICT Incident Reporting

I’m seeking your input on the EU Digital Operational Resilience Act (DORA), specifically around logging, monitoring, and ICT incident reporting requirements. DORA mandates financial entities to log all relevant ICT events, including user activity and system and security events, typically via centralized platforms like SIEM. Real-time monitoring must be in place to detect anomalies, threats, or system failures, supported by automated alerts and clear escalation protocols. Incidents must be classified based on severity and impact. Major incidents must be reported to regulators within four hours of classification; significant incidents within 48 hours. Entities must also submit intermediate progress and final reports detailing root cause and remediation. Where appropriate, impacted clients and stakeholders should be notified. DORA emphasizes proactive ICT risk management, EU-wide regulatory harmonization, and board-level accountability. Compliance requires mature governance frameworks and supporting technologies for detection, reporting, and response. Could you confirm if this summary aligns with your understanding of DORA’s requirements and share any insight on market best practices or tooling trends?

GRC Analyst, 17 days ago

Your summary is solid and hits the major DORA requirements. What I’d add from experience is that compliance becomes tricky not in detection, but in follow-through.

For example, we’ve had to build structured workflows that not only escalate incidents but also track ownership, documentation status, and reporting progress. DORA’s expectations around root cause analysis and remediation plans require evidence that you’ve learned from the event and can show what’s changed as a result.

Another layer is governance. Having board-level oversight sounds good in theory, but in practice, it means providing leadership with real visibility into the risk posture, ongoing incidents, and regulatory commitments.

To answer your second question, while the tech stack (SIEM, SOAR, etc.) is important, it’s the operational glue — such as ownership, timing, documentation, and accountability — that determines whether you’re truly DORA-aligned.

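The "operational glue" the comment above describes (ownership, timing, documentation status, reporting progress) is easy to get wrong in one specific way: the regulatory clock starts at classification, not at detection, and a final report is not "done" until the root-cause and remediation evidence is attached. The following is an added illustration written for this page, not code from any commenter or from DORA itself. The four-hour major and 48-hour significant windows are the figures quoted in the thread; the intermediate and final windows, the evidence checklist, and all names (`Incident`, `WINDOWS`, `FINAL_REPORT_EVIDENCE`, the constructed INC-0001 timeline) are hypothetical placeholders that a real deployment would replace with the deadlines and artefacts required by the applicable technical standards.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Reporting windows, measured from the moment of classification (not detection).
# The 4-hour major and 48-hour significant windows are the figures quoted in the
# thread; the intermediate and final windows are ASSUMED placeholders to be
# replaced with the deadlines in the applicable regulatory technical standards.
WINDOWS = {
    "major": {
        "initial": timedelta(hours=4),
        "intermediate": timedelta(hours=72),   # assumed placeholder
        "final": timedelta(days=30),           # assumed placeholder
    },
    "significant": {
        "initial": timedelta(hours=48),
        "final": timedelta(days=30),           # assumed placeholder
    },
}

# Artefacts a final report must carry before it can be submitted (assumed set).
FINAL_REPORT_EVIDENCE = ("root_cause", "remediation_plan", "lessons_learned")


def utc(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Small helper so all timestamps in the workflow are timezone-aware UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Incident:
    ident: str
    detected_at: datetime
    classification: Optional[str] = None
    classified_at: Optional[datetime] = None
    owner: Optional[str] = None
    submitted: Dict[str, datetime] = field(default_factory=dict)  # report -> when sent
    evidence: Set[str] = field(default_factory=set)               # artefacts attached

    def classify(self, level: str, at: datetime, owner: str) -> None:
        """Record the severity/impact classification; this starts the clock."""
        if level != "minor" and level not in WINDOWS:
            raise ValueError(f"unknown classification {level!r}")
        self.classification, self.classified_at, self.owner = level, at, owner

    def deadlines(self) -> Dict[str, datetime]:
        """Report name -> absolute deadline, keyed from classification time."""
        if self.classified_at is None or self.classification not in WINDOWS:
            return {}
        return {name: self.classified_at + delta
                for name, delta in WINDOWS[self.classification].items()}

    def overdue(self, now: datetime) -> List[str]:
        """Reports whose deadline has passed with no recorded submission."""
        return sorted(name for name, due in self.deadlines().items()
                      if name not in self.submitted and now > due)

    def final_report_ready(self) -> bool:
        return set(FINAL_REPORT_EVIDENCE) <= self.evidence

    def submit(self, report: str, at: datetime) -> None:
        """Record a submission; refuse a final report that lacks its evidence."""
        if report == "final" and not self.final_report_ready():
            missing = sorted(set(FINAL_REPORT_EVIDENCE) - self.evidence)
            raise ValueError(f"final report missing evidence: {missing}")
        self.submitted[report] = at

    def status(self, now: datetime) -> dict:
        """Board- or auditor-facing snapshot: owner, what is late, what is missing."""
        return {
            "incident": self.ident,
            "owner": self.owner,
            "classification": self.classification,
            "overdue": self.overdue(now),
            "submitted": sorted(self.submitted),
            "evidence_missing": sorted(set(FINAL_REPORT_EVIDENCE) - self.evidence),
        }


def demo() -> dict:
    """Constructed timeline: detected 09:00, classified major at 10:30 UTC."""
    inc = Incident("INC-0001", detected_at=utc(2025, 1, 6, 9, 0))
    inc.classify("major", at=utc(2025, 1, 6, 10, 30), owner="ict-risk-lead")
    # Initial notification is due 14:30, not 13:00: the window runs from classification.
    inc.submit("initial", at=utc(2025, 1, 6, 14, 0))
    return inc.status(now=utc(2025, 1, 6, 15, 0))


if __name__ == "__main__":
    print(demo())
```

The point of `submit` refusing an incomplete final report is the evidence requirement the comment raises: the workflow should make "what changed as a result" a precondition of closing the record, not a free-text field someone remembers to fill in. In a real SOAR or ticketing integration the same checks would run as gates on the status transition.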
IT Manager, a month ago

Yes, this summary aligns well with my understanding of DORA's requirements around ICT logging, monitoring, and incident reporting. The act places strong emphasis on centralized logging—typically via SIEM platforms—for all relevant user and system activity, paired with real-time monitoring, automated alerting, and clear escalation protocols. The classification and reporting timelines you noted are accurate, with a four-hour window for major incidents post-classification and structured follow-ups including root cause and remediation. I’m also seeing a growing shift toward integrating SIEM with SOAR to streamline response workflows, increased use of cloud-native monitoring tools, and AI-assisted incident classification to meet DORA’s aggressive timelines.
