DORA-Art21-P1

Article: 21 (1)
Pillar: ICT Incident Detection & Reporting
Regulation Ref: Regulation (EU) 2022/2554, Article 21(1)
Last Reviewed: 2026-01-15

Financial entities shall establish procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents, to ensure that root causes are identified, documented and addressed.

Evidence Profiles

ICT Incident Log Register COMMON

CSV register of all ICT-related incidents including detection time, classification, impact, resolution, and follow-up status as required by DORA Article 21.

Formats: CSV
Evidence Class: incident-log
Availability: COMMON
Update Frequency: continuous
Typical Author: SOC Analyst
Approval Chain: SOC Manager → Incident Manager

Content Sections

Expected Fields

Common Quality Issues

Inconsistent classification across incidents
Missing resolution timestamps for older incidents
Follow-up status not updated after remediation
Near-miss incidents not logged

ICT Incident Root Cause Analysis Report PARTIAL

Detailed root cause analysis document for ICT-related incidents, using structured methodologies (5 Whys, fishbone diagram, fault tree analysis) to identify underlying causes and recommend corrective actions.

Formats: DOCX PDF
Evidence Class: incident-root-cause-analysis
Availability: PARTIAL
Update Frequency: event-driven
Typical Author: Incident Manager
Approval Chain: Incident Manager → CISO

Content Sections

Expected Fields

Common Quality Issues

Analysis performed only for major incidents
Methodology not consistently applied
Corrective actions identified but not tracked to completion
Missing linkage between root causes and systemic risk factors

Fact Schemas

incident_log_status

Schema ID: fs-incident-log-status
Control: DORA-Art21-P1

Valid Ranges

reporting_period_end: within last 3 months
incidents_with_root_cause: should equal total_incidents for thorough process

Related Schemas

JSON Schema

{
  "properties": {
    "follow_ups_completed": {
      "minimum": 0,
      "type": "integer"
    },
    "incidents_resolved": {
      "minimum": 0,
      "type": "integer"
    },
    "incidents_with_root_cause": {
      "minimum": 0,
      "type": "integer"
    },
    "major_incidents": {
      "minimum": 0,
      "type": "integer"
    },
    "mean_time_to_detect_hours": {
      "minimum": 0,
      "type": "number"
    },
    "mean_time_to_resolve_hours": {
      "minimum": 0,
      "type": "number"
    },
    "reporting_period_end": {
      "format": "date",
      "type": "string"
    },
    "total_incidents": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "reporting_period_end",
    "total_incidents",
    "major_incidents",
    "incidents_with_root_cause"
  ],
  "type": "object"
}

incident_root_cause_analysis

Schema ID: fs-incident-root-cause-analysis
Control: DORA-Art21-P1

Valid Ranges

analysis_date: within 30 days of incident resolution
corrective_actions_completed: should equal corrective_actions_count for full remediation

Related Schemas

JSON Schema

{
  "properties": {
    "analysis_date": {
      "format": "date",
      "type": "string"
    },
    "corrective_actions_completed": {
      "minimum": 0,
      "type": "integer"
    },
    "corrective_actions_count": {
      "minimum": 0,
      "type": "integer"
    },
    "incident_id": {
      "minLength": 1,
      "type": "string"
    },
    "methodology_used": {
      "enum": [
        "five_whys",
        "fishbone",
        "fault_tree",
        "combined",
        "other"
      ],
      "type": "string"
    },
    "root_cause_category": {
      "enum": [
        "technical",
        "process",
        "human",
        "external",
        "vendor"
      ],
      "type": "string"
    },
    "root_cause_identified": {
      "type": "boolean"
    },
    "systemic_risk_identified": {
      "type": "boolean"
    }
  },
  "required": [
    "incident_id",
    "analysis_date",
    "methodology_used",
    "root_cause_identified",
    "corrective_actions_count"
  ],
  "type": "object"
}