DORA-Art22-P1

Article: 22 (1)
Pillar: ICT Incident Detection & Reporting
Regulation Ref: Regulation (EU) 2022/2554, Article 22(1)
Last Reviewed: 2026-01-15

Financial entities shall ensure that ICT-related incident reports and post-incident reviews are used to identify vulnerabilities and improve the ICT risk management framework.

Evidence Profiles

Post-Incident Review Summary RARE

Plain text summary of post-incident review meetings, documenting key findings, process improvement recommendations, and action items for enhancing the ICT risk management framework as required by DORA Article 22.

Formats: PLAIN_TEXT
Evidence Class: post-incident-review
Availability: RARE
Update Frequency: event-driven
Typical Author: Incident Manager
Approval Chain: Incident Manager → CISO

Content Sections

Expected Fields

Common Quality Issues

Reviews conducted informally without structured documentation
Action items not assigned to specific owners
Recommendations not tracked to implementation
Reviews limited to major incidents only

ICT Incident Trend Analysis Report RARE

CSV-based trend analysis of ICT-related incidents over time, identifying patterns, recurring issues, and areas requiring systemic improvement.

Formats: CSV JSON
Evidence Class: incident-trend-analysis
Availability: RARE
Update Frequency: quarterly
Typical Author: Risk Analyst
Approval Chain: Risk Analyst → CISO

Content Sections

Expected Fields

Common Quality Issues

Trend analysis based on incomplete incident data
No statistical methodology applied
Missing correlation with external threat intelligence
Reporting periods inconsistent across analyses

Fact Schemas

post_incident_review_status

Schema ID: fs-post-incident-review
Control: DORA-Art22-P1

Valid Ranges

review_date: within 60 days of incident resolution
improvements_implemented: should equal improvements_recommended for full follow-through

Related Schemas

JSON Schema

{
  "properties": {
    "framework_updates_triggered": {
      "type": "boolean"
    },
    "improvements_implemented": {
      "minimum": 0,
      "type": "integer"
    },
    "improvements_recommended": {
      "minimum": 0,
      "type": "integer"
    },
    "incident_id": {
      "minLength": 1,
      "type": "string"
    },
    "policy_changes_triggered": {
      "type": "boolean"
    },
    "process_gaps_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "review_date": {
      "format": "date",
      "type": "string"
    }
  },
  "required": [
    "review_date",
    "incident_id",
    "process_gaps_identified",
    "improvements_recommended"
  ],
  "type": "object"
}

incident_trend_analysis

Schema ID: fs-incident-trend-analysis
Control: DORA-Art22-P1

Valid Ranges

reporting_period_end: within last 3 months
trend_direction: decreasing indicates improving incident posture

Related Schemas

JSON Schema

{
  "properties": {
    "major_incidents_in_period": {
      "minimum": 0,
      "type": "integer"
    },
    "mean_time_to_detect_trend": {
      "enum": [
        "improving",
        "stable",
        "degrading"
      ],
      "type": "string"
    },
    "mean_time_to_resolve_trend": {
      "enum": [
        "improving",
        "stable",
        "degrading"
      ],
      "type": "string"
    },
    "recurring_root_causes_count": {
      "minimum": 0,
      "type": "integer"
    },
    "reporting_period_end": {
      "format": "date",
      "type": "string"
    },
    "reporting_period_start": {
      "format": "date",
      "type": "string"
    },
    "total_incidents_in_period": {
      "minimum": 0,
      "type": "integer"
    },
    "trend_direction": {
      "enum": [
        "increasing",
        "stable",
        "decreasing"
      ],
      "type": "string"
    }
  },
  "required": [
    "reporting_period_start",
    "reporting_period_end",
    "total_incidents_in_period",
    "trend_direction"
  ],
  "type": "object"
}