Cyber Space: Global insights on cyber and data risks for insurers October 2025 – Cyber incident response and compliance with DORA
Introduction
Following the current global theme of increased cyber resilience requirements, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) introduces a harmonised framework to ensure that financial entities and their ICT providers operating in the European Union (including Banks, Asset Managers and Insurers) can withstand, respond to, and recover from ICT-related disruptions and threats.
For directors and management bodies of in-scope entities, this marks enhanced accountability and operational expectations as they bear the ultimate responsibility for managing a financial entity's ICT risk.
DORA is intended to embed managing cyber risks into the core of corporate governance, making proactive engagement, strategic investment, and robust oversight essential pillars of resilience in the digital age.
Whilst there has been significant commentary on the requirements and potential implications of DORA, the purpose of this article is to consider the expectations and processes to follow should an in-scope entity suffer a cyber-attack.
Summary of DORA response following a Cyber-Attack
Should a cyber incident occur, financial entities are expected to act swiftly to ensure ongoing compliance with DORA and other relevant regulations. The following steps are critical:
- Activate the Incident Response Plan: The affected entity must immediately activate its incident response plan, ensuring that all relevant teams and stakeholders are mobilised.
- Classify the Incident: Incidents must be classified using prescribed DORA criteria, specifically the Regulatory Technical Standards (RTS) on ICT incidents classification. Proper classification is essential for determining the reporting obligations and the urgency of the response.
- Notify Competent Authorities: DORA imposes significant obligations and strict timelines for reporting major ICT-related incidents (i.e. where one or more of the prescribed impact criteria meet specified thresholds). We comment on this in more detail below.
- Root Cause Analysis and Implement Corrective Actions: It is expected that a thorough root cause analysis will be conducted to understand the origins and impact of the incident. Corrective actions should be implemented promptly to address vulnerabilities and prevent recurrence.
- Update Internal Documentation and Resilience Strategies: All internal documentation, including risk management frameworks and incident response procedures, should be updated in light of the incident. Lessons learned must be integrated into ongoing resilience strategies.
Mandatory Incident Reporting and Timelines
The management body or board of an affected entity must be informed of major ICT-related incidents as soon as possible. This is to avoid individuals within an organisation trying to manage or remedy an issue without making the relevant leadership aware.
Significant ICT-related incidents must then be reported to competent authorities (i.e. normally a local regulator) within tight timeframes, increasing reputational and regulatory exposure.
The reporting process and timing requirements under DORA are as follows:
- Initial Report: As early as possible, but in any case within four hours from the classification of the ICT-related incident as a major incident and no later than 24 hours from the moment the financial entity has become aware of the incident.
- Intermediate Report: At the latest, within 72 hours from the submission of the initial notification, even if the status or handling of the incident has not changed. An updated intermediate report must be submitted without undue delay, and in any case when regular activities have been recovered.
- Final Report: No later than one month after either the submission of the intermediate report, or, where applicable, after the latest updated intermediate report.
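As an added example (not part of the article, and not a CMS tool), the deadline arithmetic in the three bullets above written as a small Python module. It assumes UTC timestamps and reads "one month" as one calendar month; both are assumptions, since DORA's text is quoted here only in the form given above.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Added example, not from the original article or from CMS: derives the DORA
# major-incident reporting deadlines set out above from incident timestamps.
# Assumptions: timestamps are UTC, and "one month" is read as the same calendar
# day in the following month, clamped to that month's length.

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # from classification as major
INITIAL_AFTER_AWARENESS = timedelta(hours=24)       # hard cap from first awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # from submission of initial report

def parse_utc(iso: str) -> datetime:
    """Parse a naive ISO-8601 timestamp such as '2025-10-01T09:00:00' as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def add_one_month(ts: datetime) -> datetime:
    """Advance ts by one calendar month, clamping e.g. 31 Jan to 28/29 Feb."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def initial_report_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """Both limits apply at once, so the earlier of the two is binding."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness of the incident")
    return min(classified_at + INITIAL_AFTER_CLASSIFICATION,
               aware_at + INITIAL_AFTER_AWARENESS)

def intermediate_report_deadline(initial_submitted_at: datetime) -> datetime:
    return initial_submitted_at + INTERMEDIATE_AFTER_INITIAL

def final_report_deadline(last_intermediate_submitted_at: datetime) -> datetime:
    """Runs from the latest (updated) intermediate report actually submitted."""
    return add_one_month(last_intermediate_submitted_at)

def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left before a deadline; negative means the report is already late."""
    return (deadline - now) / timedelta(hours=1)

if __name__ == "__main__":
    # Constructed timestamps: classification happens 22h after awareness, so the
    # 24h-from-awareness cap, not the 4h-from-classification limit, is binding.
    aware, classified = parse_utc("2025-10-01T09:00:00"), parse_utc("2025-10-02T07:00:00")
    due = initial_report_deadline(aware, classified)   # 2025-10-02T09:00:00+00:00
    print(due.isoformat(), hours_remaining(due, classified))  # 2.0 hours left
```

The check a practitioner wants in an incident-response runbook is the first one: a late classification does not buy time, because the 24-hour clock from awareness keeps running.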
Helpfully, templates for the reports are available in the annexes of the Implementing Technical Standards (ITS) on ICT incidents reporting, ensuring that all required information is captured and reported consistently.
The reports will typically cover:
- A description of the incident and its impact
- The classification and severity of the incident
- Actions taken to mitigate and resolve the incident
- Root cause analysis and corrective measures implemented
- Any ongoing risks or vulnerabilities identified
Suggested Best Practice
Internal and External Coordination
In order to ensure compliance with DORA, effective incident management requires clear coordination, both internally and with external parties.
Internal reporting channels should enable direct access to management bodies, ensuring that they are kept informed of ICT risks and incidents without delay. Further, policies and procedures should specify the practical steps for swift communication to management.
In our experience, the best way to ensure coordination between all stakeholders - such as forensic experts, legal counsel, and ransom negotiators - is to utilise an incident response manager. This is a role often performed by CMS for clients across the various jurisdictions in which we operate.
This individual or team is responsible for facilitating smooth communication and ensuring that all regulatory and operational requirements under DORA are complied with during the incident response.
Directors’ Responsibilities and Strategic Considerations
DORA requires that Directors and management bodies are proactively involved in all aspects of digital operational resilience. This includes strategic planning, risk management, incident response, and ensuring ongoing compliance with DORA's requirements.
Key to this is regular Board-level training on ICT risks and regulatory obligations to ensure informed oversight. This is something which CMS regularly assists with, both via Insurers and direct to our clients.
Moreover, directors and boards are being strongly encouraged to invest in cyber insurance as part of their response to DORA compliance. This is because such policies not only cover financial losses but often also provide strategic external support, including access to forensic experts, first responders, lawyers, and ransom negotiators. We find that this support is vital to mitigate the effects of a cyber-attack and to meet the requirements of a DORA compliant response.
Conclusion
DORA not only raises the bar for compliance but also embeds consideration of cyber risks into the core of corporate governance.
The cost of inaction - both financial and reputational - can be severe. By addressing cybersecurity at board level and ensuring robust incident response and reporting mechanisms, financial entities can better protect their assets, reputation, and stakeholders from cyber threats, while meeting the stringent requirements of DORA.
Cyber Space – More to come…
This article is part of our Cyber Space series. These regular articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.