ESMA_QA_2158
15/04/2024
Subject Matter
Understanding of time limits of intermediate reports for major related ICT-incidents
    Is our understanding of Article 6 of the RTS correct, that an institution should submit more than one intermediate report for a major ICT-incident, if that incident continues over the 72 hours threshold for the initial intermediate report?
    Art. 6 states that an institution has to submit a report in case that after 72 hours the incident is not resolved or when the incident is resolved. Our understanding is that the "or" means that an institute has to submit more than one report in case that the incident is resolved after more than 72 hours.
    ESMA Answer
    15-04-2024

      Article 19(4) of Regulation (EU) 2022/2554 (DORA) provides that financial entities shall, within the time limits to be laid down in accordance with Article 20, first paragraph, point (a), point (ii), submit an intermediate report after the initial notification, as soon as the status of the original incident has changed significantly or the handling of the incident has changed based on new information available, followed, as appropriate by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority. 

      Article 5(1)(b) of the Commission Delegated Regulation XX (RTS on content and timelines on incident reporting) specifies that financial entities shall submit an intermediate report ‘at the latest within 72 hours from the submission of the initial notification, even where the status or the handling of the incident have not changed as referred to in Article 19(4), point (b), of Regulation (EU) 2022/2554. Financial entities shall submit an updated intermediate report without undue delay, and in any case when the regular activities have been recovered’.

      It follows from the above that financial entities shall submit an intermediate report under the conditions set out in Article 19(4) of DORA and at the very latest within 72 hours from the submission of the initial notification as set out in the Delegated Regulation.

      Where financial entities have not recovered regular activities within 72 hours from the submission of the initial notification, they shall submit an intermediate within the 72-hour timeframe and at least another intermediate when the regular activities have been recovered.

      Where financial entities have recovered regular activities, they can submit a single intermediate report, provided that the requirements of Article 19(4) of DORA are met. 

      Status: Answer Published

      Additional Information

      Level 1 Regulation
      Regulation (EU) 2022/2554 - The Digital Operational Resilience Act (DORA)
      Additional Legal Reference
      Draft RTS Article 6 section 1 lit. b) JC 2023 70
      Topic
      ICT-related incident