EU Clarifies When Phishing Triggers DORA Incident Reporting
Key Takeaways
- Customer-Only Phishing Is Not Reportable: Phishing incidents that occur solely in a customer’s private sphere and do not affect a financial entity’s systems or services do not qualify as ICT-related incidents under the Digital Operational Resilience Act.
- Reporting Hinges on Institutional Impact: Phishing becomes reportable under DORA only when it compromises a financial entity’s own networks, employees, systems, or service delivery.
- Large-Scale Campaigns May Qualify: Widespread phishing campaigns that ultimately affect a financial entity’s services can be classified as ICT-related incidents if materiality thresholds are met.
- Supervisory Consistency Addressed: The clarification aims to harmonize how national authorities assess phishing-related incidents across the EU.
- Administrative Burden Considered: Regulators acknowledged concerns that treating customer-side phishing as reportable could significantly increase reporting volumes without improving operational resilience.
Deep Dive
Phishing attacks are a daily reality for banks and their customers alike. But under the EU’s Digital Operational Resilience Act (DORA), not every phishing email belongs in a regulator’s incident inbox. That distinction is now clearer following a formal question from Germany’s financial supervisor, BaFin.
The clarification addresses whether phishing incidents that target customers in their private lives can qualify as reportable major ICT-related incidents. BaFin’s question stemmed from uncertainty in how DORA’s definitions should be applied when phishing does not directly hit a financial entity’s systems. Typical scenarios include customers clicking malicious links in personal email accounts or unknowingly entering credentials into fake versions of a bank’s website.
Under DORA, an ICT-related incident is an unplanned event, or series of linked events, that compromises the security of a financial entity’s network and information systems and adversely affects the availability, authenticity, integrity or confidentiality of data or of the services the entity provides; a major ICT-related incident is one with a high adverse impact on the systems supporting the entity’s critical or important functions. But the regulation does not explicitly state whether that compromise must land on the institution itself or whether customer harm alone could be enough.
Complicating matters further, the regulatory technical standards on incident classification introduce materiality thresholds, such as the number of clients affected and the extent of data losses, that could, in theory, be met in many successful phishing cases. BaFin warned that treating customer-side phishing as reportable could dramatically increase reporting volumes, raising questions about proportionality and administrative burden.
The Answer Draws a Firm Boundary
The EU’s final response cuts through the ambiguity.
Phishing incidents that occur entirely within a customer’s private sphere and do not affect the services, systems, or third-party providers of a financial entity do not qualify as ICT-related incidents under DORA. In those cases, they cannot be classified as major ICT-related incidents and do not trigger reporting obligations.
In other words, a customer falling victim to a phishing email on a personal inbox, even where credentials are stolen, does not (by itself) become a DORA incident.
The picture changes once the financial entity itself is in the firing line.
Phishing attacks that successfully compromise employees, internal systems, or service delivery, or wide-scale phishing campaigns that ultimately affect a firm’s operations, can qualify as ICT-related incidents under DORA. If such incidents meet the relevant materiality thresholds, they must be reported as major ICT-related incidents.
The distinction hinges not on the phishing technique itself, but on where the impact lands.
How the Guidance Applies in Practice
For financial institutions, the clarification offers welcome certainty as DORA reporting frameworks move from theory to practice. Customer-only phishing remains primarily a fraud and consumer protection issue. It only becomes a DORA matter when it spills over into the institution’s own digital resilience. The practical consequence is that entities still need to track customer-side phishing: a campaign that starts in customers’ inboxes can cross the boundary once stolen credentials or malicious traffic begin to affect the entity’s own services or systems, and it is at that point, not at the first customer report, that the classification and reporting obligations come into play.
Just as importantly, the guidance supports greater consistency across EU supervisors, reducing the risk that firms face different reporting expectations for the same incident depending on jurisdiction.
In a regulatory environment already heavy with new obligations, that clarity may be one of DORA’s quieter, but more practical, wins.