Blog
DORA · Incident Reporting · Financial Services · Compliance

DORA's 4-hour clock: classification is the new evidence problem

DORA enforcement turns active in 2026: 4 hours to file from the moment an incident is classified major. The hard part isn't the report — it's classifying in time.

Zero Hunt Research · 7 min read

Active DORA enforcement started in 2026. The informal tolerance that supervisors granted through 2025 is over, and the European Supervisory Authorities (EBA, ESMA and EIOPA) together with the national competent authorities (NCAs) are now reviewing real submissions against the harmonised templates. The headline rule, 4 hours to file an initial notification of a major ICT incident, is finally being measured. And the part that fails first under measurement is not the template, the delivery channel or the executive sign-off. It is the classification step that the 4-hour clock starts from.

The 4-hour clock starts at classification, not detection

The clock set by RTS 2025/301, the technical standard on the content and timing of incident reports drafted jointly by EBA, ESMA and EIOPA, is not "4 hours after the SOC raises the alert". It is 4 hours after the incident is classified as major under DORA's criteria. Classification has its own deadline: without undue delay, and bounded in practice by the rule that the initial notification must reach the regulator no later than 24 hours after the entity became aware of the incident, however late classification came. From classification the entity has 4 hours to send the initial notification (subject to that 24-hour cap), 72 hours from submission of the initial notification to file an intermediate report with a preliminary root-cause analysis, and one month from the intermediate report to file the final report.

The order matters because the regulator can argue two things separately:

  • You classified late. Detection was at T0, classification at T0+18h, but the indicators were sufficient for classification at T0+4h. Article 19 breach, classification path.
  • You filed late. Classification was clean at T0+6h, but the initial notification went out at T0+13h. Article 19 breach, reporting path.

Both are sanctionable under the same article. The 4-hour bar everyone talks about is only the second of the two.
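The two paths can be checked independently, and the check is worth automating because the 4-hour clock interacts with the 24-hour cap from awareness: whichever deadline comes first binds. What follows is an added example, not code from this post or from Zero Hunt. The struct and field names are its own, it uses only the Go standard library, and it encodes only the hard deadlines; the "undue delay" judgment on how quickly classification should have happened is not reducible to a timer.

```go
package main

import (
	"fmt"
	"time"
)

// Timeline holds the observed timestamps of one incident. A zero time means the step
// has not happened yet. Field names are this example's own.
type Timeline struct {
	Aware        time.Time // moment the entity became aware of the incident
	Classified   time.Time // moment it was classified major
	Initial      time.Time // initial notification sent
	Intermediate time.Time // intermediate report sent
	Final        time.Time // final report sent
}

// Breaches evaluates each Article 19 deadline independently, as the post describes the
// regulator doing, and returns one entry per deadline missed. Limits assumed here:
// classify within 24h of awareness; initial notification within 4h of classification and
// never later than 24h after awareness; intermediate within 72h of the initial; final
// within one calendar month of the intermediate.
func Breaches(tl Timeline, now time.Time) []string {
	var out []string
	check := func(step string, done, deadline time.Time) {
		switch {
		case !done.IsZero() && done.After(deadline):
			out = append(out, fmt.Sprintf("%s late by %s", step, done.Sub(deadline)))
		case done.IsZero() && now.After(deadline):
			out = append(out, fmt.Sprintf("%s overdue by %s", step, now.Sub(deadline)))
		}
	}
	awareCap := tl.Aware.Add(24 * time.Hour)
	check("classification", tl.Classified, awareCap)
	if !tl.Classified.IsZero() {
		// The 4-hour clock runs from classification, but the 24-hour cap from awareness
		// wins when classification itself came late.
		deadline := tl.Classified.Add(4 * time.Hour)
		if awareCap.Before(deadline) {
			deadline = awareCap
		}
		check("initial notification", tl.Initial, deadline)
	}
	if !tl.Initial.IsZero() {
		check("intermediate report", tl.Intermediate, tl.Initial.Add(72*time.Hour))
	}
	if !tl.Intermediate.IsZero() {
		check("final report", tl.Final, tl.Intermediate.AddDate(0, 1, 0))
	}
	return out
}

func main() {
	t0 := time.Date(2026, 2, 14, 8, 0, 0, 0, time.UTC) // constructed awareness time
	// The post's second scenario: clean classification at T0+6h, filing at T0+13h.
	tl := Timeline{Aware: t0, Classified: t0.Add(6 * time.Hour), Initial: t0.Add(13 * time.Hour)}
	fmt.Println(Breaches(tl, t0.Add(14*time.Hour))) // [initial notification late by 3h0m0s]
}
```

Note the second branch of each check: a step that has not happened yet is reported as overdue once its deadline passes, which is what a live dashboard needs, whereas the first branch is the retrospective finding an inspector makes. Run the same function with a classification at T0+22h and a filing at T0+25h to see the awareness cap bite: the 4-hour clock alone would have allowed T0+26h.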

Seven criteria, two thresholds, one window to decide

The classification framework (Article 18 of DORA, with the materiality thresholds set in the classification RTS, Commission Delegated Regulation (EU) 2024/1772) lists seven criteria, each with the concrete signal that trips it:

  1. Clients, counterparts, transactions affected: number or share above the materiality threshold
  2. Reputational impact: press coverage, regulator notifications, social-media spike
  3. Duration and service downtime: time the service was unavailable or degraded
  4. Geographical spread: number of Member States with affected users
  5. Data losses: confidentiality, integrity or availability of personal or business data
  6. Criticality of services affected: whether the system supports a critical or important function (CIF)
  7. Economic impact: direct plus indirect cost crossing the EUR 100,000 threshold

The short form of the rule: an incident is major when it meets at least two primary criteria, or one primary criterion plus the EUR 100,000 economic threshold. The RTS states it more precisely, in terms of whether a critical service was affected and which materiality thresholds were crossed, so encode the RTS text rather than the short form. The worked example in the regulation-dora.eu training material, the fictional Bank Alpha incident, is a clean case: 2h58m of downtime during peak hours, total cost EUR 220,000 (EUR 40K direct, EUR 180K indirect), affected clients in Germany and France, online banking impacted, press coverage and a social-media spike. Five of the seven criteria fire: duration, economic impact, geographical spread, criticality of the service and reputational impact. Classification is obvious in retrospect.

It is not obvious at T0+90 minutes, with one engineer on call, a partially understood failure mode and an incomplete blast-radius map.

End of the grace period: what 2026 enforcement looks like

Penalty exposure under DORA is, for a tier-1 bank, large enough to change board-level priorities. The figures below are the ones the DORA enforcement guide cites:

  • Up to 2% of total annual worldwide turnover for the most serious violations.
  • Up to 1% of average daily worldwide turnover, recurring: a periodic penalty payment the regulator can let accrue until an identified ICT weakness is remediated.
  • Personal fines up to EUR 1 million on senior management, including the CIO, CISO and the board-designated DORA accountability officer.

Two caveats before these numbers go into a board deck. DORA itself (Article 50) leaves the administrative penalties for financial entities to Member State law, so the turnover-based ceilings come from the guide, not from the text of the Regulation. And the 1% of average daily turnover figure is the periodic penalty payment the Lead Overseer can impose under Article 35 on critical ICT third-party providers; a bank's own exposure there is indirect, through its provider.

The same enforcement guide describes the supervisor posture explicitly as the end of the grace period: the informal tolerance characterising 2025 supervision is finished, and 2026 reviews are looking for proof of resilience, not documentation of policy. NCAs are testing the quality of submissions, and three patterns are already showing up in early review outcomes:

  • Delays between first awareness and initial notification — i.e. classification took too long.
  • Misclassification of incidents (under-reporting is the dominant risk; over-reporting is also flagged).
  • Final reports lacking adequate root-cause analysis, despite the one-month window after the intermediate report.

The pattern is consistent. The institutions failing review are not the ones missing a template field. They are the ones whose detection-to-classification pipeline takes too long, runs on a spreadsheet, or depends on one human being awake.

Why your evidence binder needs to become an evidence stream

The 2025 mental model of DORA compliance was binder-shaped: a quarterly bundle assembled by an internal team, reviewed by the auditor weeks later. Active 2026 enforcement breaks this model in two ways.

First, the NCA is now allowed to ask for evidence the same day it queries you. The binder workflow assumed asynchronous review. The new workflow assumes the regulator pulls a current bundle on demand and reads it that afternoon. Anything reconstructed retroactively from logs three weeks later is not, by definition, current.

Second, the classification step itself has become an evidence-producing event. The regulator wants to see how you decided an incident was or was not major — which signals you weighted, which criteria you measured, at what timestamp. "We decided it was minor and didn't file" is not a defensible position unless the decision is itself documented, signed and reviewable.

NCA inspector: "Show me how you classified the 14 February incident."

Bank: "Here's the Confluence page our incident commander updated that morning."

NCA inspector: "And how do I know the page wasn't edited after the fact?"

The point of ECDSA-signed, append-only evidence is that the second question stops the conversation. A signature proves who wrote the record and that it has not changed since; the append-only chain, with the timestamp inside the signed payload, is what places the decision before the filing rather than after the inspector's question. Cryptographic chain-of-custody is no longer a nice-to-have. It is what makes the classification decision itself defensible.

The Article 26-27 TLPT requirement amplifies this. Threat-led penetration testing, at least every three years, on live production systems supporting critical or important functions, for the financial entities the competent authority designates for it. The evidence chain produced by the TLPT engagement (which exploits were attempted, which succeeded, against which control set, with what blast radius) flows into the same evidence stream the NCA will read in an incident review.

What this looks like in the first 240 minutes

The CISO's operational picture in the first four hours after a security event has changed materially. A reasonable allocation under 2026 enforcement looks like:

  • T+0 to T+30: Detection, alert correlation, initial triage.
  • T+30 to T+90: Scope assessment — which systems, which clients, which Member States.
  • T+90 to T+150: Classification against the seven criteria, with the evidence produced by step 2 fed into a severity-weighted scoring view. Decision: major / not major. The decision and its supporting evidence are signed and timestamped at this point.
  • T+150 to T+240: Initial notification drafted in RTS 2025/301 Annex II format, reviewed by accountable senior management, dispatched to the NCA.

That budget assumes the classification phase actually runs in 60 minutes. In most banks today it runs in 4-8 hours, because each of the seven criteria is checked by hand across separate dashboards, the EUR 100,000 economic threshold is estimated by someone in operations who has to call finance, and the reputational and geographic spread signals are entirely manual.

Three things compress the classification window from 4-8 hours to under 60 minutes:

  • Continuous, automated measurement of each of the seven criteria against current state — not a quarterly survey.
  • A severity-weighted scoring engine that produces a single major/not-major signal from the seven inputs, with each input timestamped and signed.
  • A pre-formatted evidence bundle keyed to RTS 2025/301 Annex II — so the initial notification is a render of existing data, not a 240-minute writing exercise.

This is the operational gap 2026 enforcement is actually targeting.

Where this hits Zero Hunt

Zero Hunt's Pillar 3 — automatic compliance — is engineered for exactly this gap. The compliance engine continuously maps every finding, every scan, every remediation against 32 frameworks, DORA included. Severity-weighted scoring is the same primitive that DORA classification needs: financial impact, scope, duration, criticality already structured, weighted, and queryable. When an incident fires, the seven criteria already have current values; classification is a query, not a workshop.

Every output of the engine — scans, findings, classification decisions, remediation events — is ECDSA-signed at write time, with chain-of-custody by construction. The Trust Center exposes this to the auditor or NCA as a current, signed evidence stream rather than a reconstructed binder. When the inspector asks "show me how you classified the 14 February incident", the answer is a signed bundle the regulator can verify against the public key.

On the TLPT side (Articles 26-27), the 10-agent generative-pentest swarm runs against live production systems — Recon, Exploit, Web, Credential, Post-Exploit, Pivot, Tactic, Report, plus the AI Controller — with the AI Gym backtest corpus (142+ skills validated against Vulhub, NYU CTF Bench, Cybench, Vulhub-Bench before any new skill touches production) providing the safety guarantee that lets you actually run TLPT against the production critical functions DORA names, instead of a staging copy that proves nothing about real exposure.

The output of either path lands in the same evidence stream. That is what shrinks the classification window from 4-8 hours to a number that survives a 2026 NCA review, and what makes the 4-hour clock a clock you can actually run, rather than the spreadsheet panic it has been for most of the financial sector.

If you want to see how the compliance engine and the TLPT swarm produce a single evidence stream that maps onto DORA, the platform overview walks through the architecture, and the comparison page sets it against the audit-binder vendors. Or skip ahead and contact us.