# Art. 17 — Incident management process

1. Financial entities shall define, establish and implement an [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) management process to detect, manage and notify [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident).
2. Financial entities shall record all [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and [significant cyber threats](https://www.mica.wtf/definitions/definitions/dora/significant-cyber-threat). Financial entities shall establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), to ensure that root causes are identified, documented and addressed in order to prevent the occurrence of such incidents.
3. The [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) management process referred to in paragraph 1 shall:
   1. put in place early warning indicators;
   2. establish procedures to identify, track, log, categorise and classify [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) according to their priority and severity and according to the criticality of the services impacted, in accordance with the criteria set out in [Article 18(1)](/dora/digital-operational-resilience-act/chapter-iii-ict-related-incident-classification-reporting/article-18-classification-of-ict-related-incidents.md);
   3. assign roles and responsibilities that need to be activated for different [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) types and scenarios;
   4. set out plans for communication to staff, external stakeholders and media in accordance with [Article 14](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-14-communication.md) and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts, as appropriate;
   5. ensure that at least [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) are reported to relevant senior management and inform the [management body](https://www.mica.wtf/definitions/definitions/dora/management-body) of at least [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident), explaining the impact, response and additional controls to be established as a result of such [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident);
   6. establish [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner.


