DORA ICT Incident Reporting Register
A runnable Spring Boot service that captures, classifies, and reports major ICT incidents to the regulator with an immutable audit trail, aligned to the EU DORA reporting timelines.
Problem
Under EU DORA (Regulation 2022/2554), financial entities must detect, classify, and report major ICT-related incidents to their competent authority within strict windows (initial notification, intermediate, and final reports). Handling this manually with spreadsheets and email is slow, inconsistent in applying the major-incident classification criteria, and leaves no tamper-evident record — exposing the firm to missed deadlines, mis-classification, and supervisory findings.
Solution Overview
A deterministic engine that:
- Captures an ICT incident through a validated REST API.
- Classifies it server-side against DORA's major-incident criteria (clients affected, service downtime, data losses, economic impact).
- Schedules the regulatory report deadlines — initial (24h), intermediate (72h), and final (1 month) windows computed from detection time.
- Records every state change in an append-only audit ledger that is enforced immutable at both the application and database (trigger) level.
Everything runs locally with docker compose up — a Spring Boot 3.3 app on Java 17
backed by PostgreSQL 16 with Flyway migrations and seed data.
What you get
- Complete Spring Boot 3.3 / Java 17 source (entities, repositories, service, REST API).
- PostgreSQL 16 schema via Flyway migrations, plus seed data.
- Multi-stage
Dockerfileanddocker-compose.yml— one command to run. - DORA classification engine and report-deadline scheduler.
- Append-only audit ledger with a database-level immutability trigger.
- Structured JSON audit logging, bounded exponential-backoff retry, Actuator health.
- JUnit tests that pass with
mvn verify. - An evidence pack script producing four verifiable artifacts.
Verification & Evidence
Run the evidence generator after starting the stack:
docker compose up -d --build
./evidence/run-evidence.sh
It produces four artifacts:
| Artifact | What it proves |
|----------|----------------|
| 01-startup-health | /actuator/health reports UP |
| 02-api-response | POST /api/v1/incidents returns 200 with an incidentId |
| 03-database-proof | audit_event ledger holds rows for the captured incident |
| 04-test-output | mvn verify passes |