Article 18

Classification of ICT-related incidents and cyber threats


TL;DR The Digital Operations Resilience Act from the EU requires financial entities to classify ICT-related incidents and cyber threats based on criteria such as the number of affected clients, the amount or number of transactions affected, the duration of the incident and the data losses that the incident entails. The European Supervisory Authorities (ESAs) have been tasked to develop common draft regulatory technical standards further specifying the criteria that financial entity should use for classification and assessment of relevance. The ESAs must take into account criteria and international standards developed by ENISA and must consider the needs of microenterprises, small and medium-sized enterprises. The ESAs must submit the common draft regulatory technical standards to the Commission by 17 January 2024, with the Commission delegated the power to supplement the Regulation.
  1. Financial entitiesas defined in Article 2, points (a) to (t) shall classify ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity and shall determine their impact based on the following criteria:

    1. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, and whether the ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity has caused reputational impact;

    2. the duration of the ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, including the service downtime;

    3. the geographical spread with regard to the areas affected by the ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity, particularly if it affects more than two Member States;

    4. the data losses that the ICT-related incidenta single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity entails, in relation to availability, authenticity, integrity or confidentiality of data;

    5. the criticality of the services affected, including the financial entity’s transactions and operations;

    6. the economic impact, in particular direct and indirect costs and losses, of the ICT- related incident in both absolute and relative terms.

  2. Financial entitiesas defined in Article 2, points (a) to (t) shall classify cyber threatsas defined in Article 2, point (8), of Regulation (EU) 2019/881: any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.

  3. The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:

    1. the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity or, as applicable, major operational or security payment- related incidents, that are subject to the reporting obligation laid down in Article 19(1);

    2. the criteria to be applied by competent authoritiesas defined in Article 46 for the purpose of assessing the relevance of major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity or, as applicable, major operational or security payment-related incidentsa single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity, to relevant competent authoritiesas defined in Article 46 in other Member States’, and the details of reports of major ICT-related incidentsan ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity or, as applicable, major operational or security payment-related incidentsa single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity, to be shared with other competent authoritiesas defined in Article 46 pursuant to Article 19(6) and (7);

    3. the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining significant cyber threatsa cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident.

  4. When developing the common draft regulatory technical standards referred to in paragraph 3 of this Article, the ESAsEuropean Supervisory Authority shall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. For the purposes of applying the criteria set out in Article 4(2), the ESAsEuropean Supervisory Authority shall duly consider the need for microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million and small and medium-sized enterprisesa financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million to mobilise sufficient resources and capabilities to ensure that ICT-related incidentsa single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity are managed swiftly.

    The ESAsEuropean Supervisory Authority shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.

    Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.