High materiality thresholds for determining significant cyber threats


For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled:

  1. the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity;

  2. the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements:

    1. applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited;

    2. the capabilities and intent of threat actors to the extent known by the financial entity;

    3. the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts;

  3. the cyber threat could, if materialised, meet any of the following:

    1. the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation;

    2. the materiality threshold set out in Article 9(1);

    3. the materiality threshold set out in Article 9(4).

Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered.