Article 10
High materiality thresholds for determining significant cyber threats

For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled:

(a) the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity;

(b) the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements:

(i) applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited;

(ii) the capabilities and intent of threat actors to the extent known by the financial entity;

(iii) the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts;

(c) the cyber threat could, if materialised, meet any of the following:

(i) the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation;

(ii) the materiality threshold set out in Article 9(1);

(iii) the materiality threshold set out in Article 9(4).

Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered.

Terms used in this Article: 'cyber threat' means 'cyber threat' as defined in Article 2, point (8), of Regulation (EU) 2019/881; 'critical or important function' means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; 'financial entities' means the entities defined in Article 2, points (a) to (t); 'vulnerability' means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited.