Source: AMLA consultation paper draft

EN

Article 2 Classification of the level of gravity of breaches

This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

    1. When classifying the level of gravity of a breach, supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall use four categories as follows, by increased order of severity: category one, category two, category three, category four.

    1. To classify the breaches into one of the four categories listed in paragraph 1, supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall assess whether and to what extent all the applicable indicators of Article 1 of this Regulation are met.

    1. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; may classify under those categories breaches other than those described in paragraphs 4 to 7.

    1. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall classify the breach under category one breaches where there is no direct impact or the impact is minor on the obliged entity when assessing the indicators specified in Article 1, points (d) and (e), and, at the same time:

      1. when assessing the indicator specified in Article 1, point (a), the breach has lasted for a short period of time, and

      2. when assessing the indicator specified in Article 1, point (b), the breach has been committed on a non-repetitive basis.

    2. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall not classify a breach as category one if indicators specified in Article 1, points (g) to (k) are met.

    1. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall classify the breach as category two where, for the indicators specified in Article 1, points (d) or (e), the impact is moderate and none of the indicators (g) to (k) of Article 1 are met.

    1. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall classify the breach as at least category three where, for the indicators specified in Article 1, point (d) or point (e), the impact is significant and at the same time:

      1. when assessing the indicators specified in Article 1, point (a), the breach has persisted over a significant period of time, or

      2. one of the indicators specified in Article 1 points (b) or (k), is met.

    1. Supervisorsmeans the body entrusted with responsibilities aimed at ensuring compliance by obliged entities with the requirements of this Regulation, including AMLA when performing the tasks entrusted to it in Article 5(2) of Regulation (EU) 2024/1620; shall classify the breach as category four where:

      1. when assessing the indicators specified in Article 1, point (d) or point (e), the impact is very significant, or

      2. when indicator specified in Article 1, point (h), is met, or

      3. when assessing the indicator specified in Article 1, point (g), the breach has facilitated or otherwise led to significant criminal activitiesmeans criminal activity as defined in Article 2, point (1), of Directive (EU) 2018/1673, as well as fraud affecting the Union’s financial interests as defined in Article 3(2) of Directive (EU) 2017/1371, passive and active corruption as defined in Article 4 (2) and misappropriation as defined in Article 4(3), second subparagraph, of that Directive; as defined in Article 2(1), point (3), of Regulation (EU) 2024/1624, or

      4. when assessing the indicators specified in Article 1, point (i) or (j), the breach has a significant impact.

    1. Breaches that would not be classified as category three or category four when assessed in isolation could amount to a breach of category three or four when assessed in combination.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod