Source: OJ L, 2024/2690, 18.10.2024Current language: EN
- High common level of cybersecurity for entities
Implementing acts
- Cybersecurity measures and significant incidents for relevant entities
Article 4 Recurring incidents
Incidents that individually are not considered a significant incident within the meaning of Article 3, shall be considered collectively as one significant incident where they meet all of the following criteria:
they have occurred at least twice within 6 months;
they have the same apparent root cause;
they collectively meet the criteria set out in Article 3(1)(a).
Relevant recitals
Recital 40 Recurring incidents
Recurring incidents that are linked through the same apparent root cause, which individually do not meet the criteria of a significant incident, should collectively be considered to be a significant incident, provided that they collectively meet the criterion for financial loss, and that they have occurred at least twice within six months. Such recurring incidents can indicate significant deficiencies and weaknesses in the relevant entity’s cybersecurity risk management procedures and their level of cybersecurity maturity. Moreover, such recurring incidents are capable of causing significant financial loss for the relevant entity.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.