Article 18 Classification of ICT-related incidents and cyber threats


    1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:

      1. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;

      2. the duration of the ICT-related incident, including the service downtime;

      3. the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;

      4. the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;

      5. the criticality of the services affected, including the financial entity’s transactions and operations;

      6. the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.

    2. Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.

    3. The ESAs shall, through the Joint Committee and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:

      1. the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents, that are subject to the reporting obligation laid down in Article 19(1);

      2. the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to relevant competent authorities in other Member States, and the details of reports of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to Article 19(6) and (7);

      3. the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining significant cyber threats.

    4. When developing the common draft regulatory technical standards referred to in paragraph 3 of this Article, the ESAs shall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. For the purposes of applying the criteria set out in Article 4(2), the ESAs shall duly consider the need for microenterprises and small and medium-sized enterprises to mobilise sufficient resources and capabilities to ensure that ICT-related incidents are managed swiftly.

    5. The ESAs shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.

    6. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
