Article 1 Indicators to classify the level of gravity of breaches


This is a draft act

This text has been parsed from the AMLA consultation paper draft as published on 9 February 2026. While we run a suite of validations, the automated parsing can result in errors. Also, before it is finally adopted by the Commission, its wording, numbering and references may change, and entire articles might be removed or added.

Summary

What does Article 1 of the RTS on pecuniary sanctions and administrative measures say?

This foundational article establishes the full set of indicators that supervisors must consider when classifying the gravity of a breach committed by an obliged entity.

It serves as the diagnostic framework that feeds directly into Article 2, which uses these indicators to assign breaches to one of four severity categories.

The indicators span a wide range of dimensions, from how long the breach lasted and whether it was repeated, to its impact on AML/CFT controls, its potential to have facilitated criminal activity, and its broader effect on financial system stability.

Supervisors also retain discretion to apply additional indicators beyond those listed.

Important points:

  • Supervisors are required to assess all applicable indicators from this article as the basis for classifying the gravity of any breach.
  • The indicators cover both the internal impact on the obliged entity, such as effects on AML/CFT systems and the number of customers affected, and external impact, including risks to financial stability and potential facilitation of criminal activity.
  • Supervisors retain the ability to identify and apply additional indicators beyond those explicitly listed in this article.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. To classify the level of gravity of a breach, supervisors shall take into account all of the following indicators, to the extent that they apply:

    1. the duration of the breach;

    2. the repetition of the breach;

    3. the conduct of the natural person or legal person that committed, permitted or did not prevent the breach;

    4. the impact of the breach on the obliged entity, by assessing:

      1. whether the breach concerns the obliged entity and whether it has an impact at group level or any cross-border impact;

      2. the extent to which the products and services are affected by the breach;

      3. the approximate number of customers affected by the breach;

      4. the extent to which the effectiveness of the AML/CFT systems, controls and policies are affected by the breach;

    5. the impact of the breach on the exposure of the obliged entity, or of the group to which it belongs, to money laundering and terrorist financing risks;

    6. the nature of the breach, by assessing whether the breach is related to internal policies, procedures and controls of the obliged entity, customer due diligence, reporting obligations or records retention;

    7. whether the breach could have facilitated or otherwise led to criminal activities as defined in Article 2(1), point (3), of Regulation (EU) 2024/1624;

    8. whether there is a structural failure within the obliged entity with regards to AML/CFT systems, controls or policies or a material failure of the entity to put in place adequate AML/CFT systems, controls or policies;

    9. the actual or potential impact of the breach on the financial viability of the obliged entity or of the group of which the obliged entity is part;

    10. the actual or potential impact of the breach:

      1. on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole;

      2. on the orderly functioning of the financial markets;

    11. the systematic nature of the breach;

    12. any other indicator identified by the supervisors.
