Source: OJ L 333, 27.12.2022, p. 1–79
Article 18 Classification of ICT-related incidents and cyber threats
Summary: What does Article 18 of the DORA regulation say?
This article establishes the classification framework that financial entities must use when assessing ICT-related incidents and cyber threats.
It feeds directly into the reporting obligations set out in Article 19, as the severity classifications determined here dictate what must be reported to competent authorities.
The article sets out concrete criteria for judging the impact of an incident — such as how many clients are affected, how long the disruption lasts, whether multiple Member States are involved, and what economic damage results.
Separately, it requires financial entities to classify cyber threats as significant using a comparable but distinct set of criteria.
The ESAs are then tasked with developing regulatory technical standards to sharpen these classifications further, including by setting materiality thresholds.
Important points:
- Classify ICT-related incidents using six defined criteria covering client impact, duration, geographical spread, data loss, service criticality, and economic damage.
- Classify cyber threats as significant based on the criticality of services at risk, clients or counterparts targeted, and geographical spread.
- The ESAs are required to develop regulatory technical standards to further specify the classification criteria and materiality thresholds, including consideration of the resource constraints of microenterprises and SMEs.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
- (a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
- (b) the duration of the ICT-related incident, including the service downtime;
- (c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
- (d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
- (e) the criticality of the services affected, including the financial entity’s transactions and operations;
- (f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
2. Financial entities shall classify cyber threats as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, the number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
3. The ESAs shall, through the Joint Committee and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:
- (a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents or, as applicable, major operational or security payment-related incidents, that are subject to the reporting obligation laid down in Article 19(1);
- (b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to relevant competent authorities in other Member States, and the details of reports of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to Article 19(6) and (7);
- (c) the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining significant cyber threats.
4. When developing the common draft regulatory technical standards referred to in paragraph 3 of this Article, the ESAs shall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. For the purposes of applying the criteria set out in Article 4(2), the ESAs shall duly consider the need for microenterprises and small and medium-sized enterprises to mobilise sufficient resources and capabilities to ensure that ICT-related incidents are managed swiftly.
The ESAs shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Defined terms used in this article:
- central counterparty
- trading venue
- major operational or security payment-related incident
- network and information system
- trade repository
- cyber threat
- Joint Committee
- medium-sized enterprise
- significant cyber threat
- microenterprise
- major ICT-related incident
- small enterprise
- operational or security payment-related incident
- ICT-related incident
- critical or important function
- central securities depository