Source: OJ L, 2024/1772, 25.6.2024
Article 10 High materiality thresholds for determining significant cyber threats
Summary: What does Article 10 of the RTS on incident classification say?
This article defines the conditions under which a cyber threat is considered "significant," which is the trigger for voluntary notification obligations under Article 18(2) of DORA.
It builds directly on the materiality thresholds established in Articles 6 and 9 of this Regulation, effectively linking the threat notification framework to the same benchmarks used for classifying actual major incidents.
All three conditions must be met simultaneously: the threat must have the potential to impact critical functions or other parties, it must carry a high probability of materialising, and it must be capable of meeting certain materiality thresholds if it were to materialise.
Important points:
- Assess whether a cyber threat meets all three cumulative conditions before classifying it as significant and triggering notification obligations.
- The probability of materialisation must be evaluated using available information on system vulnerabilities, threat actor capabilities and intent, and the persistence of the threat.
- The materiality thresholds relating to reputational impact, duration, data losses, and economic impact may also be considered, but are not mandatory elements of the assessment.
This is Springlex's summary of the article: a reading aid, not a substitute for the legal text.
1. For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled:
  (a) the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity;
  (b) the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements:
    (i) applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited;
    (ii) the capabilities and intent of threat actors to the extent known by the financial entity;
    (iii) the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts;
  (c) the cyber threat could, if materialised, meet any of the following:
    (i) the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation;
    (ii) the materiality threshold set out in Article 9(1);
    (iii) the materiality threshold set out in Article 9(4).
2. Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.