Source: OJ L, 2024/1772, 25.6.2024

Article 2 Reputational impact


Summary: What does Article 2 of the RTS on incident classification say?

This article defines how financial entities should determine whether an ICT incident has caused a reputational impact, which is one of the criteria used under Article 18(1) of DORA to classify and assess incidents.

It sets out a list of qualifying conditions — any one of which is sufficient to confirm that reputational harm has occurred — and adds a layer of nuance by requiring entities to factor in the level of visibility the incident has gained or is likely to gain.

Important points:

  • Assess whether at least one reputational impact criterion has been met — media coverage, repetitive client complaints, inability to meet regulatory requirements, or likely loss of clients or financial counterparts with material business impact.
  • Consider the visibility of the incident, both actual and potential, when making your reputational impact assessment.
  • This article feeds directly into the broader incident classification framework under Article 9, where reputational impact is one of the materiality thresholds that can trigger major incident status.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met:

      1. the incident has been reflected in the media;

      2. the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships;

      3. the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident;

      4. the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident.

    2. When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1.
