Source: OJ L, 2024/1772, 25.6.2024

Current language: EN

Article 8 Major incidents

Summary What does Article 8 of the RTS on incident classification say?

This is a pivotal classification article that defines exactly when an incident crosses the threshold to become a "major incident" triggering the reporting obligations under Article 19(1) of DORA.

It draws directly on the criteria and materiality thresholds established in Articles 6 and 9, acting as the decision-making gateway that ties those detailed criteria together.

Notably, the article also addresses a more nuanced scenario: repeated smaller incidents that do not individually qualify as major can be aggregated and treated as a single major incident if certain conditions are met, closing a potential loophole.

Important points:

  • Ensure you classify an incident as major where it affects critical services and either meets the specific data-loss/unauthorised-access threshold or meets two or more of the other materiality thresholds from Article 9.
  • Assess recurring incidents on a monthly basis, as incidents sharing the same root cause and occurring at least twice within 6 months may collectively constitute one major incident.
  • The recurring incidents aggregation rule does not apply to microenterprises or financial entities listed in Article 16(1) of Regulation (EU) 2022/2554.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled:

      1. the materiality threshold referred to in Article 9(5), point (b), is met;

      2. two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met.

    1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions:

      1. they have occurred at least twice within 6 months;

      2. they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554;

      3. they collectively fulfil the criteria for being considered a major incident set out in paragraph 1.

    2. Financial entities shall assess the existence of recurring incidents on a monthly basis.

    3. This paragraph does not apply to microenterprises and to financial entities listed in Article 16(1) of Regulation (EU) 2022/2554.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod