Source: OJ L, 2024/1774, 25.6.2024
Article 23 Anomalous activities detection and criteria for ICT-related incidents detection and response
Summary: What does Article 23 of the RTS on ICT risk management framework say?
This article provides the operational detail behind the detection and response mechanisms that financial entities must have in place for ICT-related incidents and anomalous activities.
It builds directly on Article 10 of DORA (Regulation (EU) 2022/2554), translating that high-level requirement into concrete obligations around how detection tools must function, what data must be collected and logged, and what criteria should trigger a formal incident response process.
The article covers the full detection lifecycle: collecting and monitoring internal and external signals, generating automated alerts for critical assets, prioritising those alerts around the clock, and securely recording all findings.
It also sets out specific triggers — such as signs of malicious activity, data loss, operational disruption, or system unavailability — that financial entities must use to activate their incident detection and response processes.
Important points:
- Implement detection mechanisms that collect, monitor, and analyse internal and external signals — including logs, threat intelligence, and notifications from ICT third-party service providers — and generate automated alerts for assets supporting critical or important functions.
- Ensure all recordings of anomalous activities are logged with timestamps and type of activity, and are protected against tampering and unauthorised access at rest, in transit, and where relevant, in use.
- Use defined criteria — including indications of malicious activity, data loss, operational impact, and system unavailability — to trigger the ICT-related incident detection and response processes, also taking into account the criticality of the services affected.
The above is Springlex's summary of the article, a reading aid, not a substitute for the legal text, which follows.
Financial entities shall set clear roles and responsibilities to effectively detect and respond to ICT-related incidents and anomalous activities.
The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:
(a) collect, monitor, and analyse all of the following:
    (i) internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
    (ii) potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
    (iii) ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
(b) identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
(c) prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
(d) record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.
For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
Financial entities shall protect any recording of the anomalous activities against tampering and unauthorised access at rest, in transit and, where relevant, in use.
Financial entities shall log all relevant information for each detected anomalous activity enabling:
(a) the identification of the date and time of occurrence of the anomalous activity;
(b) the identification of the date and time of detection of the anomalous activity;
(c) the identification of the type of the anomalous activity.
Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:
(a) indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
(b) data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
(c) adverse impact detected on financial entity’s transactions and operations;
(d) ICT systems’ and network unavailability.
For the purposes of paragraph 5, financial entities shall also consider the criticality of the services affected.
Relevant recitals
Recital 9 Encryption and cryptographic controls
Cryptographic controls can ensure the availability, authenticity, integrity, and confidentiality of data. Financial entities referred to in Title II of this Regulation should therefore identify and implement such controls on the basis of a risk-based approach. To that end, financial entities should encrypt the data concerned at rest, in transit or, where necessary, in use, on the basis of the results of a two-pronged process, namely data classification and a comprehensive ICT risk assessment. Given the complexity of encrypting data in use, financial entities referred to in Title II of this Regulation should encrypt data in use only where that would be appropriate in light of the results of the ICT risk assessment. Financial entities referred to in Title II of this Regulation should, however, be able, where encryption of data in use is not feasible or is too complex, to protect the confidentiality, integrity, and availability of the data concerned through other ICT security measures. Given the rapid technological developments in the field of cryptographic techniques, financial entities referred to in Title II of this Regulation should remain abreast of relevant developments in cryptanalysis and consider leading practices and standards. Financial entities referred to in Title II of this Regulation should hence follow a flexible approach, based on risk mitigation and monitoring, to deal with the dynamic landscape of cryptographic threats, including threats from quantum advancements.
Recital 19 Detection of anomalous activities
To guarantee an early and effective detection of anomalous activities, financial entities referred to in Title II of this Regulation should collect, monitor, and analyse the different sources of information and should allocate related roles and responsibilities. As regards internal sources of information, logs are an extremely relevant source, but financial entities should not rely on logs alone. Instead, financial entities should consider broader information to include what is reported by other internal functions, as those functions are often a valuable source of relevant information. For the same reason, financial entities should analyse and monitor information gathered from external sources, including information provided by ICT third-party providers on incidents affecting their systems and networks, and other sources of information that financial entities consider relevant. In so far as such information constitutes personal data, the Union data protection law applies. The personal data should be limited to what is necessary for the incident detection.
Recital 20 Incident evidence retention
To facilitate ICT-related incidents detection, financial entities should retain evidence of those incidents. To ensure, on the one hand, that such evidence is retained sufficiently long and to avoid, on the other hand, an excessive regulatory burden, financial entities should determine the retention period considering, among other things, the criticality of the data and retention requirements stemming from Union law.
Recital 21 Comprehensive triggers for ICT-related incidents
To ensure that ICT-related incidents are detected in time, financial entities referred to in Title II of this Regulation should consider the criteria identified for triggering the detection of and responses to ICT-related incidents as not exhaustive. Moreover, while financial entities should consider each of those criteria, the circumstances described in the criteria should not need to occur simultaneously and the importance of the affected ICT services should be appropriately considered to trigger ICT-related incident detection and response processes.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definitions
Defined terms: ICT risk; ICT third-party service provider; ICT asset; network and information system; cyber threat; threat intelligence; cyber-attack; information asset; ICT services; ICT-related incident; critical or important function.