Source: OJ L, 2024/2690, 18.10.2024
Article 4 Recurring incidents
Summary
What does Article 4 of the Cybersecurity measures and significant incidents for relevant entities say?
This article establishes an important aggregation rule that directly extends the significance thresholds set out in Article 3.
Where individual incidents would not qualify as significant on their own, Article 4 provides that they can be treated collectively as a single significant incident if certain conditions are met together.
It is essentially a safeguard against repeated low-level incidents being overlooked simply because no single occurrence crosses the reporting threshold.
Important points:
- Relevant entities must treat multiple individually non-significant incidents as one significant incident if all three cumulative conditions are satisfied simultaneously.
- The three conditions are: the incidents occurred at least twice within 6 months, share the same apparent root cause, and collectively meet the financial impact threshold in Article 3(1)(a).
- All three criteria must be met together — this is a conjunctive test, not a disjunctive one.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Incidents that individually are not considered a significant incident within the meaning of Article 3 shall be considered collectively as one significant incident where they meet all of the following criteria:
- (a) they have occurred at least twice within 6 months;
- (b) they have the same apparent root cause;
- (c) they collectively meet the criteria set out in Article 3(1)(a).
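The conjunctive test in Article 4 can be applied mechanically to an entity's incident register. The following is an added worked example, not part of the regulation or of Springlex's material: it groups incidents that are not significant on their own by their recorded apparent root cause, looks for any calendar six-month window holding at least two of them, and checks whether the losses inside that window together reach the Article 3(1)(a) threshold. The threshold value is not on this page, so it is passed in as a parameter (the `PLACEHOLDER_THRESHOLD_EUR` constant is a made-up figure); the sample incidents, the euro unit for loss, the use of calendar-month arithmetic for "within 6 months", and the choice to sum only the losses inside the window are all assumptions of the example.

```python
import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    """One entry of the entity's incident register (structure assumed for this example)."""
    incident_id: str
    occurred: date
    apparent_root_cause: str    # root-cause label assigned during incident handling
    financial_loss_eur: float   # loss attributed to this incident (unit assumed: EUR)
    significant_alone: bool     # True if the incident is already significant under Article 3


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month (helper)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def recurring_significant(incidents, loss_threshold_eur):
    """Return {root_cause: [incident ids]} for groups that Article 4 makes collectively significant.

    All three criteria must hold at once: at least two incidents inside one six-month
    window, the same apparent root cause, and a combined loss reaching the threshold.
    """
    by_cause = defaultdict(list)
    for inc in incidents:
        # Article 4 only aggregates incidents that are NOT significant on their own.
        if not inc.significant_alone:
            by_cause[inc.apparent_root_cause].append(inc)

    flagged = {}
    for cause, group in by_cause.items():
        group.sort(key=lambda i: i.occurred)
        # Slide a six-month window starting at each incident in turn.
        for start, first in enumerate(group):
            window_end = add_months(first.occurred, 6)
            window = [i for i in group[start:] if i.occurred <= window_end]
            if len(window) >= 2 and sum(i.financial_loss_eur for i in window) >= loss_threshold_eur:
                flagged[cause] = [i.incident_id for i in window]
                break  # first qualifying window is enough to trigger the rule
    return flagged


# Constructed sample register (not real data); threshold is a placeholder, not the legal figure.
PLACEHOLDER_THRESHOLD_EUR = 250_000
SAMPLE_INCIDENTS = [
    Incident("INC-A", date(2024, 1, 10), "expired-tls-certificate", 120_000, False),
    Incident("INC-H", date(2024, 2, 15), "expired-tls-certificate", 900_000, True),   # significant alone, excluded
    Incident("INC-B", date(2024, 3, 5),  "expired-tls-certificate", 150_000, False),  # with INC-A: 270k in window
    Incident("INC-C", date(2024, 11, 20), "expired-tls-certificate", 50_000, False),  # outside INC-A's window
    Incident("INC-D", date(2024, 2, 1),  "phishing-credential-theft", 60_000, False),
    Incident("INC-E", date(2024, 9, 15), "phishing-credential-theft", 300_000, False), # >6 months after INC-D
    Incident("INC-F", date(2024, 5, 1),  "misconfigured-firewall", 40_000, False),
    Incident("INC-G", date(2024, 5, 20), "misconfigured-firewall", 30_000, False),     # 70k: below threshold
]


def demo():
    return recurring_significant(SAMPLE_INCIDENTS, PLACEHOLDER_THRESHOLD_EUR)


if __name__ == "__main__":
    for cause, ids in demo().items():
        print(f"Article 4 group ({cause}): {', '.join(ids)}")
```

Only the certificate-expiry pair is flagged: the phishing incidents share a root cause and exceed the threshold together but fall more than six months apart, and the firewall pair recurs within the window but its combined loss is too small. Each case fails exactly one of the three criteria, which is what a conjunctive test requires.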
Relevant recitals
Recital 40 Recurring incidents
Recurring incidents that are linked through the same apparent root cause, which individually do not meet the criteria of a significant incident, should collectively be considered to be a significant incident, provided that they collectively meet the criterion for financial loss, and that they have occurred at least twice within six months. Such recurring incidents can indicate significant deficiencies and weaknesses in the relevant entity’s cybersecurity risk management procedures and their level of cybersecurity maturity. Moreover, such recurring incidents are capable of causing significant financial loss for the relevant entity.
This text, provided by Springlex, is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
network and information system
- (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;