Article 10 High materiality thresholds for determining significant cyber threats


  1. For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled:

    1. the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity;

    2. the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements:

      1. applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited;

      2. the capabilities and intent of threat actors to the extent known by the financial entity;

      3. the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts;

    3. the cyber threat could, if materialised, meet any of the following:

      1. the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation;

      2. the materiality threshold set out in Article 9(1);

      3. the materiality threshold set out in Article 9(4).

  2. Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered.
