Article 9 Materiality thresholds for determining major incidents


    1. The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met where any of the following conditions are fulfilled:

      1. the number of affected clients is higher than 10 % of all clients using the affected service;

      2. the number of affected clients using the affected service is higher than 100000;

      3. the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service;

      4. the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service;

      5. the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service;

      6. clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected.

    2. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods.

    1. The materiality threshold for the criterion ‘reputational impact’ is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled.

    1. The materiality threshold for the criterion ‘duration and service downtime’ is met where any of the following conditions are fulfilled:

      1. the duration of the incident is longer than 24 hours;

      2. the service downtime is longer than 2 hours for ICT services that support critical or important functions.

    1. The materiality threshold for the criterion ‘geographical spread’ is met where the incident has an impact in two or more Member States in accordance with Article 4.

    1. The materiality threshold for the criterion ‘data losses’ is met where any of the following conditions are fulfilled:

      1. any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements;

      2. any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses.

    1. The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100000 euro.
