Source: OJ L, 2024/1772, 25.6.2024
ENPreamble Recitals
Recital 1 Simple, harmonised and consistent criteria and thresholds
Regulation (EU) 2022/2554 aims to harmonise and streamline reporting requirements for ICT-related incidents means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and for operational or security payment-related incidents means a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity; concerning credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1)., payment institutions means a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;, account information service providers means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;, and electronic money institutions means an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; (‘incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;’). Considering that the reporting requirements cover 20 different types of financial entitiesas defined in Article 2, points (a) to (t), the classification criteria and the materiality thresholds for determining major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; should be specified in a simple, harmonised and consistent way that takes into account the specificities of the services and activities of all relevant financial entitiesas defined in Article 2, points (a) to (t).
Recital 2 Principle of proportionality
In order to ensure proportionality, the classification criteria and the materiality thresholds should reflect the size and overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and the nature, scale and complexity of the services of all financial entitiesas defined in Article 2, points (a) to (t). Moreover, the criteria and materiality thresholds should be designed in such a way that they apply consistently to all financial entitiesas defined in Article 2, points (a) to (t), irrespective of their size and risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile, and do not pose unproportional reporting burden to smaller financial entitiesas defined in Article 2, points (a) to (t). However, in order to address situations where a significant number of clients are affected by an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; which as such does not exceed the applicable threshold, an absolute threshold mainly targeted at larger financial entitiesas defined in Article 2, points (a) to (t) should be set out.
Recital 3 Alignment towards other guidelines
In relation to incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting frameworks, which have existed prior to the entry into force of Regulation (EU) 2022/2554, continuity for financial entitiesas defined in Article 2, points (a) to (t) should be ensured. Therefore, the classification criteria and materiality thresholds should be aligned with and inspired by the EBA Guidelines on major incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting under Directive (EU) 2015/2366 of the European Parliament and of the Council (2)Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj)., the Guidelines on periodic information and notification of material changes to be submitted to ESMA by Trade Repositories means a trade repository as defined in Article 2, point (2), of Regulation (EU) No 648/2012;, the ECB/SSM Cyber Incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; Reporting Framework and other relevant guidance. The classification criteria and thresholds should also be suitable for the financial entitiesas defined in Article 2, points (a) to (t) that have not been subject to incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reporting requirements prior to Regulation (EU) 2022/2554.
Recital 4 Meaning of transactions
With regard to the classification criterion ‘amount and number of transactions affected’, the notion of transactions is broad and covers different activities and services across the sectorial acts applicable to financial entitiesas defined in Article 2, points (a) to (t). For the purposes of that classification criterion, payment transactions and all forms of exchange of financial instruments, crypto-assets, commodities, or any other assets, also in form of margin, collateral or pledge, both against cash and against any other asset, should be covered. All transactions that involve assets whose value can be expressed in a monetary amount should be considered for classification purposes.
Recital 5 Cyber attacks
The classification criteria should ensure that all relevant types of major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; are captured. Cyber attacks related to intrusion into network or information systems may not necessarily be captured by many classification criteria. However, they are important since any intrusion in network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; may harm the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Accordingly, the classification criteria ‘critical services affected’ and ‘data losses’ should be specified in such a way as to capture these types of major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, in particular unauthorised intrusions which, even if the impacts are not immediately known, may lead to serious consequences, in particular data breaches and data leakages.
Recital 6 Consistent assessment of the economic impact of an incident
Since credit institutions means a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (^32^); Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). are subject both to the framework for classification of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; under Article 18 of Regulation (EU) 2022/2554 and to the operational risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; framework under Commission Delegated Regulation (EU) 2018/959 (3)Commission Delegated Regulation (EU) 2018/959 of 14 March 2018 supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards of the specification of the assessment methodology under which competent authorities permit institutions to use Advanced Measurement Approaches for operational risk (OJ L 169, 6.7.2018, p. 1, ELI: http://data.europa.eu/eli/reg_del/2018/959/oj)., the approach for assessing the economic impact of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; based on the calculation of costs and losses should, to the greatest possible extent, be consistent across both frameworks to avoid introducing incompatible or contradicting requirements.
Recital 7 The geographical spread criterion
The criterion in relation to the geographical spread of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; set out in Article 18(1), point (c), of Regulation (EU) 2022/2554 should focus on the cross-border impact of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, since the impact of an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; on the activities of a financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; within a single jurisdiction will be captured by the other criteria set out in that Article.
Recital 8 Weighting of criteria
Given that the classification criteria are interdependent and linked to each other, the approach for identifying major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; which are to be reported in accordance with Article 19(1) of Regulation (EU) 2022/2554 should be based on a combination of criteria, where some criteria that are closely related to the definitions of an ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity; set out in Article 3(8) and (10) of Regulation (EU) 2022/2554 should have more prominence in the classification of major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; than other criteria.
Recital 9 Focus of materiality thresholds
With a view to ensure that the reports on and notifications of major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; received by competent authoritiesas defined in Article 46 under Article 19(1) of Regulation (EU) 2022/2554 serve both for supervisory purposes and for the prevention of contagion across the financial sector, the materiality thresholds should make it possible to capture major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, by focusing, inter alia, on the impact on entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; specific critical services, the specific absolute and relative thresholds of clients or financial counterparts, transactions that indicate a material impact on the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, and the significance of the impact in other Member States.
Recital 10 Critical services
Incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that affect ICT services means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services; or network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; that support critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, or financial services requiring authorisation or malicious unauthorised access to network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; that support critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;, should be considered as incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting critical services of the financial entitiesas defined in Article 2, points (a) to (t). Malicious, unauthorised access to network and information systems means: an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; that support critical or important functions means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law; of financial entitiesas defined in Article 2, points (a) to (t) poses serious risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and, as they may affect other financial entitiesas defined in Article 2, points (a) to (t), should always be considered as major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; which are to be reported.
Recital 11 Recurring incidents
Recurring incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that are linked through a similar apparent root cause, which individually are not major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, can indicate significant deficiencies and weaknesses in the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management procedures. Therefore, recurring incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; should be considered as major collectively where they occur repeatedly over a certain period of time.
Recital 12 Classification of a cyber threats
Considering that cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; can have a negative impact on the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and sector, the significant cyber threats means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; which financial entitiesas defined in Article 2, points (a) to (t) may submit should indicate the probability of materialisation and the criticality of the potential impact. Accordingly, to ensure a clear and consistent assessment of the significance of cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, the classification of a cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; as significant should be dependent on the likelihood that the classification criteria for major incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and their threshold would be met if the threat had materialised, on the type of cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and on the information available to the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.
Recital 13 Other member states
Considering that competent authoritiesas defined in Article 46 in other Member States are to be notified of incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; that impact financial entitiesas defined in Article 2, points (a) to (t) and customers in their jurisdiction, the assessment of the impact in another jurisdiction in accordance with Article 19(7) of Regulation (EU) 2022/2554 should be based on the root cause of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, on potential contagion through third-party providers and on financial market infrastructures, as well as on the impact of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; on significant groups means a group as defined in Article 2, point (11), of Directive 2013/34/EU; of clients or financial counterparts.
Recital 14 Forwarding of all information
The reporting and notification processes referred to in Article 19(6) and (7) of Regulation (EU) 2022/2554 should allow the respective recipients to assess the impact of the incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;. Therefore, the transmitted information should cover all details contained in the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; reports submitted by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to the competent authorityas defined in Article 46.
Recital 15 Personal data processing
Where an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; constitutes a personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; breach according to Regulation (EU) 2016/679 of the European Parliament and of the Council (4)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj). and Directive 2002/58/EC of the European Parliament and of the Council (5)Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj)., this Regulation should not affect the recording and notification obligations for personal data means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; breaches set out in those Union laws. The competent authoritiesas defined in Article 46 should cooperate and exchange information about all relevant matters with the authorities referred to in Regulation (EU) 2016/679 and Directive 2002/58/EC.
Recital 16 Draft regulatory technical standards from ESAs
This Regulation is based on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). submitted to the Commission by the European Supervisory Authorities, in consultation with the European Union Agency for Cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (ENISA) and the European Central bank (ECB).
Recital 17 Open public consultations
The Joint Committee means the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010; of the European Supervisory Authorities referred to in Article 54 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (6)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., in Article 54 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (7)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj). and in Article 54 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (8)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj). has conducted open public consultations on the draft regulatory technical standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). on which this Regulation is based, analysed the potential costs and benefits of the proposed standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and requested advice of the Banking Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1093/2010, the Insurance and Reinsurance Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the Occupational Pensions Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1094/2010, and the Securities and Markets Stakeholder Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; established in accordance with Article 37 of Regulation (EU) No 1095/2010,
Recital 18 European Data Protection Supervisor consultation
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered an opinion on 24 January 2024,