Enacted Commission Delegated Regulation on the criteria for classifying ICT Incidents

On June 25, 2024, Commission Delegated Regulation (EU) 2024/1772 of March 13, 2024, was published in the Official Journal of the European Union, supplementing Regulation (EU) 2022/2554 (the “DORA” Regulation).

In line with the objective of the DORA Regulation, which aims to harmonize and streamline reporting obligations related to information and communication technology (ICT) incidents, the new Regulation supplements DORA with technical standards on the criteria for classifying ICT incidents and cyber threats, the materiality thresholds, and the details to be reported for major incidents.

The classification criteria and materiality thresholds introduced by the new Regulation respect the principle of proportionality: they reflect the size and overall risk profile of financial entities, as well as the nature and complexity of the services they offer, so that the rules apply to all financial entities regardless of size without imposing an excessive burden on the smallest ones.
Furthermore, they are consistent with the EBA guidelines on major incident reporting, the ESMA guidelines on periodic information and notification of material changes by trade repositories, and the BCE/SSM framework for cyber incident reporting.

Among the main criteria for classifying ICT incidents, the following should be mentioned, inter alia:

  • Number of clients or financial counterparties affected, and the number or amount of transactions affected. The concept of “transaction” covers payment operations and exchanges of financial instruments, crypto-assets, commodities, or other assets;
  • Critical services affected and data losses, two criteria aimed at detecting unauthorized intrusions that could have severe consequences, such as breaches and data leaks;
  • Geographical spread of an incident, which focuses on its cross-border impact.

To identify the major ICT incidents that must be reported, an approach based on a combination of these criteria is to be applied rather than assessing any single criterion in isolation.

As for the materiality thresholds for reporting, these allow major incidents to be identified by focusing on (i) the impact on critical services, (ii) the thresholds for clients or financial counterparties affected, (iii) transactions having a particular impact on the financial entity, and (iv) the materiality of the impact in other Member States.

Accordingly, incidents affecting ICT services that support critical functions, malicious and unauthorized access to systems, and recurring incidents are considered major.