Article 18 Classification of ICT-related incidents and cyber threats
TL;DR
The Digital Operational Resilience Act (DORA) from the EU requires financial entities to classify ICT-related incidents and cyber threats based on criteria such as the number of affected clients, the amount or number of transactions affected, the duration of the incident and the data losses that the incident entails. The European Supervisory Authorities (ESAs) have been tasked with developing common draft regulatory technical standards further specifying the criteria that financial entities should use for classification and for the assessment of relevance. The ESAs must take into account criteria and international standards developed by ENISA and must consider the needs of microenterprises and small and medium-sized enterprises. The ESAs must submit the common draft regulatory technical standards to the Commission by 17 January 2024, and the Commission is delegated the power to supplement the Regulation by adopting them.
1. Financial entities (as defined in Article 2, points (a) to (t)) shall classify ICT-related incidents (an ICT-related incident means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity) and shall determine their impact based on the following criteria:
(a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
(b) the duration of the ICT-related incident, including the service downtime;
(c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
(d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
(e) the criticality of the services affected, including the financial entity’s transactions and operations;
(f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
Note: this paragraph is expanded on in a regulatory technical standard.
2. Financial entities shall classify cyber threats (‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881) as significant based on the criticality of the services at risk, including the financial entity’s transactions and operations, the number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
Note: this paragraph is expanded on in a regulatory technical standard.
3. The ESAs (European Supervisory Authorities) shall, through the Joint Committee (the committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010) and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:
(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents (a major ICT-related incident means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity) or, as applicable, major operational or security payment-related incidents (a major operational or security payment-related incident means an operational or security payment-related incident that has a high adverse impact on the payment-related services provided), that are subject to the reporting obligation laid down in Article 19(1);
(b) the criteria to be applied by competent authorities (as defined in Article 46) for the purpose of assessing the relevance of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to relevant competent authorities in other Member States, and the details of reports of major ICT-related incidents or, as applicable, major operational or security payment-related incidents, to be shared with other competent authorities pursuant to Article 19(6) and (7);
(c) the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining significant cyber threats (a significant cyber threat means a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident).
Note: this paragraph allows for application of the proportionality principle according to Article 4.
4. When developing the common draft regulatory technical standards referred to in paragraph 3 of this Article, the ESAs shall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. For the purposes of applying the criteria set out in Article 4(2), the ESAs shall duly consider the need for microenterprises (a microenterprise means a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million) and small and medium-sized enterprises (a medium-sized enterprise means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million) to mobilise sufficient resources and capabilities to ensure that ICT-related incidents are managed swiftly.
The ESAs shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.