High materiality thresholds for determining significant cyber threats


For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat (as defined in Article 2, point (8), of Regulation (EU) 2019/881: any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons) shall be considered significant where all of the following conditions are fulfilled:

  (a) the cyber threat, if materialised, could affect or could have affected critical or important functions (a function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law) of the financial entity, or could affect other financial entities (as defined in Article 2, points (a) to (t)), third-party providers, clients or financial counterparts, based on information available to the financial entity;

  (b) the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements:

    (i) applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities (a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited) of the systems of the financial entity that can be exploited;

    (ii) the capabilities and intent of threat actors to the extent known by the financial entity;

    (iii) the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts;

  (c) the cyber threat could, if materialised, meet any of the following:

    (i) the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation;

    (ii) the materiality threshold set out in Article 9(1);

    (iii) the materiality threshold set out in Article 9(4).

Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered.