ICT incident classification

Preamble (Recitals 1 – 18)

Recitals

Chapter I (Articles 1 – 7)

Classification criteria

Article 1

Clients, financial counterparts and transactions

Article 2

Reputational impact

Article 3

Duration and service downtime

Article 4

Geographical spread

Article 5

Data losses

Article 6

Criticality of services affected

Article 7

Economic impact

Chapter II (Articles 8 – 9)

Major incidents and materiality thresholds

Article 8

Major incidents

Article 9

Materiality thresholds for determining major incidents

Chapter III (Article 10)

Significant cyber threats

Article 10

High materiality thresholds for determining significant cyber threats

Chapter IV (Articles 11 – 12)

Relevance of major incidents to competent authorities in other Member States and details of reports to be shared with other competent authorities

Article 11

Relevance of major incidents to competent authorities in other Member States

Article 12

Details of major incidents to be shared with other competent authorities

Chapter V (Article 13)

Final provisions

Article 13

Entry into force

Recital 1

Regulation (EU) 2022/2554 aims to harmonise and streamline reporting requirements for ICT-related incidentsmeans a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity; and for operational or security payment-related incidentsmeans a single event or a series of linked events unplanned by the financial entities referred to in Article 2(1), points (a) to (d), whether ICT-related or not, that has an adverse impact on the availability, authenticity, integrity or confidentiality of payment-related data, or on the payment-related services provided by the financial entity; concerning credit institutionsmeans a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32);, payment institutionsmeans a payment institution as defined in Article 4, point (4), of Directive (EU) 2015/2366;, account information service providersmeans an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366;, and electronic money institutionsmeans an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council; (‘incidents’). Considering that the reporting requirements cover 20 different types of financial entitiesas defined in Article 2, points (a) to (t), the classification criteria and the materiality thresholds for determining major incidents and significant cyber threatsmeans a cyber threat the technical characteristics of which indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident; should be specified in a simple, harmonised and consistent way that takes into account the specificities of the services and activities of all relevant financial entitiesas defined in Article 2, points (a) to (t).
Table of contents