ICT incident classification

Preamble (Recitals 1 – 18)

Recitals

Chapter I (Articles 1 – 7)

Classification criteria

Article 1

Clients, financial counterparts and transactions

Article 2

Reputational impact

Article 3

Duration and service downtime

Article 4

Geographical spread

Article 5

Data losses

Article 6

Criticality of services affected

Article 7

Economic impact

Chapter II (Articles 8 – 9)

Major incidents and materiality thresholds

Article 8

Major incidents

Article 9

Materiality thresholds for determining major incidents

Chapter III (Article 10)

Significant cyber threats

Article 10

High materiality thresholds for determining significant cyber threats

Chapter IV (Articles 11 – 12)

Relevance of major incidents to competent authorities in other Member States and details of reports to be shared with other competent authorities

Article 11

Relevance of major incidents to competent authorities in other Member States

Article 12

Details of major incidents to be shared with other competent authorities

Chapter V (Article 13)

Final provisions

Article 13

Entry into force

Recital 5

The classification criteria should ensure that all relevant types of major incidents are captured. Cyber attacks related to intrusion into network or information systems may not necessarily be captured by many classification criteria. However, they are important since any intrusion in network and information systemsmeans a network and information system as defined in Article 6, point 1, of Directive (EU) 2022/2555; may harm the financial entity. Accordingly, the classification criteria ‘critical services affected’ and ‘data losses’ should be specified in such a way as to capture these types of major incidents, in particular unauthorised intrusions which, even if the impacts are not immediately known, may lead to serious consequences, in particular data breaches and data leakages.
Table of contents