European Union: Closed consultation on Draft Regulatory Technical Standards on the criteria for classification of ICT related incidents, materiality thresholds for major incidents/significant cyber threats under DORA

Description

On 11 September 2023, the public consultation closed on the Draft Regulatory Technical Standards outlining criteria for classifying ICT-related incidents and materiality thresholds for major incidents and significant cyber threats. The draft was released by the European Supervisory Authorities (ESAs) and is mandated by Articles 15 and 16(3) of Regulation (EU) 2022/2554 (DORA). To achieve DORA's goal of harmonised and streamlined incident reporting rules, the ESAs proposed uniform criteria for all relevant financial entities (FEs) under DORA's scope, rather than entity-specific or sector-specific criteria. For major incident classification, incidents were proposed to be deemed major if they meet the classification thresholds of two primary criteria or three or more criteria (both primary and secondary), including at least one primary criterion. The proposed primary criteria are 'Clients, financial counterparts, and transactions,' 'Data losses,' and 'Critical services affected.' Regarding classification criteria and thresholds for significant cyber threats, the ESAs proposed that the assessment of the criticality of at-risk services depend on the potential impact on critical or important functions of the FE, other FEs, third-party providers, clients, or financial counterparts. The threat must also have a high probability of materialising at the FE or other FEs and be one that could meet the conditions of a major ICT-related incident if it were to occur.

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
digital payment provider (incl. cryptocurrencies), DLT development, infrastructure provider: cloud computing, storage and databases
Implementation Level
supranational
Government Branch
executive
Government Body
central government

Complete timeline of this policy change

2023-06-13
in consultation

On 13 June 2023, the European Supervisory Authorities (ESAs) released the Draft Regulatory Technica…

2023-09-11
processing consultation

On 11 September 2023, the public consultation on the Draft Regulatory Technical Standards outlining…

2024-01-10
under deliberation

On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a dr…
