On 11 September 2023, the public consultation on the Draft Regulatory Technical Standards (RTS) specifying the criteria for classifying ICT-related incidents and the materiality thresholds for major incidents and significant cyber threats closed. The draft RTS were published by the European Supervisory Authorities (ESAs) under the mandate in Articles 15 and 16(3) of Regulation (EU) 2022/2554 (DORA).

To meet DORA's goal of harmonised and streamlined incident reporting, the ESAs proposed a single set of classification criteria for all financial entities (FEs) within DORA's scope, rather than entity-specific or sector-specific criteria.

For the classification of major incidents, the proposal is that an incident is deemed major if it meets the classification thresholds of either (a) two primary criteria, or (b) three or more criteria (primary and secondary combined), of which at least one is a primary criterion. The proposed primary criteria are 'Clients, financial counterparts and transactions', 'Data losses' and 'Critical services affected'.

For the classification criteria and thresholds for significant cyber threats, the ESAs proposed that the criticality of the services at risk be assessed by the potential impact on the critical or important functions of the FE, of other FEs, of third-party providers, or of clients and financial counterparts. In addition, the threat must have a high probability of materialising at the FE or at other FEs and, if it did materialise, would have to meet the conditions for a major ICT-related incident.