On 13 June 2023, the European Supervisory Authorities (ESAs) released the Draft Regulatory Technical Standards outlining criteria for classifying ICT-related incidents and materiality thresholds for major incidents and significant cyber threats, as mandated by Articles 15 and 16(3) of Regulation (EU) 2022/2554 (DORA), and opened a consultation that runs until 11 September 2023.

To achieve DORA's goal of harmonised and streamlined incident reporting rules, the ESAs proposed uniform criteria for all relevant financial entities (FEs) within DORA's scope, rather than entity-specific or sector-specific criteria.

For major incident classification, an incident would be deemed major if it meets the classification thresholds of two primary criteria, or of three or more criteria (primary and secondary combined) including at least one primary criterion. The proposed primary criteria are 'Clients, financial counterparts, and transactions', 'Data losses' and 'Critical services affected'.

Regarding the classification criteria and thresholds for significant cyber threats, the ESAs propose that the assessment of the criticality of the services at risk depend on the potential impact on critical or important functions of the FE, other FEs, third-party providers, clients or financial counterparts. The threat would also need to have a high probability of materialising at the FE or other FEs, and could meet the conditions of a major ICT-related incident if it were to occur.