On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a draft Regulatory Technical Standard (RTS) on the criteria for classifying major ICT-related incidents and significant cyber threats under DORA. The RTS aims to harmonise the criteria and thresholds for classifying and reporting major ICT-related incidents across financial sectors, so that cyber risks can be monitored and responded to more consistently. Under the draft, an incident would be classified as major if it affects critical services and either involves a loss of data or meets any two of the remaining classification criteria. Those criteria are assessed against a mix of absolute and relative thresholds, so that the classification remains proportionate for firms of different sizes. Testing of the proposed standard showed that it captures all prominent incidents while reducing over-reporting. The European Commission will now review the draft technical standard with a view to adopting it.