Article 16 Digital Operational Resilience Act (DORA), Classification of ICT-Related Incidents

Effective management of ICT-related incidents requires a structured approach to classify and assess their impact. Financial entities must adopt specific criteria to categorize these incidents and evaluate their consequences comprehensively. This structured classification and impact assessment ensure that incidents are managed efficiently, minimizing disruption and mitigating potential risks.

Criteria For Classification

Financial entities must classify ICT-related incidents based on the following criteria:

• Affected Users and Reputational Impact:

• User Impact: Assess the number of users or financial counterparts affected by the incident. This includes both direct and indirect users of the entity’s services.

• Reputational Damage: Evaluate any reputational damage resulting from the incident. This involves considering public perception, media coverage, and the potential loss of customer trust.

• Incident Duration:

• Service Downtime: Measure the length of the incident, including any downtime of services. Extended service disruptions can have significant operational and financial repercussions.

• Geographical Spread:

• Scope of Impact: Determine the geographical scope of the incident, especially if it affects more than two Member States. Incidents with a broader geographical impact may require coordinated responses across multiple jurisdictions.

• Data Losses:

• Data Integrity, Confidentiality, and Availability: Assess any data losses in terms of integrity (accuracy and completeness), confidentiality (unauthorized access), or availability (accessibility of data). Data breaches and losses can severely compromise an entity’s operations and compliance with data protection regulations.

• System Impact Severity:

• System Disruption: Evaluate the severity of the incident's impact on the entity’s ICT systems. This includes assessing the extent of system malfunctions, failures, or cyber-attacks.

• Service Criticality:

• Critical Services: Assess the importance of the affected services, including the entity's transactions and operations. Disruption of critical services can have cascading effects on the entity’s overall performance.

• Economic Impact:

• Financial Losses: Measure the economic impact of the incident in both absolute and relative terms. This includes direct financial losses, costs associated with incident response and recovery, and potential long-term economic effects.

Development Of Regulatory Technical Standards

To ensure a harmonized approach to ICT-related incident management, the European Supervisory Authorities (ESAs), through the Joint Committee and in consultation with the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA), will develop common draft regulatory technical standards. These standards will specify the criteria and thresholds for classifying incidents and outline procedures for reporting and assessment.

• Role of ESAs and Joint Committee:

• Drafting Standards: The ESAs, through the Joint Committee, will collaborate with the ECB and ENISA to develop detailed criteria for incident classification and reporting.

• Consultation: The drafting process will involve consultations with relevant stakeholders to ensure the standards are comprehensive and effective.

• Detailed Criteria and Thresholds:

• Materiality Thresholds: Define materiality thresholds for identifying major ICT-related incidents that must be reported under Article 17(1). These thresholds will help in distinguishing between minor and significant incidents, ensuring appropriate responses.

• Incident Reporting: Outline the procedures for reporting incidents to competent authorities. This includes specifying the information required in incident reports to facilitate timely and accurate reporting.

• Assessment Criteria for Authorities:

• Jurisdictional Relevance: Develop criteria for competent authorities to assess the relevance of major ICT-related incidents to other Member States’ jurisdictions. This ensures coordinated and effective responses across different regions.

• Incident Report Sharing: Specify the details of incident reports to be shared with other competent authorities as per points (5) and (6) of Article 17. This promotes transparency and collaboration among regulatory bodies.

• Consideration of International Standards:

• Global Best Practices: When developing these standards, the ESAs will consider international standards and specifications developed by ENISA. This includes standards from other economic sectors to ensure alignment with global best practices.

• Sector-Specific Standards: Incorporate relevant standards from different sectors to address the unique challenges faced by financial entities.

• Submission to the Commission:

• Timeline: The ESAs will submit the draft regulatory technical standards to the Commission by [insert date 1 year after the entry into force]. This timeline ensures timely implementation of the standards.

Delegated Power To The Commission

The Commission is empowered to supplement this regulation by adopting the regulatory technical standards referred to in paragraph 2. This delegation of power ensures that the standards are legally binding and enforceable, promoting uniformity across the financial sector. The adoption process will follow the procedures outlined in Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010, respectively.

The classification and regulation of ICT-related incidents are crucial for maintaining the resilience and stability of financial entities. By establishing clear criteria for incident classification and developing harmonized regulatory technical standards, financial entities can enhance their ability to manage and mitigate ICT risks. The collaborative efforts of the ESAs, ECB, and ENISA, combined with the Commission's delegated powers, ensure a robust and coordinated approach to ICT incident management across the European financial sector.