Criteria for Classifying ICT-related Incidents and Cyber Threats and the Procedure for Reporting them by Financial Entities – A European Perspective

Abstract:

Innovations in the field of information and communication technologies set the direction for the creation of various cybersecurity rules. With technological progress, national regulations should be systematically adapted to international standards, in particular to European Union legislation on combating cybercrime and ensuring an adequate level of protection in cyberspace. The cybersecurity of financial institutions, which are considered entities of public trust, is crucial for the stability of legal and economic transactions and for the protection of citizens' rights. Recent changes in EU legislation, such as the introduction of DORA[1] and NIS2[2], have led to the adoption of specific legal standards for the financial sector. The article describes the new obligations of financial entities regarding the classification and reporting of incidents related to information and communication technologies (ICT) following the entry into force of the DORA Regulation. It discusses the definition of an ICT incident, the eight-criteria model for their classification, and the materiality thresholds set out in Implementing Regulation 2024/1772[3]. The author points to the identification of incidents considered serious and to the three-stage model for their reporting procedure. The article also outlines a methodology for classifying incidents, which not only serves a reporting function but is also an important element of ICT risk management and macroprudential supervision.

[1] DORA (Digital Operational Resilience Act) – Regulation on the operational resilience of the digital financial sector, amending Regulation (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, OJ EU No L 333/1 of 27 December 2022. The Regulation will enter into force on 17 January 2025.

[2] NIS2 (Network and Information Systems Directive 2) – Directive (EU) 2022/25555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148, OJ L 333, 27.12.2022, p. 80.

[3] Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for classifying ICT-related incidents and cyber threats, materiality thresholds and detailed information on the reporting of serious incidents, OJ L of 2024, p. 1772.