Quadprime


Understanding the New EU Criteria for Classifying Cyber Threats under DORA

On 13 March 2024, the European Commission adopted new Regulatory Technical Standards (RTS) supplementing the DORA Regulation (EU) 2022/2554. The RTS specify the criteria for classifying ICT-related incidents and cyber threats, set out materiality thresholds and identify the details to be included in reports of major incidents.

The purpose of the RTS is threefold and involves setting the criteria:

• To classify and pinpoint the impact of ICT-related incidents, including materiality thresholds for determining major ICT-related incidents that are subject to the reporting obligations laid down in Article 19(1) of DORA.
• To be applied by competent authorities when assessing whether a major ICT-related incident is relevant to competent authorities in other Member States, and to determine which details of major ICT-related incident reports are to be shared with those authorities.
• To classify cyber threats as significant, including high materiality thresholds.

The RTS aims to support DORA’s objective to harmonise and streamline the ICT-related incident reporting regime for all Financial Entities (FEs) in the EU. To that end, DORA has introduced consistent requirements for FEs on management, classification and reporting of ICT-related incidents.

Where an incident also constitutes a personal data breach under the GDPR (Regulation (EU) 2016/679), the RTS leaves the GDPR recording and notification obligations for personal data breaches unaffected, in the same way as the existing NIS Directive does for providers of essential services and critical infrastructure.

Unlike the complex classification and thresholds process of NIS, this RTS for DORA defines seven different categories/criteria:

1. Clients, financial counterparts and transactions, i.e. the number of clients, financial counterparts and transactions affected by the incident.
2. Reputational impact when at least one of the following criteria is met:
• The incident has been reflected in the media.
• The incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships.
• The FE will be, or is likely to be, unable to meet its regulatory requirements.
• The FE will or is likely to lose clients or financial counterparts with a material impact on its business.
3. Duration and service downtime in terms of the duration of an incident from the moment the incident occurs until the moment it is resolved. Network or system logs or other data sources will be required to provide such information.
4. Geographical spread, i.e. whether the incident has or had an impact in other Member States: clients and financial counterparts, branches or other FEs within the group carrying out activities in other Member States, or financial market infrastructures or third-party providers which may affect FEs in other Member States to which they provide services.
5. Data loss in relation to the availability, integrity and confidentiality of data.
6. Criticality of services affected in relation to the impact of the incident on ICT services or network and information systems that support critical or important functions of the FE.
7. Economic impact in relation to the direct and indirect costs and losses that the FE has incurred as a result of the incident. This includes financial assets for which the FE is liable, assets lost to theft, costs for replacement or relocation of software, hardware or infrastructure, staff costs, etc.

Chapter II of the RTS sets out the actual thresholds for major incidents. An incident shall be considered “major” under the DORA Regulation when it has affected critical services and, in addition, either the FE has sustained data losses (i.e. successful, malicious and unauthorised access to its network and information systems has occurred) or two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met.

Recurring incidents are incidents that have occurred at least twice within 6 months and have the same apparent root cause, as referred to in Article 20(b) of DORA. FEs shall assess the existence of recurring incidents on a monthly basis.

Article 9 of the RTS sets additional materiality thresholds for 4 out of the 7 criteria, i.e. ‘clients, financial counterparts and transactions’, ‘duration and service downtime’, ‘data losses’ and ‘economic impact’.

The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ specifies thresholds such as the number of affected clients, the number of affected financial counterparts, and the number of affected transactions, among others.

The materiality threshold for ‘duration and service downtime’ specifies conditions in relation to specific durations, i.e. the duration of the incident is longer than 24 hours, the service downtime is longer than 2 hours for ICT services that support critical or important functions, etc.

The materiality threshold for the criterion ‘data losses’ is met where any impact on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the FE or on its ability to meet regulatory requirements, and any successful, malicious and unauthorised access occurs to network and information systems, where such access may result in data losses as mentioned above.

The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the FE due to the incident have exceeded or are likely to exceed 100 000 euro.

The last chapter of the RTS deals with significant cyber threats and sets out the high materiality thresholds for determining whether a cyber threat is significant:

a) The cyber threat, if materialised, could affect critical or important functions of the FE, or could affect other FEs, third party providers, and/or clients.
b) The cyber threat has a high probability of occurring, taking into account the applicable risks, vulnerabilities related to the cyber threat, and the capabilities and intent of threat actors, or the persistence of the threat and any intelligence about incidents that have impacted the FE or its third-party provider, clients or financial counterparts.
c) The cyber threat could, if materialised, meet any criterion or thresholds regarding criticality of services, geographical spread, duration, or other materiality thresholds set out in Article 9.
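To make the classification logic described above concrete, the following is an added example (not part of the original article and not Quadprime's or the RTS's own tooling) that encodes the major-incident rule from Chapter II, the recurring-incident check and the three significant-threat conditions as plain Python functions, then runs them over constructed sample incidents. Only the thresholds the article quotes are used (24 hours, 2 hours of critical-service downtime, EUR 100 000); the numeric client threshold, the 183-day approximation of "6 months", the reading that critical-service impact is a gate combined with either malicious access or two other thresholds, and the reading that all three threat conditions must hold together are assumptions of the example, marked as such in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Thresholds the article quotes from Article 9 of the RTS.
MAX_DURATION = timedelta(hours=24)          # incident lasts longer than 24 hours
MAX_CRITICAL_DOWNTIME = timedelta(hours=2)  # >2 h downtime of services supporting critical/important functions
ECONOMIC_IMPACT_EUR = 100_000               # costs and losses exceed (or are likely to exceed) EUR 100 000
RECURRENCE_WINDOW = timedelta(days=183)     # "within 6 months", approximated as 183 days (assumption)
# The article gives no number for the client threshold; this value is a hypothetical placeholder.
CLIENTS_AFFECTED_PLACEHOLDER = 1_000


@dataclass
class Incident:
    incident_id: str
    root_cause: str
    started_at: datetime
    resolved_at: datetime
    critical_services_affected: bool      # criterion 6: services supporting critical/important functions
    malicious_unauthorised_access: bool   # successful, malicious and unauthorised access to network/information systems
    data_loss_adverse_impact: bool        # CIA/authenticity impact harms business objectives or regulatory compliance
    critical_service_downtime: timedelta
    clients_affected: int
    reputational_impact: bool             # criterion 2: media coverage, repeated complaints, etc.
    other_member_states_affected: bool    # criterion 4: geographical spread
    estimated_cost_eur: float             # criterion 7: direct and indirect costs, incurred or likely


def other_thresholds_met(inc: Incident) -> set:
    """Article 9 thresholds other than criticality of services, as the article describes them."""
    met = set()
    if inc.clients_affected > CLIENTS_AFFECTED_PLACEHOLDER:
        met.add("clients_counterparts_transactions")
    if inc.reputational_impact:
        met.add("reputational_impact")
    if (inc.resolved_at - inc.started_at) > MAX_DURATION or (
        inc.critical_services_affected and inc.critical_service_downtime > MAX_CRITICAL_DOWNTIME
    ):
        met.add("duration_and_downtime")
    if inc.other_member_states_affected:
        met.add("geographical_spread")
    if inc.data_loss_adverse_impact or inc.malicious_unauthorised_access:
        met.add("data_losses")
    if inc.estimated_cost_eur > ECONOMIC_IMPACT_EUR:
        met.add("economic_impact")
    return met


def is_major(inc: Incident) -> bool:
    """Major: critical services affected AND (malicious unauthorised access OR >= 2 other thresholds met).
    The critical-services gate is the reading adopted in this example."""
    if not inc.critical_services_affected:
        return False
    return inc.malicious_unauthorised_access or len(other_thresholds_met(inc)) >= 2


def recurring_root_causes(incidents: Iterable[Incident]) -> set:
    """Root causes behind at least two incidents that started within RECURRENCE_WINDOW of each other."""
    by_cause = {}
    for inc in incidents:
        by_cause.setdefault(inc.root_cause, []).append(inc.started_at)
    recurring = set()
    for cause, starts in by_cause.items():
        starts.sort()
        if any(later - earlier <= RECURRENCE_WINDOW for earlier, later in zip(starts, starts[1:])):
            recurring.add(cause)
    return recurring


@dataclass
class CyberThreat:
    name: str
    could_affect_critical_functions: bool  # (a) incl. other FEs, third-party providers or clients
    high_probability: bool                 # (b) risks, vulnerabilities, actor capability/intent, persistence, intel
    could_meet_article9_threshold: bool    # (c) criticality, geographical spread, duration, other thresholds


def is_significant_threat(t: CyberThreat) -> bool:
    """All three conditions must hold (reading adopted in this example)."""
    return t.could_affect_critical_functions and t.high_probability and t.could_meet_article9_threshold


# Constructed sample data (not real incidents or threats).
T0 = datetime(2024, 6, 1, 8, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "expired-tls-cert", T0, T0 + timedelta(hours=3),
             critical_services_affected=True, malicious_unauthorised_access=False,
             data_loss_adverse_impact=False, critical_service_downtime=timedelta(hours=3),
             clients_affected=50, reputational_impact=False,
             other_member_states_affected=False, estimated_cost_eur=5_000),
    Incident("INC-002", "expired-tls-cert", T0 + timedelta(days=40), T0 + timedelta(days=40, hours=30),
             critical_services_affected=True, malicious_unauthorised_access=False,
             data_loss_adverse_impact=False, critical_service_downtime=timedelta(hours=30),
             clients_affected=50, reputational_impact=True,
             other_member_states_affected=False, estimated_cost_eur=20_000),
    Incident("INC-003", "phishing-credential-theft", T0 + timedelta(days=200), T0 + timedelta(days=200, hours=1),
             critical_services_affected=False, malicious_unauthorised_access=True,
             data_loss_adverse_impact=True, critical_service_downtime=timedelta(0),
             clients_affected=0, reputational_impact=False,
             other_member_states_affected=True, estimated_cost_eur=150_000),
]
SAMPLE_THREAT = CyberThreat("constructed threat affecting an online banking service", True, True, True)

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, "major" if is_major(inc) else "not major", sorted(other_thresholds_met(inc)))
    print("recurring root causes:", recurring_root_causes(SAMPLE_INCIDENTS))
    print("significant threat:", is_significant_threat(SAMPLE_THREAT))
```

The three samples illustrate the shape of the rule: INC-001 hits only the downtime threshold and stays below "major"; INC-002 meets two other thresholds (duration and reputational impact) on top of the critical-service impact and is major; INC-003 meets three thresholds but does not touch critical services, so under the gate as read here it is not major, while its sibling INC-002 shares a root cause with INC-001 inside the 6-month window and is flagged as recurring.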

This shift towards potential impact allows for a more proactive approach to incident response. By identifying threats with the potential to cause significant disruption, FEs can now take steps to mitigate the impact before it occurs.

How can Quadprime help you?

Quadprime offers customised DORA implementation services, empowering organisations to build robust Digital Operational Resilience frameworks that meet supervisory authority requirements and enhance risk and threat analysis and mitigation.

Contact us today to discuss your DORA compliance needs.
