Classification of ICT-Related Incidents under DORA
24th October 2023
In this article within our DORA Series, we examine how financial institutions should categorise ICT-related incidents and assess their impact based on the criteria set out in the legislation. Companies will need to take into account factors such as the number of affected clients, the downtime resulting from the incident, the geographical scope of the incident, data loss, the importance of the affected services, and the economic consequences of the incident. Detailed guidance on these requirements can be found in the draft Regulatory Technical Standards on criteria for classifying ICT-related incidents (the “Draft RTS”), which were published as part of a broader Consultation Paper.
Understanding DORA’s ICT-related incident classification, major incident materiality thresholds, and significant cyber threats
Are You Affected?
In accordance with the proportionality principle established by DORA, the classification criteria and materiality thresholds are designed to be proportionate to the size, overall risk profile, and the nature, scale, and complexity of the services provided by financial institutions. Consequently, the same criteria and thresholds apply uniformly to all financial entities, regardless of their size and risk profile, and are set so that smaller institutions are not burdened with excessive reporting requirements.
However, where an incident affects a substantial number of clients and transactions without exceeding the relative thresholds, it must still be reported if it exceeds the absolute thresholds. This is primarily relevant for larger financial institutions.
What Are Your Responsibilities?
Financial entities must categorize ICT-related incidents and evaluate their impact based on the following criteria:
- The number and relevance of affected clients or financial counterparts, along with the number or value of transactions affected by the ICT-related incident.
- The extent of reputational damage caused by the ICT-related incident.
- The duration of the incident and the resulting service downtime.
- The geographic extent of the areas affected, especially if it spans more than two Member States.
- Data losses incurred, including impacts on data availability, authenticity, integrity, or confidentiality.
- The significance of the affected services, including financial entity transactions and operations.
- The economic ramifications of the ICT-related incident in both absolute and relative terms, including direct and indirect costs and losses.
DORA is more than a set of regulations; it stands as a cornerstone for ensuring the future resilience of the financial sector. Embracing these standards and maintaining constant vigilance is not just a means for financial institutions to shield themselves but also a way to actively participate in the collective pursuit of a secure and robust digital financial ecosystem. As DORA continues to mold the financial landscape, it is imperative to stay informed and proactive. We strongly recommend initiating internal project work without delay to ensure timely compliance and fortify the foundation of financial resilience.
How Zeidler Group can help
If you have any questions or require support, the Zeidler team is here to help. Get in touch with our team of legal and regulatory professionals to remain up to date on the latest legal, regulatory, ESG, and compliance changes affecting the asset management industry.