Incident Classification

The incident is classified as major if it has impacted critical services and if either of the following conditions is met:

  • There has been any successful, malicious and unauthorised access to network and information systems, not covered by Article 9(5-a), Delegated Regulation (EU) 2024/1772*, and that access may result in data losses (Article 9(5-b), Delegated Regulation (EU) 2024/1772)
  • Two or more of the materiality thresholds outlined in additional criteria (Articles 9(1)-(6), Delegated Regulation (EU) 2024/1772) are met

*See the first bullet point under data losses.

(Article 6, Delegated Regulation (EU) 2024/1772)

To determine the criticality of the services, financial entities should assess whether the incident:

  • impacts or has impacted ICT services or network and information systems that support critical or important functions
  • impacts or has impacted financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities
  • constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems

There are six additional criteria.

(Article 2, Delegated Regulation (EU) 2024/1772)

At least one of the following criteria has to be met:

  • You are unable or unlikely to meet regulatory requirements as a result of the incident
  • You are likely going to lose clients as a result of the incident which could have a material impact on your business
  • The incident has been in the media
  • The incident has resulted in repetitive complaints about your services by different clients or industry peers

(Article 3, Delegated Regulation (EU) 2024/1772)

The materiality threshold for this criterion will be met when (Article 9(3), Delegated Regulation (EU) 2024/1772):

  • The incident duration exceeds 24 hours; or
  • The critical service or function is down for more than 2 hours

Incident duration is measured from when the incident occurs until the moment the incident has been resolved. If you don’t know exactly when the incident occurred, measure the duration from when the incident was detected.

Service downtime is measured from when the service becomes partially or completely unavailable to clients until the service has been fully restored to its pre-incident state.

(Article 4, Delegated Regulation (EU) 2024/1772)

The materiality threshold for geographical spread (Article 9(4), Delegated Regulation (EU) 2024/1772) is met if at least two EU member states are impacted by the incident.

(Article 5, Delegated Regulation (EU) 2024/1772)

The materiality threshold will be met if either of the following occurs (Article 9(5), Delegated Regulation (EU) 2024/1772):

  • If the incident impacts the availability, authenticity, integrity or confidentiality of data in a way that will have or has had a negative impact on the financial entity's business or on the entity's ability to meet regulatory requirements
  • If the incident results in data losses due to unauthorised access to network systems or services

(Article 7, Delegated Regulation (EU) 2024/1772)

The materiality threshold will be met if the incident will incur costs and losses that are anticipated to be greater than €100,000 (Article 9(6), Delegated Regulation (EU) 2024/1772).

6. Clients, financial counterparts and transactions

(Article 1, Delegated Regulation (EU) 2024/1772)

The materiality threshold will be met if any of the following circumstances are satisfied (Article 9(1), Delegated Regulation (EU) 2024/1772):

  • The number of impacted clients using the affected service is >10% of all clients or exceeds 100,000 impacted clients
  • The number of impacted financial counterparts is >30% of all the financial counterparts dependent on the affected service
  • The number or amount of impacted transactions is >10% of your daily average number of transactions or daily average value of transactions* related to the impacted service
  • Clients or financial counterparts which have been identified as relevant in Article 1(3)** have been impacted

*at least one part of the transaction has to have been carried out in the EU
**the number of all affected financial counterparts that have a contractual arrangement with the financial entity


The information on this site is for general information purposes only and is not intended to serve as legal advice. Laws governing the subject matter may change quickly, so Guanciale Technologies Ltd cannot guarantee that all the information on this site is current or correct. Should you have specific legal questions about any of the information on this site, you should consult with a lawyer in your area.