Digital Operational Resilience Act (DORA), Article 16, Classification of ICT-related incidents.
1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
(a) the number of users or financial counterparts affected by the disruption caused by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
(b) the duration of the ICT-related incident, including service downtime;
(c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
(d) the data losses that the ICT-related incident entails, such as integrity loss, confidentiality loss or availability loss;
(e) the severity of the impact of the ICT-related incident on the financial entity’s ICT systems;
(f) the criticality of the services affected, including the financial entity’s transactions and operations;
(g) the economic impact of the ICT-related incident in both absolute and relative terms.
2. The ESAs shall, through the Joint Committee of the ESAs (the ‘Joint Committee’) and after consultation with the European Central Bank (ECB) and ENISA, develop common draft regulatory technical standards further specifying the following:
(a) the criteria set out in paragraph 1, including materiality thresholds for determining major ICT-related incidents which are subject to the reporting obligation laid down in Article 17(1);
(b) the criteria to be applied by competent authorities for the purpose of assessing the relevance of major ICT-related incidents to other Member States’ jurisdictions, and the details of ICT-related incidents reports to be shared with other competent authorities pursuant to points (5) and (6) of Article 17.
3. When developing the common draft regulatory technical standards referred to in paragraph 2, the ESAs shall take into account international standards, as well as specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors.
The ESAs shall submit those common draft regulatory technical standards to the Commission by [PO: insert date 1 year after the date of entry into force].
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 2 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, respectively.