0004013
JC 2024 34, Final Report Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554
European Banking Authority
Regulatory Directive or Guidance
Free
Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents
JC 2024 34, Final Report Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554
2024-07-17
The document as a whole was last reviewed and released on 2024-12-09T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within JC 2024 34, Final Report Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for JC 2024 34, Final Report Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Regulation (EU) 2022/2554 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), in its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS
---|---|---
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain a financial management program. CC ID 13228 | Establish/Maintain Documentation | Preventive
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive
Include corrective actions taken in the capital restoration plan. CC ID 16612 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Establish/Maintain Documentation | Preventive
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive
Include financial statements in the financial report, as necessary. CC ID 14775 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8.] | Establish/Maintain Documentation | Preventive
Include capital deductions and adjustments in the financial statement. CC ID 16667 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. 8. Financial entities should include adjustments on the costs and losses of an estimation that it submitted for a previous year in the estimation of the relevant reference year in which the adjustments are made. 9.] | Establish/Maintain Documentation | Preventive
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive

Common Control | TYPE | CLASS
---|---|---
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and any incident for which the financial entity submitted in previous reference years a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 that had a quantifiable financial impact on the financial entity in the relevant reference year. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c) {be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8. Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year.] | Actionable Reports or Measurements | Detective

Common Control | TYPE | CLASS
---|---|---
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone
Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive
Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and 6. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and for which the financial entity has submitted a final report in accordance with Article 19(4)(c) Regulation (EU) 2022/2554 in the relevant reference year, or 6. (a)] | Establish/Maintain Documentation | Preventive
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Establish/Maintain Documentation | Preventive
Include a definition of affected parties in the incident criteria. CC ID 17179 | Establish/Maintain Documentation | Preventive
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Establish/Maintain Documentation | Preventive
Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c)] | Process or Activity | Detective
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive
Create an incident response report. CC ID 12700 | Establish/Maintain Documentation | Preventive
Include the incident reference code in the incident response report. CC ID 17297 [Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year. For each item under paragraph 6 and 9 that is included in the estimation of the reference year, financial entities should use the same incident reference codes provided by the financial entity as the ones : | Establish/Maintain Documentation | Preventive
Include costs associated with the incident in the incident response report. CC ID 12725 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Establish/Maintain Documentation | Preventive
Include losses due to the incident in the incident response report. CC ID 12724 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Establish/Maintain Documentation | Preventive
Include recovery measures in the incident response report. CC ID 17299 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: for each major ICT-related incident, financial entities should also estimate the financial recoveries as specified in Annex II to Commission Implementing Regulation [insert OJ given number once published for ITS on incident reporting]; 7. (b)] | Establish/Maintain Documentation | Preventive
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Common Control | IMPACT ZONE | CLASS
---|---|---
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and any incident for which the financial entity submitted in previous reference years a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 that had a quantifiable financial impact on the financial entity in the relevant reference year. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c) {be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8. Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year.] | Monitoring and measurement | Detective

Common Control | IMPACT ZONE | CLASS
---|---|---
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 [Financial entities should estimate the aggregated annual costs and losses by applying the follow sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major class="term_primary-noun">ICT-related incidents. 7. (c) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were ry-noun">="background-color:#F0BBBC;" class="term_primary-noun">class="term_secondary-verb">included in the ;" class="term_primary-noun">r:#B2E2E3;" class="term_secondary-noun">aggregation. 10.] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their -noun">:#F0BBBC;" class="term_prackground-color:#CBD0E5;" class="term_secondary-verb">imary-noun">financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8.] | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also _primary-verb">include accounting provisions that are reflected in their term_pr Financial entities should include adjustments on the costs and losses of an estimation that it submitted for a previous ss="term_secondary-verb">m_secondary-noun">year in the estimation of the relevant reference year in which the adjustments are made. 9.] | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, wekground-color:#F0BBBC;" class="term_primary-noun">re tyle="background-color:#B7D8ED;" class="term_primary-verb">classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and 6. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and for which the financial entity has submitted a final report in accordance with Article 19(4)(c) Regulation (EU) 2022/2554 in the relevant reference year, or 6. (a)] | Operational management | Preventive | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Preventive | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Preventive | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Preventive | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive | |
Create an incident response report. CC ID 12700 | Operational management | Preventive | |
Include the incident reference code in the incident response report. CC ID 17297 [Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year. For each item under paragraph 6 and 9 that is included in the estimation of the reference year, financial entities should use the same incident reference codes provided by the financial entity as the ones] | Operational management | Preventive | |
Include costs associated with the incident in the incident response report. CC ID 12725 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Operational management | Preventive | |
Include losses due to the incident in the incident response report. CC ID 12724 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Operational management | Preventive | |
Include recovery measures in the incident response report. CC ID 17299 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: for each major ICT-related incident, financial entities should also estimate the financial recoveries as specified in Annex II to Commission Implementing Regulation [insert OJ given number once published for ITS on incident reporting]; 7. (b)] | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c)] | Operational management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and any incident for which the financial entity submitted in previous reference years a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 that had a quantifiable financial impact on the financial entity in the relevant reference year. 6. (b) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c) {be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8. Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year.] | Monitoring and measurement | Actionable Reports or Measurements | |
Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c)] | Operational management | Process or Activity |
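The rows above quote the estimation procedure of paragraphs 5 to 10 of the Guidelines piecemeal: scope the incidents to the reference year (paragraphs 5 and 6), estimate gross costs and losses per incident (7(a)), estimate financial recoveries per incident (7(b)), aggregate across incidents (7(c)), book corrections to earlier estimates in the year they are made (9), and keep a per-incident breakdown under the same incident reference codes (10 and 11). The following is an added illustration of those steps as a data-processing pipeline; it is not code from the Guidelines, the ESAs or the UCF mapping. The cost-type keys, the `MajorIncident` and `Adjustment` records, the incident codes and all figures are constructed for the example; the Annex template fields and the exact cost categories of Article 7(1) and (2) of the RTS are not reproduced.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

# Added illustration of paragraphs 5 to 10 of the Guidelines. Every name and
# figure below is constructed; the cost-type keys merely stand in for the
# categories of Article 7(1) and (2) of the RTS on incident classification.

ZERO = Decimal("0")


@dataclass
class MajorIncident:
    reference_code: str                  # same code as in the Article 19 incident reports (para. 11)
    final_report_date: date              # submission date of the Article 19(4)(c) final report
    gross: dict[str, Decimal] = field(default_factory=dict)  # gross costs/losses by type, this year
    recoveries: Decimal = ZERO           # financial recoveries received this year (para. 7(b))
    from_other_data: bool = False        # True when no accurate P&L data existed (para. 8)


@dataclass
class Adjustment:
    reference_code: str                  # incident whose earlier-year estimate is corrected
    made_on: date                        # booking date: decides the reference year (para. 9)
    delta_gross: Decimal
    delta_recoveries: Decimal = ZERO


def in_window(d: date, start: date, end: date) -> bool:
    return start <= d <= end


def select_incidents(incidents, start, end):
    """Paragraphs 5 and 6: keep incidents with a final report in the reference
    year (6(a)) or, for earlier final reports, a quantifiable impact in it (6(b));
    anything reported after the year is out of scope (para. 5)."""
    chosen = []
    for inc in incidents:
        if inc.final_report_date > end:
            continue
        if in_window(inc.final_report_date, start, end):
            chosen.append(inc)                                        # 6(a)
        elif sum(inc.gross.values(), ZERO) != ZERO or inc.recoveries != ZERO:
            chosen.append(inc)                                        # 6(b)
    return chosen


def estimate(incidents, adjustments, start, end):
    """Paragraph 7 steps (a) to (c) plus paragraph 9 adjustments; the result
    carries the per-incident breakdown that paragraph 10 asks for. Gross
    figures and recoveries are kept apart, never netted."""
    breakdown = {}
    for inc in select_incidents(incidents, start, end):
        breakdown[inc.reference_code] = {
            "gross": sum(inc.gross.values(), ZERO),                   # 7(a)
            "recoveries": inc.recoveries,                             # 7(b)
            "from_other_data": inc.from_other_data,
        }
    adj_gross = adj_rec = ZERO
    for adj in adjustments:
        if not in_window(adj.made_on, start, end):                   # para. 9: year the adjustment is made
            continue
        row = breakdown.setdefault(adj.reference_code,
                                   {"gross": ZERO, "recoveries": ZERO, "from_other_data": False})
        row["adjustment_gross"] = row.get("adjustment_gross", ZERO) + adj.delta_gross
        row["adjustment_recoveries"] = row.get("adjustment_recoveries", ZERO) + adj.delta_recoveries
        adj_gross += adj.delta_gross
        adj_rec += adj.delta_recoveries
    return {
        "gross": sum((r["gross"] for r in breakdown.values()), ZERO),          # 7(c)
        "recoveries": sum((r["recoveries"] for r in breakdown.values()), ZERO),
        "adjustments_gross": adj_gross,
        "adjustments_recoveries": adj_rec,
        "breakdown": breakdown,
    }


def sample_estimate():
    """Constructed data for an entity that chose the calendar year 2024."""
    start, end = date(2024, 1, 1), date(2024, 12, 31)
    incidents = [
        MajorIncident("INC-2024-001", date(2024, 3, 10),
                      {"staff": Decimal("120000"), "redress": Decimal("50000")},
                      recoveries=Decimal("30000")),
        # final report filed in 2023, but advisory fees still booked in 2024 -> 6(b)
        MajorIncident("INC-2023-017", date(2023, 11, 20), {"advisory": Decimal("15000")},
                      from_other_data=True),
        # final report filed in 2023, nothing booked in 2024 -> excluded
        MajorIncident("INC-2023-004", date(2023, 6, 1)),
        # final report filed in 2025 -> belongs to the next reference year (para. 5)
        MajorIncident("INC-2025-002", date(2025, 1, 15), {"staff": Decimal("9000")}),
    ]
    # the 2023 estimate for INC-2023-017 was overstated; correction booked in 2024 (para. 9)
    adjustments = [Adjustment("INC-2023-017", date(2024, 5, 2), Decimal("-5000"))]
    return estimate(incidents, adjustments, start, end)


if __name__ == "__main__":
    result = sample_estimate()
    for code, row in result["breakdown"].items():
        print(code, row)
    print({k: v for k, v in result.items() if k != "breakdown"})
```

Two design points follow directly from the quoted text. Gross costs and losses and financial recoveries are carried as separate figures per incident and never netted, because paragraph 10 requires the breakdown of both in the report; a single net number per incident could not be reconciled against the Article 19 final report. Adjustments are filtered on the date they were made, not on the year of the incident they correct, which is what paragraph 9 prescribes, and they stay attached to the original incident reference code so that paragraph 11 is satisfied. Monetary values use `Decimal` rather than floating point so that the aggregate reconciles exactly with the profit and loss figures it is drawn from.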
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: financial entities should aggregate the gross costs and losses and the financial recoveries across major ICT-related incidents. 7. (c) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include financial statements in the financial report, as necessary. CC ID 14775 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. Where accurate data is not available, financial entities should base their estimation on other available data and information to the extent possible. 8.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 [{be available} As basis for the estimations, financial entities should refer to the costs, losses and financial recoveries that are reflected in their financial statements such as the profit and loss account, or where applicable in their supervisory reporting, of the relevant reference year. In their estimation, financial entities should also include accounting provisions that are reflected in their financial statements such as the profit and loss account of the relevant reference year. 8. Financial entities should include adjustments on the costs and losses of an estimation that it submitted for a previous year in the estimation of the relevant reference year in which the adjustments are made. 9.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
Include the criteria for an incident in the Incident Management program. CC ID 12173 [{major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and 6. {major incident} Financial entities should include in the estimation all ICT-related incidents that, irrespective of the reason, were classified as major in accordance with Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification] on incident classification and for which the financial entity has submitted a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 in the relevant reference year, or 6. (a)] | Operational management | Establish/Maintain Documentation | |
Include a definition of affected transactions in the incident criteria. CC ID 17180 | Operational management | Establish/Maintain Documentation | |
Include a definition of affected parties in the incident criteria. CC ID 17179 | Operational management | Establish/Maintain Documentation | |
Include incident monitoring procedures in the Incident Management program. CC ID 01207 | Operational management | Establish/Maintain Documentation | |
Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include the incident reference code in the incident response report. CC ID 17297 [Financial entities should use the template in the Annex to submit to the competent authority the estimation of their aggregated annual costs and losses for the reference year. For each item under paragraph 6 and 9 that is included in the estimation of the reference year, financial entities should use the same incident reference codes provided by the financial entity as the ones] | Operational management | Establish/Maintain Documentation | |
Include costs associated with the incident in the incident response report. CC ID 12725 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Operational management | Establish/Maintain Documentation | |
Include losses due to the incident in the incident response report. CC ID 12724 [Financial entities should estimate the aggregate annual costs and losses of major ICT-related incidents by aggregating the costs and losses for major ICT-related incidents that fall within the reference year for which the competent authority requested the estimation. The financial entity may choose whether the reference year should correspond to either the completed calendar year, or to the completed accounting year of the financial entity for which the financial entity has finalised its financial statements. Once a financial entity has decided whether it will provide the estimation based on the calendar year or its accounting year, such a decision should be applied to future estimations of aggregated annual costs and losses. The financial entity may change that decision by notifying the competent authority, and provided that the competent authority does not object within two months of receiving the notification. Financial entities should not include costs and losses related to those incidents that fall before or after that reference year. 5. Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: estimate the costs and losses of each major ICT-related incident as referred to in paragraph 6 individually. Those estimations should produce the gross costs and losses taking into account the types of costs and losses as set out in Article 7(1) and (2) of the Commission Delegated Regulation [insert OJ given number once published for RTS on incident classification]; 7. (a) Financial entities should include in the report of their estimation of the aggregated annual costs and losses also the breakdown of gross costs and losses and of financial recoveries for each major ICT-related incident that were included in the aggregation. 10.] | Operational management | Establish/Maintain Documentation | |
Include recovery measures in the incident response report. CC ID 17299 [Financial entities should estimate the aggregated annual costs and losses by applying the following sequential steps: for each major ICT-related incident, financial entities should also estimate the financial recoveries as specified in Annex II to Commission Implementing Regulation [insert OJ given number once published for ITS on incident reporting]; 7. (b)] | Operational management | Establish/Maintain Documentation |