0003976
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
European Union
Regulations
Free
RTS specifying the criteria for classification of ICT-related incidents
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
0003976
Free
European Union
Regulations
RTS specifying the criteria for classification of ICT-related incidents
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and Risk Management | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and Risk Management | Preventive | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Process or Activity | Detective | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Process or Activity | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Process or Activity | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Process or Activity | Detective | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Process or Activity | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Technical Security | Detective | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Business Processes | Preventive | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Business Processes | Preventive | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Technical Security | Preventive | |
| Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the _primary-noun">capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Process or Activity | Detective | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Establish/Maintain Documentation | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Establish/Maintain Documentation | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Process or Activity | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Process or Activity | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Process or Activity | Detective | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Monitor and Evaluate Occurrences | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Monitor and Evaluate Occurrences | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Monitor and Evaluate Occurrences | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Monitor and Evaluate Occurrences | Corrective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Process or Activity | Corrective | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Technical Security | Corrective | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Establish/Maintain Documentation | Preventive | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Testing | Corrective | |
| Redact restricted data before sharing incident information. CC ID 16994 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Communicate | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Communicate | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Establish/Maintain Documentation | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Communicate | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Communicate | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Establish/Maintain Documentation | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Communicate | Preventive | |
| Revoke the written request to delay the notification. CC ID 16843 | Process or Activity | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Establish/Maintain Documentation | Corrective | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Business Processes | Preventive | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Actionable Reports or Measurements | Preventive | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Establish/Maintain Documentation | Preventive | |
| Include the incident classification criteria in incident response notifications. CC ID 17293 | Establish/Maintain Documentation | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Establish/Maintain Documentation | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Establish/Maintain Documentation | Preventive | |
| Include the incident reference code in incident response notifications. CC ID 17292 | Establish/Maintain Documentation | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Establish/Maintain Documentation | Preventive | |
| Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Establish/Maintain Documentation | Preventive | |
| Include costs associated with the incident in incident response notifications. CC ID 17300 | Establish/Maintain Documentation | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Establish/Maintain Documentation | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Communicate | Corrective | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Business Processes | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Communicate | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Process or Activity | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Process or Activity | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Establish/Maintain Documentation | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Communicate | Corrective | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Establish/Maintain Documentation | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Establish/Maintain Documentation | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Establish/Maintain Documentation | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Data and Information Management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Data and Information Management | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and risk management | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Monitoring and measurement | Preventive | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Preventive | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Corrective | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Preventive | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Preventive | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Preventive | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Preventive | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Corrective | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Preventive | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Corrective | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Preventive | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Preventive | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Preventive | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Preventive | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Preventive | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Preventive | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Preventive | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Preventive | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Preventive | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Corrective | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Preventive | |
| Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Preventive | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Preventive | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Preventive | |
| Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Preventive | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Preventive | |
| Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Preventive | |
| Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Preventive | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Preventive | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Preventive | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Preventive | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Preventive | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Corrective | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Detective | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Detective | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Corrective | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the _primary-noun">capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Monitoring and measurement | Detective | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Detective | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Preventive | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Operational management | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Detective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Detective | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Corrective | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Preventive | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Preventive | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Monitoring and measurement | Detective | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Corrective | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Corrective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Monitor and Evaluate Occurrences | |
| Escalate incidents, as necessary. CC ID 14861 | Operational management | Monitor and Evaluate Occurrences | |
| Include support from law enforcement authorities when conducting incident response activities, as necessary. CC ID 13197 | Operational management | Process or Activity | |
| Wipe data and memory after an incident has been detected. CC ID 16850 | Operational management | Technical Security | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Testing | |
| Establish, implement, and maintain incident response notifications. CC ID 12975 | Operational management | Establish/Maintain Documentation | |
| Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 | Operational management | Communicate | |
| Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 | Operational management | Business Processes | |
| Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 | Operational management | Communicate | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Identify and document security vulnerabilities. CC ID 11857 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Monitoring and measurement | Technical Security | |
| Evaluate cyber threat intelligence. CC ID 12747 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the _primary-noun">capabilities and intent of threat actors to the extent known by the financial entity; Article 10 ¶ 1(b)(ii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Monitoring and measurement | Process or Activity | |
| Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 | Audits and risk management | Process or Activity | |
| Assess the potential level of business impact risk associated with individuals. CC ID 17170 | Audits and risk management | Process or Activity | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
| Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 | Audits and risk management | Process or Activity | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 | Audits and risk management | Process or Activity | |
| Determine the cost of the incident when assessing security incidents. CC ID 17188 [Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts. Article 7 3. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1. Article 7 4.] | Operational management | Process or Activity | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Process or Activity | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Process or Activity | |
| Require personnel to monitor for and report known or suspected compromise of assets. CC ID 16453 | Operational management | Monitor and Evaluate Occurrences | |
| Require personnel to monitor for and report suspicious account activity. CC ID 16462 | Operational management | Monitor and Evaluate Occurrences | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 [Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 9 1. ¶ 2] | Monitoring and measurement | Business Processes | |
| Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
| Provide intelligence support to the organization, as necessary. CC ID 14020 | Monitoring and measurement | Business Processes | |
| Establish, implement, and maintain cyber threat intelligence tools. CC ID 12696 | Monitoring and measurement | Technical Security | |
| Address past incidents in the risk assessment program. CC ID 12743 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: the persistence of the threat and any accrued knowledge about incidents that have impacted the financial entity or its third-party provider, clients or financial counterparts; Article 10 ¶ 1(b)(iii)] | Audits and risk management | Audits and Risk Management | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: applicable risks related to the cyber threat referred to in point (a), including potential vulnerabilities of the systems of the financial entity that can be exploited; Article 10 ¶ 1(b)(i)] | Audits and risk management | Audits and Risk Management | |
| Approve the risk acceptance level, as necessary. CC ID 17168 | Audits and risk management | Process or Activity | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document the criteria to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Establish/Maintain Documentation | |
| Include the investigation methodology in the forensic investigation report. CC ID 17071 | Operational management | Establish/Maintain Documentation | |
| Include corrective actions in the forensic investigation report. CC ID 17070 | Operational management | Establish/Maintain Documentation | |
| Include the investigation results in the forensic investigation report. CC ID 17069 | Operational management | Establish/Maintain Documentation | |
| Redact restricted data before sharing incident information. CC ID 16994 | Operational management | Data and Information Management | |
| Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 | Operational management | Communicate | |
| Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 | Operational management | Communicate | |
| Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 | Operational management | Establish/Maintain Documentation | |
| Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 | Operational management | Communicate | |
| Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 | Operational management | Communicate | |
| Include required information in the written request to delay the notification to affected parties. CC ID 16785 | Operational management | Establish/Maintain Documentation | |
| Submit written requests to delay the notification of affected parties. CC ID 16783 | Operational management | Communicate | |
| Revoke the written request to delay the notification. CC ID 16843 | Operational management | Process or Activity | |
| Refrain from charging for providing incident response notifications. CC ID 13876 | Operational management | Business Processes | |
| Refrain from including restricted information in the incident response notification. CC ID 16806 | Operational management | Actionable Reports or Measurements | |
| Include the affected parties rights in the incident response notification. CC ID 16811 | Operational management | Establish/Maintain Documentation | |
| Include the incident classification criteria in incident response notifications. CC ID 17293 | Operational management | Establish/Maintain Documentation | |
| Include details of the investigation in incident response notifications. CC ID 12296 | Operational management | Establish/Maintain Documentation | |
| Include the issuer's name in incident response notifications. CC ID 12062 | Operational management | Establish/Maintain Documentation | |
| Include the incident reference code in incident response notifications. CC ID 17292 | Operational management | Establish/Maintain Documentation | |
| Include the identification of the data source in incident response notifications. CC ID 12305 | Operational management | Establish/Maintain Documentation | |
| Include activations of the business continuity plan in incident response notifications. CC ID 17295 | Operational management | Establish/Maintain Documentation | |
| Include costs associated with the incident in incident response notifications. CC ID 17300 | Operational management | Establish/Maintain Documentation | |
| Include the reporting individual's contact information in incident response notifications. CC ID 12297 | Operational management | Establish/Maintain Documentation | |
| Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 | Operational management | Communicate | |
| Post the incident response notification on the organization's website. CC ID 16809 | Operational management | Process or Activity | |
| Document the determination for providing a substitute incident response notification. CC ID 16841 | Operational management | Process or Activity | |
| Include contact information in the substitute incident response notification. CC ID 16776 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a containment strategy. CC ID 13480 | Operational management | Establish/Maintain Documentation | |
| Include the containment approach in the containment strategy. CC ID 13486 | Operational management | Establish/Maintain Documentation | |
| Include response times in the containment strategy. CC ID 13485 | Operational management | Establish/Maintain Documentation | |
| Include a description of the restored data that was restored manually in the restoration log. CC ID 15463 | Operational management | Data and Information Management | |
| Include a description of the restored data in the restoration log. CC ID 15462 | Operational management | Data and Information Management | |