0003976
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
European Union
Regulations
Free
RTS specifying the criteria for classification of ICT-related incidents
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
0003976
Free
European Union
Regulations
RTS specifying the criteria for classification of ICT-related incidents
Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
2024-03-13
The document as a whole was last reviewed and released on 2024-09-06T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a customer service program. CC ID 00846 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Business Processes | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Establish/Maintain Documentation | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Establish/Maintain Documentation | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Establish/Maintain Documentation | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Categorize the incident following an incident response. CC ID 13208 | Technical Security | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Establish/Maintain Documentation | Preventive | |
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Monitor and Evaluate Occurrences | Corrective | |
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Process or Activity | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Process or Activity | Detective | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Testing | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Monitor and Evaluate Occurrences | Corrective | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Preventive | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Preventive | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Preventive | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Preventive | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Preventive | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Preventive | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Preventive | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Corrective | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Corrective | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Detective | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Detective | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Corrective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Determine the incident severity level when assessing the security incidents. CC ID 01650 [In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency. Article 1 3. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods. Article 1 5. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the criterion regarding criticality of services set out in Article 18(1), point (e), of Regulation (EU) 2022/2554, as specified in Article 6 of this Regulation; Article 10 ¶ 1(c)(i) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: clients and financial counterparts in other Member States; Article 4 ¶ 1(a) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: branches or other financial entities within the group carrying out activities in other Member States; Article 4 ¶ 1(b) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available. Article 4 ¶ 1(c) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers, clients or financial counterparts, based on information available to the financial entity; Article 10 ¶ 1(a) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat has a high probability of materialisation at the financial entity or at other financial entities, taking into account at least the following elements: Article 10 ¶ 1(b)] | Operational management | Monitor and Evaluate Occurrences | |
| Assess all incidents to determine what information was accessed. CC ID 01226 [For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity. Article 6 ¶ 1(c) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities; Article 6 ¶ 1(b) For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident: affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity; Article 6 ¶ 1(a)] | Operational management | Testing | |
| Check the precursors and indicators when assessing the security incidents. CC ID 01761 | Operational management | Monitor and Evaluate Occurrences | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Determine the duration of the incident when assessing security incidents. CC ID 17181 [Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved. Article 3 1. ¶ 1 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources. Article 3 1. ¶ 2 {measure} {duration} Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates. Article 3 1. ¶ 3] | Operational management | Process or Activity | |
| Determine the duration of unscheduled downtime when assessing security incidents CC ID 17182 [Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided. Article 3 2. ¶ 1 Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected. Article 3 2. ¶ 2] | Operational management | Process or Activity | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a customer service program. CC ID 00846 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Incident Management program. CC ID 00853 | Operational management | Business Processes | |
| Define the characteristics of the Incident Management program. CC ID 00855 | Operational management | Establish/Maintain Documentation | |
| Include the criteria for a data loss event in the Incident Management program. CC ID 12179 [{is not usable} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable; Article 5 ¶ 1(a) For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data; Article 5 ¶ 1(b) {is incomplete} {unauthorized modification} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete; Article 5 ¶ 1(c) {unauthorized party} For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following: in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system. Article 5 ¶ 1(d)] | Operational management | Establish/Maintain Documentation | |
| Include the criteria for an incident in the Incident Management program. CC ID 12173 [An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: Article 8 1. Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have occurred at least twice within 6 months; Article 8 2. ¶ 1(a) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554; Article 8 2. ¶ 1(b) Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions: they collectively fulfil the criteria for being considered a major incident set out in paragraph 1. Article 8 2. ¶ 1(c)] | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected parties in the incident criteria. CC ID 17179 [The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service. Article 1 1. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity. Article 1 2.] | Operational management | Establish/Maintain Documentation | |
| Include a definition of affected transactions in the incident criteria. CC ID 17180 [In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union. Article 1 4.] | Operational management | Establish/Maintain Documentation | |
| Include incident monitoring procedures in the Incident Management program. CC ID 01207 [Financial entities shall assess the existence of recurring incidents on a monthly basis. Article 8 2. ¶ 2] | Operational management | Establish/Maintain Documentation | |
| Categorize the incident following an incident response. CC ID 13208 | Operational management | Technical Security | |
| Define and document impact thresholds to be used in categorizing incidents. CC ID 10033 [For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has been reflected in the media; Article 2 1.(a) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships; Article 2 1.(b) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident; Article 2 1.(c) For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met: the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident. Article 2 1.(d) When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1. Article 2 2. An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: the materiality threshold referred to in Article 9(5), point (b), is met; Article 8 1.(a) An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met. Article 8 1.(b) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service; Article 9 1. ¶ 1(c) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(d) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service; Article 9 1. ¶ 1(e) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected. Article 9 1. ¶ 1(f) {reputational impact} The materiality threshold for the criterion 'reputational impact' is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled. Article 9 2. {geographical spread} The materiality threshold for the criterion 'geographical spread' is met where the incident has an impact in two or more Member States in accordance with Article 4. Article 9 4. {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements; Article 9 5.(a) {data losses} The materiality threshold for the criterion 'data losses' is met where any of the following conditions are fulfilled: any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses. Article 9 5.(b) {economic impact} The materiality threshold for the criterion 'economic impact' is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro. Article 9 6. {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(4). Article 10 ¶ 1(c)(iii) {be significant} For the purposes of Article 18(2) of Regulation (EU) 2022/2554, a cyber threat shall be considered significant where all of the following conditions are fulfilled: the cyber threat could, if materialised, meet any of the following: the materiality threshold set out in Article 9(1); Article 10 ¶ 1(c)(ii) Where, depending on the type of cyber threat and available information, the financial entity concludes that the materiality thresholds set out in Article 9(2), (3), (5) and (6) could be met, those thresholds may also be considered. Article 10 ¶ 2 The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: clients or financial counterparts; Article 11 ¶ 1(a) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a branch of the financial entity or another financial entity within the group; Article 11 ¶ 1(b) The assessment of whether the major incident is relevant for competent authorities in other Member States as referred to in Article 19(7) of Regulation (EU) 2022/2554 shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: a financial market infrastructure or a third-party provider which may affect financial entities to which they provide services. Article 11 ¶ 1(c) For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: Article 4 ¶ 1 For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: expropriated funds or financial assets for which they are liable, including assets lost to theft; Article 7 1.(a) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for replacement or relocation of software, hardware or infrastructure; Article 7 1.(b) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills; Article 7 1.(c) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: fees due to non-compliance with contractual obligations; Article 7 1.(d) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs for redress and compensation to customers; Article 7 1.(e) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: losses due to forgone revenues; Article 7 1.(f) {internal communication} For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: costs associated with internal and external communication; Article 7 1.(g) For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident: advisory costs, including costs associated with legal counselling, forensic services and remediation services. Article 7 1.(h) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients is higher than 10 % of all clients using the affected service; Article 9 1. ¶ 1(a) The materiality threshold for the criterion 'clients, financial counterparts and transactions' is met where any of the following conditions are fulfilled: the number of affected clients using the affected service is higher than 100 000; Article 9 1. ¶ 1(b) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the duration of the incident is longer than 24 hours; Article 9 3.(a) The materiality threshold for the criterion 'duration and service downtime' is met where any of the following conditions are fulfilled: the service downtime is longer than 2 hours for ICT services that support critical or important functions. Article 9 3.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date; Article 7 2.(a) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives; Article 7 2.(b) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: insurance premiums. Article 7 2.(c) Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following: Article 7 2.] | Operational management | Establish/Maintain Documentation | |