EU | In Force | Final

RTS on ICT Incident Classification & Reporting

Commission Delegated Regulation (EU) 2024/1772 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents

European Commission
Updated Jun 25, 2024
vFinal

Abstract

Regulatory Technical Standards under DORA defining harmonised criteria for classifying ICT-related incidents and cyber threats, setting quantitative and qualitative materiality thresholds for determining major incidents, and specifying the required structure and content of incident reports to competent authorities. Covers client and transaction impact, reputational effects, downtime, geographic spread, data losses, service criticality, economic impact, and rules for recurring incidents and significant cyber threats.

Key Takeaways

  • Establishes harmonised EU-wide criteria to classify ICT-related incidents and cyber threats under DORA Article 18.
  • Defines materiality thresholds to determine when incidents qualify as major and must be reported to supervisors.
  • Specifies measurable indicators including affected clients, transactions, downtime, geographic spread, data loss and economic impact.
  • Introduces rules for recurring incidents and for identifying significant cyber threats before materialisation.
  • Standardises the content and detail of incident reports shared with competent authorities across Member States.

Keywords

EU 2024/1772, DORA RTS, Article 18, major incidents, materiality thresholds, cyber threats, incident reporting, digital operational resilience
