Article 16 of the Digital Operational Resilience Act (DORA): Classification of ICT-Related Incidents
Article 16 of the Digital Operational Resilience Act (DORA) outlines the framework for classifying ICT-related incidents and determining their impact. This classification system is crucial for managing and reporting such incidents effectively, ensuring that financial entities can respond appropriately and comply with regulatory requirements.
Classification Criteria
- Impact Assessment: Financial entities are required to classify ICT-related incidents based on several key criteria to assess their impact:
  - User and Reputational Impact: The classification should consider the number of users or financial counterparts affected by the incident and whether the incident has had a reputational impact on the entity.
  - Incident Duration: The length of time the ICT-related incident lasts, including any service downtime, must be evaluated.
  - Geographical Spread: The geographical extent of the incident is important, particularly if it affects multiple Member States. Incidents affecting more than two Member States should be classified with particular attention.
  - Data Loss: The type of data loss involved, such as loss of data integrity, confidentiality, or availability, must be considered in the classification.
  - Severity: The severity of the incident’s impact on the financial entity’s ICT systems should be assessed.
  - Service Criticality: The criticality of the affected services, including key transactions and operations of the financial entity, should be evaluated.
  - Economic Impact: The economic consequences of the incident, both in absolute terms and relative to the entity’s size and operations, must be assessed.
Development of Regulatory Technical Standards
- Common Standards Development: The European Supervisory Authorities (ESAs) are tasked with developing common draft regulatory technical standards for incident classification and reporting. This process involves:
  - Criteria Specification: The ESAs, through the Joint Committee and after consulting the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA), will specify the criteria outlined in paragraph 1. This includes setting materiality thresholds for identifying major ICT-related incidents that are subject to mandatory reporting under Article 17(1).
  - Assessment Criteria: The ESAs will establish criteria for competent authorities to assess the relevance of major ICT-related incidents to other Member States. They will also detail how ICT-related incident reports should be shared with other competent authorities, as stipulated in Article 17(5) and (6).
  - International Standards and ENISA Specifications: In developing these standards, the ESAs must consider international standards and specifications published by ENISA, including those applicable to other economic sectors where relevant. This ensures that the regulatory technical standards are comprehensive and align with broader best practices in ICT risk management.
Submission and Adoption
- Submission Deadline: The ESAs are required to submit the draft regulatory technical standards to the European Commission within one year of the entry into force of DORA.
- Delegated Authority: The Commission is granted the authority to adopt these regulatory technical standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010. This delegated power ensures that the standards are formally implemented and enforced across the EU.
Conclusion
Article 16 of DORA establishes a comprehensive framework for the classification of ICT-related incidents, requiring financial entities to assess and report the impact of such incidents based on defined criteria. The development of common regulatory technical standards by the ESAs aims to ensure consistent and effective incident management and reporting across the EU. By setting clear criteria and considering international standards, Article 16 helps enhance the overall digital operational resilience of financial entities and ensures a coordinated approach to managing ICT-related risks.