Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplements Regulation (EU) 2022/2554 by establishing regulatory technical standards (RTS) that specify the criteria for classifying ICT-related incidents and cyber threats within the financial sector. It sets out detailed materiality thresholds to determine when an incident qualifies as a major ICT-related incident, based on criteria such as the number and relevance of clients affected, data losses, duration and service downtime, geographical spread, reputational and economic impact, and whether critical services are affected. The regulation also specifies the detailed content and format of reports that financial entities must submit for major incidents, ensuring harmonized and streamlined reporting across the EU. Furthermore, it addresses the classification of significant cyber threats by assessing their potential impact on critical or important business functions and the likelihood of their materialization. This framework aims to enhance digital operational resilience by providing clear guidance on incident classification and reporting obligations under the Digital Operational Resilience Act (DORA).
Publication's URL
https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)
- EU Commission Implementing Regulation 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
- EU Commission Delegated Regulation 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats