Skip to content
DORA
CHAPTER I

CLASSIFICATION CRITERIA

Article 1Clients, financial counterparts and transactions

Section titled “Clients, financial counterparts and transactions”

  1. The number of clients affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, shall reflect the number of all affected clients, whether natural or legal persons, that are or were unable to make use of the service provided by the financial entity during the incident or that were adversely impacted by the incident. That number shall also include third parties explicitly covered by the contractual agreement between the financial entity and the client as beneficiaries of the affected service.

  2. The number of financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554 shall reflect the number of all affected financial counterparts that have concluded a contractual arrangement with the financial entity.

  3. In relation to the relevance of clients and financial counterparts affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account the extent to which the impact on a client or a financial counterpart will affect the implementation of the business objectives of the financial entity, as well as the potential impact of the incident on market efficiency.

  4. In relation to the amount or number of transactions affected by the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, the financial entity shall take into account all affected transactions involving a monetary amount where at least one part of the transaction is carried out in the Union.

  5. Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods.

Article 2Reputational impact

Section titled “Reputational impact”

  1. For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met:

    • (a)

      the incident has been reflected in the media;

    • (b)

      the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships;

    • (c)

      the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident;

    • (d)

      the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident.

  2. When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1.

Article 3Duration and service downtime

Section titled “Duration and service downtime”

  1. Financial entities shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved.

    Where financial entities are unable to determine the moment when the incident occurred, they shall measure the duration of the incident from the moment it was detected. Where financial entities become aware that the incident occurred prior to its detection, they shall measure the duration from the moment the incident is recorded in network or system logs or other data sources.

    Where financial entities do not yet know when the incident will be resolved or are unable to verify records in logs or other data sources, they shall apply estimates.

  2. Financial entities shall measure the service downtime of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the service is fully or partially unavailable to clients, financial counterparts or other internal or external users to the moment when regular activities or operations have been restored to the level of service that was provided prior to the incident. Where the service downtime causes a delay in the provision of service after regular activities or operations have been restored, the downtime shall be measured from the start of the incident to the moment when that delayed service is fully provided.

    Where financial entities are unable to determine the moment when the service downtime started, they shall measure the service downtime from the moment it was detected.

Article 4Geographical spread

Section titled “Geographical spread”

For the purpose of determining the geographical spread with regard to the areas affected by the incident as referred to in Article 18(1), point (c), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following:

  • (a)

    clients and financial counterparts in other Member States;

  • (b)

    branches or other financial entities within the group carrying out activities in other Member States;

  • (c)

    financial market infrastructures or third-party providers, which may affect financial entities in other Member States to which they provide services, to the extent such information is available.

Article 5Data losses

Section titled “Data losses”

For the purpose of determining the data losses that the incident entails as referred to in Article 18(1), point (d), of Regulation (EU) 2022/2554, financial entities shall take into account the following:

  • (a)

    in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable;

  • (b)

    in relation to the authenticity of data, whether the incident has compromised the trustworthiness of the source of data;

  • (c)

    in relation to the integrity of data, whether the incident has resulted in non-authorised modification of data that has rendered it inaccurate or incomplete;

  • (d)

    in relation to the confidentiality of data, whether the incident has resulted in data having been accessed by or disclosed to an unauthorised party or system.

Article 6Criticality of services affected

Section titled “Criticality of services affected”

For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident:

  • (a)

    affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;

  • (b)

    affects or has affected financial services provided by the financial entity that require

  • (c)

    constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity.

Article 7Economic impact

Section titled “Economic impact”

  1. For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident:

    • (a)

      expropriated funds or financial assets for which they are liable, including assets lost to theft; (b) costs for replacement or relocation of software, hardware or infrastructure;

    • (c)

      staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills;

    • (d)

      fees due to non-compliance with contractual obligations;

    • (e)

      costs for redress and compensation to customers;

    • (f)

      losses due to forgone revenues;

    • (g)

      costs associated with internal and external communication;

    • (h)

      advisory costs, including costs associated with legal counselling, forensic services and remediation services.

  2. Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following:

    • (a)

      costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date;

    • (b)

      internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives;

    • (c)

      insurance premiums.

  3. Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts.

  4. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1.