MAJOR INCIDENTS AND MATERIALITY THRESHOLDS
Article 8Major incidents
Section titled “Major incidents”An incident shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled:
- (a)
the materiality threshold referred to in Article 9(5), point (b), is met;
- (b)
two or more of the other materiality thresholds referred to in Articles 9(1) to (6) are met.
Recurring incidents that individually are not considered a major incident in accordance with paragraph 1 shall be considered as one major incident where they meet all of the following conditions:
- (a)
they have occurred at least twice within 6 months;
- (b)
they have the same apparent root cause as referred to in Article 20, first subparagraph, point (b) of Regulation (EU) 2022/2554;
- (c)
they collectively fulfil the criteria for being considered a major incident set out in paragraph 1.
Financial entities shall assess the existence of recurring incidents on a monthly basis.
This paragraph does not apply to microenterprises and to financial entities listed in Article 16(1) of Regulation (EU) 2022/2554.
Article 9Materiality thresholds for determining major incidents
Section titled “Materiality thresholds for determining major incidents”The materiality threshold for the criterion ‘clients, financial counterparts and transactions’ is met where any of the following conditions are fulfilled:
- (a)
the number of affected clients is higher than 10 % of all clients using the affected service;
- (b)
the number of affected clients using the affected service is higher than 100 000;
- (c)
the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service;
- (d)
the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service;
- (e)
the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service;
- (f)
clients or financial counterparts which have been identified as relevant in accordance with Article 1(3) have been affected.
Where the actual number of clients or financial counterparts affected or the actual number or amount of transactions affected cannot be determined, the financial entity shall estimate those numbers or amounts based on available data from comparable reference periods.
The materiality threshold for the criterion ‘reputational impact’ is met where any of the conditions set out in Article 2, points (a) to (d), are fulfilled.
The materiality threshold for the criterion ‘duration and service downtime’ is met where any of the following conditions are fulfilled:
- (a)
the duration of the incident is longer than 24 hours;
- (b)
the service downtime is longer than 2 hours for ICT services that support critical or important functions.
The materiality threshold for the criterion ‘geographical spread’ is met where the incident has an impact in two or more Member States in accordance with Article 4.
The materiality threshold for the criterion ‘data losses’ is met where any of the following conditions are fulfilled:
- (a)
any impact as referred to in Article 5 on the availability, authenticity, integrity or confidentiality of data has or will have an adverse impact on the implementation of the business objectives of the financial entity or on its ability to meet regulatory requirements;
- (b)
any successful, malicious and unauthorised access not covered by point (a) occurs to network and information systems, where such access may result in data losses.
The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed 100 000 euro.