Chapter III — ICT-related incident management, classification and reporting
Section I — ICT-related incident management
Classification of ICT-related incidents and cyber threats
Summary
Establishes harmonized classification criteria for ICT-related incidents based on impact indicators including number of clients affected, duration, geographical spread, data losses, criticality of services affected, and economic impact. Defines thresholds for "major" ICT-related incidents requiring regulatory notification.
Key Requirements
1. Apply harmonized classification criteria based on impact indicators
2. Assess incidents against defined materiality thresholds
3. Classify incidents as major when meeting or exceeding threshold criteria
4. Consider cross-border and systemic impact dimensions
5. Classify significant cyber threats using comparable criteria
Detailed Analysis
Article 18 introduces harmonized classification criteria for ICT-related incidents, addressing a significant gap in the pre-DORA regulatory landscape where different sectoral regulations used different classification schemes. This harmonization ensures consistent reporting and comparable data across the EU financial sector.
The classification framework uses multiple impact indicators to assess incident severity: the number of clients or financial counterparts affected, the duration of the incident, the geographical spread of impact, data losses (availability, authenticity, integrity, or confidentiality), the criticality of affected services, and the economic impact. An incident is classified as "major" when it meets or exceeds materiality thresholds on these indicators.
The thresholds for major incident classification are specified in the related regulatory technical standards (RTS), providing quantitative benchmarks that financial entities must apply consistently. This quantitative approach reduces subjectivity in classification and ensures that comparable incidents across different entities receive comparable treatment and reporting.
Article 18 also extends classification to significant cyber threats — not just incidents that have materialized but threats that could reasonably be expected to have a high probability of crystallizing. This forward-looking dimension ensures that near-misses and credible threats receive appropriate attention, not just confirmed incidents.