DORA
Classification of major incidents

Are you ready for the upcoming AFM self-assessment on sustainability regulation?

Projective Group projectivegroup.com
+31 (0)20 416 54 03 [email protected]
Content

Introduction 3
Decision tree 4
Step 1. Critical services affected? 5
Step 2. Assessment of other classification criteria 6
Criterium 1: Clients, financial counterparts and transactions 6
Criterium 2: Data loss 7
Criterium 3: Reputational impact 8
Criterium 4: Duration and service downtime 9
Criterium 5: Geographical spread 10
Criterium 6: Economic impact 11
Step 3: Incident classification 12
Need help? 13
Incident detection in line with DORA

The purpose of the Digital Operational Resilience Act (DORA) is to ensure the resilience of digital services and infrastructure in the financial sector. A key part of the legislation is the handling of digital incidents.

One of the most important aspects of this is incident classification: the establishment of criteria to determine when an incident is considered a 'major' incident. Major incidents pose a significant threat to the continuity of digital services and can cause great harm to users, businesses and the economy as a whole. It is therefore important to have a clear framework for identifying and dealing with these incidents.

The criteria for classifying an incident as major have been carefully developed and include a number of factors. To qualify as major, the incident must affect critical or important services and either (i) constitute a malicious unauthorised access to network and security systems or (ii) meet at least two of the 'Other Criteria'. These criteria originate from the Regulatory Technical Standards (RTS) on the classification of major incidents. The current status of this RTS is 'final report'. The ESAs will submit the RTS to the European Commission for adoption.

In this e-paper we cover each criterion and its factors and help you to determine step by step whether or not an incident can be classified as major.
Decision tree: incident detection

STEP 1. Critical services affected?
Check criterion 'Critical services affected'.
- Any successful malicious unauthorised access to network and information systems: incident classified as major.
- Critical services affected criterion met: go to STEP 2.
- Critical services affected criterion not met: incident not classified as major.

STEP 2. Assessment of other classification criteria
- Check criterion 1 'Clients, financial counterparts and transactions'
- Check criterion 2 'Data loss'
- Check criterion 3 'Reputational impact'
- Check criterion 4 'Duration and service downtime'
- Check criterion 5 'Geographical spread'
- Check criterion 6 'Economic impact'

STEP 3. Incident classification
- Two or more additional criteria met: incident classified as major.
- None or one additional criterion met: incident not classified as major.
Step 1. Critical services affected?

To determine if critical services are affected, you must consider the following questions.

- Has the incident affected financial services that require authorisation, registration or are otherwise supervised by competent authorities?
- Has the incident affected ICT services or network and information systems that support critical or important functions?
OR
- Does the incident represent a successful, malicious and unauthorised access to the network and information systems of the financial entity?

If the answer to any of these questions is yes, the criterion is met. Otherwise the criterion is not met, so no major incident is possible.
Step 2. Assessment of other classification criteria

Criterion 1: Clients, financial counterparts and transactions affected

To determine if clients, financial counterparts and transactions are affected, you must consider the following questions.

- Have more than 10% of all clients using the disturbed service been affected by the incident?
OR
- Have more than 100.000 clients been affected by the incident?

- Have more than 30% of financial counterparts been affected?

- Is the amount of affected transactions higher than 10% of the daily average value of transactions carried out by the financial entity related to the affected service?
OR
- Is the number of affected transactions higher than 10% of the daily average number of transactions carried out by the financial entity related to the affected service?

- Is there any identified impact on clients or financial counterparts which have been identified as relevant?

If the answer to any of these questions is yes, the criterion is met; otherwise the criterion is not met.
Step 2. Assessment of other classification criteria

Criterion 2: Data loss

To determine if the incident has impacted the confidentiality of data, you must consider the following questions.

- Has the incident left the data on demand by the financial entity, its clients or counterparts inaccessible or unusable?

- Has the incident compromised the trustworthiness and reliability of data or their source?

- Has the incident resulted in non-authorised modification of data that has rendered it inaccurate or incomplete?

- Has the incident resulted in data having been accessed by or disclosed to unauthorised parties or systems?
OR
- Has the incident resulted in any successful, malicious and unauthorised access to network and information systems not covered by the previous steps, which may result in data losses?

If the answer to any of these questions is yes, the criterion is met; otherwise the criterion is not met.
Step 2. Assessment of other classification criteria

Criterion 3: Reputational impact

To determine if the reputational impact criterion is met, you must consider the following questions.

- Has the incident been reflected in the media?
- Has the financial entity received repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships?
- Is the financial entity unable or not likely to meet regulatory requirements?
- Is the financial entity likely to lose clients or financial counterparts with an impact on its business as a result of the incident?

If the answer to any of these questions is yes, the criterion is met; otherwise the criterion is not met.
Step 2. Assessment of other classification criteria

Criterion 4: Duration and service downtime

To determine if the duration and service downtime criterion is met, you must consider the following questions.

- Was the duration of the incident more than 24 hours?
OR
- Was the service downtime of critical functions longer than 2 hours?

If the answer to either question is yes, the criterion is met; otherwise the criterion is not met.
Step 2. Assessment of other classification criteria

Criterion 5: Geographical spread

To determine the geographical spread, you must consider the following question.

Did the incident have a material impact in two or more member states on:
- the clients and financial counterparts affected,
- branches of the financial entity or other financial entities within the group carrying out activities,
- financial market infrastructures or third-party providers, which potentially may affect financial entities to which they provide services, to the extent this information is available to the financial entity?

If yes, the criterion is met; otherwise the criterion is not met.
Step 2. Assessment of other classification criteria

Criterion 6: Economic impact

To determine the economic impact, you must consider the following question.

- Were the total gross direct and indirect costs and losses of the incident greater than, or likely to be greater than, 100.000 EUR?

If yes, the criterion is met; otherwise the criterion is not met.
Step 3: Major incident detected - what's next?

There is a major incident when critical services are affected and (i) the incident involves any malicious unauthorised access to network and security systems, or (ii) at least two of the 'Other Criteria' are met.
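The three steps of the decision tree, encoded as a small classifier so the rule can be applied consistently by incident-handling tooling. This is an added example, not code from the e-paper or from Projective Group: the IncidentFacts structure and its field names are assumptions, while the thresholds are the ones the e-paper lists (10% or 100.000 clients, 30% of counterparts, 10% of daily transaction value or number, 24 hours of duration or 2 hours of critical downtime, two or more member states, 100.000 EUR).

```python
"""DORA major-incident decision tree. Added example: IncidentFacts and its field names are assumptions; thresholds are the e-paper's."""
from dataclasses import dataclass

@dataclass
class IncidentFacts:
    critical_services_affected: bool       # Step 1: supervised services or ICT behind critical functions
    malicious_unauthorised_access: bool    # Step 1: successful malicious access to network/information systems
    clients_affected_share: float = 0.0    # criterion 1; shares are fractions (0.12 means 12%)
    clients_affected: int = 0
    counterparts_affected_share: float = 0.0
    transactions_value_share: float = 0.0  # of the daily average value for the affected service
    transactions_count_share: float = 0.0  # of the daily average number for the affected service
    relevant_client_impact: bool = False
    data_unavailable: bool = False         # criterion 2: availability, authenticity,
    data_unreliable: bool = False          # integrity and confidentiality of data
    data_modified: bool = False
    data_disclosed: bool = False
    media_coverage: bool = False           # criterion 3
    repetitive_complaints: bool = False
    regulatory_breach_likely: bool = False
    client_loss_likely: bool = False
    duration_hours: float = 0.0            # criterion 4
    critical_downtime_hours: float = 0.0
    member_states_affected: int = 1        # criterion 5
    cost_eur: float = 0.0                  # criterion 6: gross direct and indirect costs and losses

def other_criteria(f: IncidentFacts) -> dict[str, bool]:
    """Step 2: each of the six 'other criteria' is met when any of its questions is a yes."""
    return {
        "clients_counterparts_transactions": (
            f.clients_affected_share > 0.10 or f.clients_affected > 100_000
            or f.counterparts_affected_share > 0.30 or f.transactions_value_share > 0.10
            or f.transactions_count_share > 0.10 or f.relevant_client_impact),
        "data_loss": f.data_unavailable or f.data_unreliable or f.data_modified or f.data_disclosed,
        "reputational_impact": (f.media_coverage or f.repetitive_complaints
                                or f.regulatory_breach_likely or f.client_loss_likely),
        "duration_downtime": f.duration_hours > 24 or f.critical_downtime_hours > 2,
        "geographical_spread": f.member_states_affected >= 2,
        "economic_impact": f.cost_eur > 100_000,
    }

def classify(f: IncidentFacts) -> tuple[bool, list[str]]:
    """Steps 1 and 3: returns (is_major, the criteria that decided it)."""
    if f.malicious_unauthorised_access:
        return True, ["malicious_unauthorised_access"]  # route (i): major on its own
    if not f.critical_services_affected:
        return False, []  # Step 1 not met: no major incident possible
    met = [name for name, hit in other_criteria(f).items() if hit]
    return len(met) >= 2, met  # Step 3: two or more other criteria met
```

For a constructed incident with 150.000 affected clients and a 30-hour duration on a critical service, `classify(IncidentFacts(True, False, clients_affected=150_000, duration_hours=30))` returns `(True, ["clients_counterparts_transactions", "duration_downtime"])`; the same facts with only the 100.000 EUR cost criterion met return `(False, ["economic_impact"])`.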

When a major incident is detected, it is important to resolve the incident as quickly as possible. But that is not all: the institution must also report the incident.

Reports must be made to the supervisory authority at three different moments in time. These moments are specified in the Draft Implementing Technical Standards, so they are not yet final and could still change. You have to submit:
- an initial report, preferably within 4 hours of the classification of the incident and no later than 24 hours thereafter; and
- an interim report, 72 hours after classification or earlier if the incident has been rectified and business is back to normal; and
- a final report, 1 month after classification. If the incident is not resolved after one month, the report should be submitted the day after the incident is resolved.

Reporting needs to be done using templates, which are currently only specified in Draft RTS and are not final yet.

The AFM and DNB will both oversee the implementation of DORA. The exact process for reporting incidents is not yet known.
Need help?

Do you have any questions about DORA incident detection and reporting? Or do you need help becoming DORA compliant? We are happy to help.

GET IN TOUCH

Projective Group projectivegroup.com
+31 (0)20 416 54 03 [email protected]