Article 6 – Criticality of services affected

For the purpose of determining the criticality of the services affected as referred to in Article 18(1), point (e), of Regulation (EU) 2022/2554, financial entities shall assess whether the incident:

  1. affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;
  2. affects or has affected financial services provided by the financial entity that require authorisation, registration or that are supervised by competent authorities;
  3. constitutes or has constituted a successful, malicious and unauthorised access to the network and information systems of the financial entity.