Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2024-1772
Criteria for the classification of ICT-related incidents and cyber threats
Article 2 – Reputational impact
1. For the purposes of determining the reputational impact of the incident as referred to in Article 18(1), point (a), of Regulation (EU) 2022/2554, financial entities shall consider that a reputational impact has occurred where at least one of the following criteria is met:
   - the incident has been reflected in the media;
   - the incident has resulted in repetitive complaints from different clients or financial counterparts on client-facing services or critical business relationships;
   - the financial entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident;
   - the financial entity will or is likely to lose clients or financial counterparts with a material impact on its business as a result of the incident.
2. When assessing the reputational impact of the incident, financial entities shall take into account the level of visibility that the incident has gained or is likely to gain in relation to each criterion listed in paragraph 1.