Criteria For Classifying ICT-Related Incidents and Cyber Threats and The Procedure for Reporting Them by Financial Entities: A European Perspective

Monika Szaraniec

Krakow University of Economics, Poland

Abstract

The rapid development of information and communication technologies necessitates the implementation of national legal frameworks that take into account cybersecurity standards, in particular in accordance with European Union legislation. Cybersecurity in financial entities forms the basis for legal and economic transactions and protects public interests. This article analyses the new regulatory obligations resulting from the implementation of the Digital Operational Resilience Act (DORA) and the NIS2 Directive, focusing on the identification and classification of incidents related to information and communication technologies (ICT).

The author presents a comprehensive framework for classifying ICT incidents, introducing an eight-criteria model that assesses incidents based on: significance and impact, reputational consequences, duration, geographical scope, data loss, service criticality, and side effects. Particular attention is paid to the materiality threshold set out in Implementing Regulation 2024/1772, which is a key mechanism for determining whether an incident is material. The article presents a three-step procedural model that financial institutions should follow when an incident occurs.

The analysis shows that the new incident classification methodology goes beyond mere reporting requirements – it is an integral part of ICT management and macroprudential supervision systems in the financial sector. The standardisation of reporting procedures, including the elimination of duplicate notifications that were previously required under PSD2, enables more effective use of this tool in improving the efficiency of cyber monitoring at the international level.

Keywords: Innovations in information and communication technologies, financial entities, risk management, serious incidents, cyber attacks.