Cybersecurity · Credibility 94/100 · 6 min read

Cybersecurity Governance Briefing — February 18, 2025

EU financial regulators have finalised the Digital Operational Resilience Act (DORA) incident-classification criteria, locking in the materiality thresholds and reporting timelines that firms have had to operationalise since DORA began to apply on January 17, 2025.

Executive briefing: The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA), acting jointly as the ESAs, published their Final Report on the draft Regulatory Technical Standards on the classification of ICT-related incidents under DORA Article 18(3) on January 17, 2024; the Commission adopted them as Delegated Regulation (EU) 2024/1772, and the ESAs followed with February FAQs clarifying reporting thresholds. Since DORA began to apply on January 17, 2025, financial entities have been bound by those classification criteria, their materiality thresholds, and the major-incident notification timelines that accompany them.

Key industry signals

  • Harmonised thresholds. The RTS fixes a materiality threshold per criterion: for example, more than 10% of the clients using the affected service, an incident lasting more than 24 hours or more than two hours of downtime for services supporting critical or important functions, and impact in two or more Member States. Meeting one threshold is not enough on its own. An incident is major when it affects critical services and either stems from successful malicious unauthorised access or meets at least two further criteria.
  • Four-hour reporting. Firms must deliver an initial notification to their competent authority within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
  • ICT third-party providers. Contracts under DORA Article 30 must oblige providers to assist during ICT incidents, so suppliers have to produce the evidence (affected clients, downtime, data impact) on which classification depends; critical providers additionally fall under the ESAs' oversight framework.

Control alignment

  • Incident response. Update runbooks so severity scoring reflects the RTS classification criteria, and make a "major" classification the event that starts the reporting clock in SOC escalation tooling.
  • Third-party governance. Amend contractual clauses so ICT providers must supply telemetry and recovery evidence within the regulatory timeframes, not after their own post-incident review.

Detection and response priorities

  • Automate triggers in SIEM/SOAR platforms to flag when incident metrics cross a DORA materiality threshold and to alert the regulatory liaison team, so the classification decision and the four-hour clock it starts do not depend on manual review.
  • Establish cross-border coordination cells for incidents affecting two or more Member States: geographical spread is itself a classification criterion, and group entities in several jurisdictions each owe a notification to their own competent authority.
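The classification rule (critical services affected, plus either malicious unauthorised access or at least two further criteria) and the reporting clocks (four hours from classification and at most 24 hours from awareness for the initial notification, 72 hours for the intermediate report, one month for the final report) can be implemented as a single SOAR playbook step. The following is an added example written for this briefing; it is not ESA tooling or any vendor's product. The thresholds follow the classification RTS (Commission Delegated Regulation (EU) 2024/1772) and the clocks follow the DORA reporting RTS as read here; the SIEM record, its field names and the helper names are constructed for the example.

```python
"""DORA major-incident classification and reporting clocks. Added example for
this briefing, not ESA or vendor tooling. Thresholds follow the classification
RTS (Delegated Regulation (EU) 2024/1772) and the clocks the reporting RTS as
the author reads them; field names and the sample record are constructed."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

CLIENT_SHARE = 0.10            # >10 % of clients using the affected service
CLIENT_COUNT = 100_000         # or >100 000 such clients
COUNTERPART_SHARE = 0.30       # >30 % of financial counterparts
TXN_SHARE = 0.10               # >10 % of daily average transactions
TXN_VALUE_EUR = 15_000_000     # or >EUR 15 m of daily transactions by value
DURATION = timedelta(hours=24)
DOWNTIME = timedelta(hours=2)  # downtime of services for critical/important functions
MEMBER_STATES = 2
ECONOMIC_EUR = 100_000

@dataclass(frozen=True)
class IncidentMetrics:
    clients_affected: int
    clients_total: int
    counterpart_share: float
    txn_share: float
    txn_value_eur: float
    duration: timedelta
    critical_downtime: timedelta
    member_states: int
    data_losses_adverse: bool         # data impact with adverse business or regulatory effect
    reputational_impact: bool
    economic_impact_eur: float
    critical_services_affected: bool  # services supporting critical or important functions
    malicious_access: bool            # successful malicious unauthorised access

def criteria_met(m: IncidentMetrics) -> dict[str, bool]:
    """The six criteria that count towards the 'at least two' test."""
    client_share = m.clients_affected / m.clients_total if m.clients_total else 0.0
    return {
        "clients_counterparts_transactions": (
            client_share > CLIENT_SHARE or m.clients_affected > CLIENT_COUNT
            or m.counterpart_share > COUNTERPART_SHARE
            or m.txn_share > TXN_SHARE or m.txn_value_eur > TXN_VALUE_EUR),
        "data_losses": m.data_losses_adverse,
        "reputational_impact": m.reputational_impact,
        "duration_downtime": m.duration > DURATION or m.critical_downtime > DOWNTIME,
        "geographical_spread": m.member_states >= MEMBER_STATES,
        "economic_impact": m.economic_impact_eur > ECONOMIC_EUR,
    }

def classify(m: IncidentMetrics) -> tuple[bool, list[str]]:
    """RTS Article 8: major = critical services affected AND (malicious
    unauthorised access OR at least two other criteria). Malicious access
    also satisfies the critical-services limb on its own."""
    hits = [name for name, met in criteria_met(m).items() if met]
    critical = m.critical_services_affected or m.malicious_access
    return critical and (m.malicious_access or len(hits) >= 2), hits

def initial_notification_due(aware_at: datetime, classified_at: datetime) -> datetime:
    """Four hours from classification as major, but never later than
    24 hours from the moment the entity became aware of the incident."""
    return min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))

def intermediate_report_due(initial_submitted_at: datetime) -> datetime:
    return initial_submitted_at + timedelta(hours=72)

def final_report_due(intermediate_submitted_at: datetime) -> datetime:
    """One month after the intermediate report, clamped to month end."""
    d = intermediate_submitted_at
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))

def metrics_from_event(e: dict) -> IncidentMetrics:
    """Map a SOAR enrichment record (constructed field names) onto the criteria."""
    fields = {k: v for k, v in e.items() if k in IncidentMetrics.__dataclass_fields__}
    fields["duration"] = timedelta(minutes=e["duration_minutes"])
    fields["critical_downtime"] = timedelta(minutes=e["critical_downtime_minutes"])
    return IncidentMetrics(**fields)

def evaluate(event: dict) -> dict:
    """Playbook step: classify, and if major, start the reporting clocks.
    Later clocks assume each report is filed at its deadline (the latest case)."""
    is_major, hits = classify(metrics_from_event(event))
    result = {"major": is_major, "criteria": hits}
    if is_major:
        initial = initial_notification_due(datetime.fromisoformat(event["aware_at"]),
                                           datetime.fromisoformat(event["classified_at"]))
        intermediate = intermediate_report_due(initial)
        result.update(initial_due=initial.isoformat(),
                      latest_intermediate_due=intermediate.isoformat(),
                      latest_final_due=final_report_due(intermediate).isoformat())
    return result

# Constructed record: a five-hour payments-API outage at a mid-sized institution.
SAMPLE_EVENT = {
    "clients_affected": 12_500, "clients_total": 90_000, "counterpart_share": 0.05,
    "txn_share": 0.04, "txn_value_eur": 2_000_000.0,
    "duration_minutes": 310, "critical_downtime_minutes": 150, "member_states": 1,
    "data_losses_adverse": False, "reputational_impact": False, "economic_impact_eur": 40_000.0,
    "critical_services_affected": True, "malicious_access": False,
    "aware_at": "2025-02-18T06:10:00+00:00", "classified_at": "2025-02-18T09:40:00+00:00",
}
```

Running `evaluate(SAMPLE_EVENT)` classifies the constructed outage as major on two criteria (client share above 10% and critical-service downtime above two hours) and returns the 13:40 UTC initial-notification deadline; the same outage with `critical_services_affected` set to `False` is not major no matter how many other thresholds it crosses, which is the point of wiring the Article 8 rule into the playbook rather than a flat threshold check. The awareness cap matters when classification is slow: an incident the entity became aware of at 20:00 the previous evening and classified at 18:00 the next day is due at 20:00, not 22:00.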

Enablement moves

  • Conduct tabletop exercises with risk, compliance, and ICT suppliers covering the four-hour initial notification window.
  • Map the RTS classification criteria to existing Basel operational risk taxonomies so finance and cyber teams share consistent reporting language.

Zeph Tech equips financial institutions to meet DORA’s aggressive reporting windows with auditable workflows.

  • DORA
  • Incident reporting
  • EU financial regulation
  • Operational resilience