DORA consultancy - helping financial institutes across the UK and Europe.



Incident Management


ESA has recently released several draft Regulatory Technical Standards (RTSs), which give a flavour of the expected control levels.
This is the fourth article, focusing on the Incident Management technical standards.
The first and second articles, on the Risk Management RTS, and the third article, on Third-Party Risk Management, are available here, here and here.

TL;DR: Incident management must be an efficient process, where efficient means working in line with the regulator's expectations.

DORA prescribes the classification criteria, which are split in the draft RTS into seven distinct criteria, namely:
  • Clients, financial counterparts and transactions affected
  • Reputational impact
  • Duration and service downtime
  • Geographical spread
  • Data losses
  • Critical services affected
  • Economic impact

ESA provides the suggested decision flow to identify the incident criticality. The flow is a good starting point, which needs to be reviewed and adjusted taking into account each financial entity’s circumstances and linked with Asset Management processes.


Additional consideration should be given to whether a geographical impact in two Member States will suffice to trigger the materiality threshold for major incidents, provided that there is material impact in both jurisdictions.
The economic impact threshold is set at EUR 100,000 or above for the gross direct and indirect costs and losses incurred as a result of the incident.

ESA also introduces relative and absolute thresholds.
The relative threshold will have to be calculated from the number of clients affected by the incident and is set at 10% of the client base.
The absolute threshold is set at 50,000 clients, leveraging the EBA Guidelines on major incident reporting under PSD2.
In addition, the financial entity will need to consider:
  • the ‘number of financial counterparts affected’ by the incident: the ESAs propose to use a relative threshold only and to set its value at 10%, based on the same rationale as the ‘clients’ part of the criterion.
  • the materiality thresholds for the ‘amount or number of transactions affected’: the ESAs propose to use both relative and absolute thresholds, with values of 10% of the volume of transactions and EUR 15 million in value of transactions.

Since it may be challenging for financial entities to identify the number of clients or financial counterparts affected, or the number or amount of transactions impacted, the draft RTS envisages that financial entities can resort to estimates.
Financial entities shall measure the duration of an incident from the moment the incident occurs until the moment it is resolved. The detectable record evidencing when the incident occurred should not be understood as an entry in an incident management system but as a traceable log in a network or a system.
The threshold for service downtime of critical functions is longer than 2 calendar hours, with exceptions. For the total ‘duration of the incident’, the ESAs consider a threshold of 24 hours appropriate.

ESA also introduces criteria for recurring incidents, which will have to be classified as major where, in the aggregate, they meet the classification criteria and materiality thresholds within the preceding 3 months for most financial entities. For central securities depositories, central counterparties, trading venues, trade repositories, data reporting service providers, credit rating agencies, administrators of critical benchmarks and securitisation repositories, the period is up to 12 months.
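As an added illustration (not code from this article or from the ESAs), the thresholds quoted above can be encoded as a checklist that an incident process runs against a ticket. The `Incident` record, its field names and the summation rule for recurring incidents are assumptions; the functions report which thresholds are met and do not reproduce the ESA decision flow that turns those results into a major/non-major classification.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Threshold values as the article quotes them from the draft RTS. Boundary direction
# follows the text where it states one ("or above", "longer than") and is assumed otherwise.
REL_CLIENTS, ABS_CLIENTS, REL_COUNTERPARTS = 0.10, 50_000, 0.10
REL_TX_VOLUME, ABS_TX_EUR, ECONOMIC_EUR, MEMBER_STATES = 0.10, 15_000_000, 100_000, 2
DOWNTIME, DURATION = timedelta(hours=2), timedelta(hours=24)
@dataclass
class Incident:                   # hypothetical record; counts may be estimates
    started: datetime             # first traceable log entry, not ticket creation time
    resolved: datetime
    clients_affected: int
    client_base: int
    counterparts_affected: int
    counterpart_base: int
    tx_volume_share: float        # share of transaction volume affected
    tx_value_eur: float           # value of transactions affected
    member_states_hit: int        # Member States with material impact
    critical_downtime: timedelta  # downtime of critical functions
    economic_impact_eur: float    # gross direct and indirect costs and losses

def thresholds_met(inc):
    """Which materiality thresholds the incident meets; the major/non-major decision
    itself follows the ESA decision flow, which is not reproduced here."""
    return {
        "clients": inc.clients_affected >= REL_CLIENTS * inc.client_base
                   or inc.clients_affected >= ABS_CLIENTS,
        "counterparts": inc.counterparts_affected >= REL_COUNTERPARTS * inc.counterpart_base,
        "transactions": inc.tx_volume_share >= REL_TX_VOLUME or inc.tx_value_eur >= ABS_TX_EUR,
        "geography": inc.member_states_hit >= MEMBER_STATES,
        "downtime": inc.critical_downtime > DOWNTIME,
        "duration": inc.resolved - inc.started >= DURATION,
        "economic": inc.economic_impact_eur >= ECONOMIC_EUR,
    }
def recurring_thresholds_met(incidents, as_of, window=timedelta(days=90)):
    """Sum incidents resolved in the preceding window (3 months for most entities, up to
    12 months for CSDs, CCPs, trading venues, etc.); summation assumes disjoint impact."""
    recent = [i for i in incidents if as_of - window <= i.resolved <= as_of]
    if not recent: return {}
    total = lambda f, zero=0: sum((getattr(i, f) for i in recent), zero)
    start = min(i.started for i in recent)
    agg = Incident(
        started=start, resolved=start + sum((i.resolved - i.started for i in recent), timedelta()),
        clients_affected=total("clients_affected"), client_base=recent[0].client_base,
        counterparts_affected=total("counterparts_affected"), counterpart_base=recent[0].counterpart_base,
        tx_volume_share=total("tx_volume_share"), tx_value_eur=total("tx_value_eur"),
        member_states_hit=max(i.member_states_hit for i in recent),
        critical_downtime=total("critical_downtime", timedelta()),
        economic_impact_eur=total("economic_impact_eur"))
    return thresholds_met(agg)
```

The per-incident call is the check to run at triage; the recurring call is the one to schedule over the incident register, with the window widened to 12 months for the entity types listed above.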


Our opinion:
The suggested thresholds and their rationale are straightforward. However, the incident management process will require significant ongoing effort to identify an incident, evaluate its impact, remediate it within a defined timeframe and conduct a post-mortem analysis to avoid recurrence. Recurrence would be an avoidable embarrassment.

Please contact us if you have any questions.
