2025-03-14

Joint Guidelines on the Assessment of Aggregated Annual Costs and Losses Resulting from Significant ICT Incidents under Regulation (EU) 2022/2554 (JC 2024 34)

The European Supervisory Authorities issued Joint Guidelines establishing a common methodology for financial entities to assess the aggregated annual costs and losses resulting from significant ICT incidents under the DORA Regulation (Regulation (EU) 2022/2554). The Guidelines require financial entities to aggregate, for each significant ICT incident covered by the reference year, the gross costs and losses and the financial recoveries, and to submit the result to the competent authority using a standardised template. They apply from 19 May 2025; competent authorities are expected to incorporate them into their supervisory practices and financial entities to align their reporting accordingly.

Source: Croatian Financial Services Supervisory Agency, Croatia

JC 2024 34 June 5, 2024

Joint Guidelines on the assessment of aggregated annual costs and losses resulting from significant ICT incidents in accordance with Regulation (EU) 2022/2554

These Guidelines contain references to delegated and implementing Commission Regulations of the EU that have not yet been published in the Official Journal of the EU. Once these forthcoming regulations are published in the Official Journal, these Guidelines will be finalised by including those references. The references will be added to the sections marked in yellow. The start date of application of these Guidelines can only be determined after their finalisation. The expected start date of application is 17 January 2025. In the event of a delay in the finalisation of these Guidelines, the latest start date of application will be two months after the publication of the translations of these Guidelines in all official EU languages.

JOINT COMMITTEE GUIDELINES ON THE ASSESSMENT OF AGGREGATED ANNUAL COSTS AND LOSSES RESULTING FROM SIGNIFICANT ICT INCIDENTS 2

Joint Guidelines on the assessment of aggregated annual costs and losses resulting from significant ICT incidents

Status of these Joint Guidelines

This document contains joint guidelines issued pursuant to Article 16 of Regulation (EU) No 1093/2010 [1], Article 16 of Regulation (EU) No 1094/2010 [2] and Article 16 of Regulation (EU) No 1095/2010 [3] (the "European Supervisory Authorities Regulations"). In accordance with Article 16(3) of the relevant European Supervisory Authorities Regulations, competent authorities and financial institutions must make every effort to comply with these Guidelines. Joint Guidelines set out the views of the European Supervisory Authorities on appropriate supervisory practices within the European System of Financial Supervision or on how Union law should be applied in a particular area. Competent authorities to which the Joint Guidelines apply should comply with them by incorporating them into their supervisory practices as appropriate (e.g. by amending their legal framework or supervisory procedures), including where the Joint Guidelines are primarily directed at institutions.

Reporting requirements

In accordance with Article 16(3) of the Regulations establishing the European Supervisory Authorities, competent authorities must notify the relevant European Supervisory Authority whether they comply or intend to comply with these joint guidelines/recommendations or, if not, state the reasons for non-compliance by 19.05.2025 (two months after their issuance). In the absence of such notification within that deadline, the relevant European Supervisory Authority shall consider that the competent authorities are not in compliance. Notifications should be sent to compliance@eba.europa.eu, compliance@eiopa.europa.eu and DORA@esma.europa.eu with the reference "JC/GL/2024/34". The notification form is available on the websites of the European Supervisory Authorities. Notifications should be sent by persons with appropriate authority to report on compliance on behalf of their competent authorities. Notifications will be published on the websites of the European Supervisory Authorities in accordance with Article 16(3).

[1] Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).

[2] Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).

[3] Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

Chapter I. – Subject matter, scope, addressees and definitions

Subject matter and scope

1. The objective of these Guidelines is to fulfil the mandate given to the European Supervisory Authorities under Article 11(11) of Regulation (EU) 2022/2554 [4] to develop joint guidelines on the assessment of the aggregated annual costs and losses resulting from significant ICT incidents referred to in Article 11(10) of that Regulation. These Guidelines also establish a common template for the submission of the aggregated annual costs and losses.

Addressees

2. These Guidelines are addressed to competent authorities as defined in Article 46 of Regulation (EU) 2022/2554 and to financial institutions as defined in Article 4(1) of Regulation (EU) No 1093/2010, Article 4(1) of Regulation (EU) No 1094/2010 and Article 4(1) of Regulation (EU) No 1095/2010.

Definitions

3. Terms used and defined in Regulation (EU) 2022/2554 have the same meaning in these Guidelines.

Chapter II. – Implementation

Start date of application

4. These Guidelines shall apply from 19.05.2025.

[4] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, pp. 1-79).

Chapter III. – Provisions on the assessment of aggregated annual costs and losses resulting from significant ICT incidents

5. Financial entities shall assess the aggregated annual costs and losses resulting from significant ICT incidents by aggregating the costs and losses of the significant ICT incidents covered by the reference year for which the competent authority has requested the assessment. A financial entity may choose whether the reference year is a completed calendar year or a completed financial year of the financial entity for which it has finalised its financial statements. Once a financial entity has decided whether to submit the assessment on a calendar-year or a financial-year basis, that decision shall be applied to future assessments of aggregated annual costs and losses. A financial entity may change that decision by notifying the competent authority, provided that the competent authority does not object within two months of receipt of the notification. Financial entities are not required to include costs and losses related to incidents that occurred before or after that reference year.

6. Financial entities shall include in the assessment all ICT incidents that, regardless of the reason, are classified as significant in accordance with the Commission Delegated Regulation on the classification of incidents [OJ L, 2024/1772, 25.6.2024] [5] and (a) for which the financial entity has submitted a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 in the relevant reference year, or (b) for which the financial entity submitted a final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554 in a previous reference year but which had a measurable financial impact on the financial entity in the relevant reference year.

7. Financial entities shall assess the aggregated annual costs and losses by applying the following sequential steps: (a) assessing the costs and losses of each significant ICT incident referred to in paragraph 6 individually; these assessments shall determine the gross costs and losses, taking into account the types of costs and losses set out in Article 7(1) and (2) of the Commission Delegated Regulation [OJ L, 2024/1772, 25.6.2024]; (b) for each significant ICT incident, also assessing the financial recoveries, as set out in Annex II to the Commission Implementing Regulation [OJ L, 2025/302, 20.2.2025] [6];

[5] Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (OJ L, 2024/1772, 25.6.2024, ELI: http://data.europa.eu/eli/reg_del/2024/1772/oj).

[6] Commission Implementing Regulation (EU) 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat (OJ L, 2025/302, 20.2.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/302/oj).

(c) financial entities shall aggregate the gross costs and losses and financial recoveries for significant ICT incidents.

8. The basis for the assessments conducted by financial entities shall be the costs, losses and financial recoveries recognised in their financial statements, such as the income statement, or, where applicable, in their supervisory reporting for the relevant reference year. In their assessment, financial entities shall also include the accounting provisions recognised in their financial statements, such as the income statement, for the relevant reference year. Where exact data are not available, financial entities shall base their assessment on other available data and information to the extent possible.

9. Financial entities shall include adjustments to the costs and losses of the assessment submitted for a previous year in the assessment for the reference year in which the adjustments were made.

10. Financial entities shall include in the report on their assessment of aggregated annual costs and losses a breakdown of the gross costs and losses and the financial recoveries for each significant ICT incident included in the aggregation.

11. Financial entities shall use the form in the Annex to submit to the competent authority their assessment of aggregated annual costs and losses for the reference year. For each item included in the assessment of the reference year under paragraphs 6 and 9, financial entities shall use the same incident reference numbers, assigned by the financial entity, as those used in the final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554.

Annex: Reporting form for gross costs and losses and financial recoveries in the reference year

Name of the financial entity: ______
Legal Entity Identifier: ______
Start and end date of the reference year of the financial entity: ______
Currency: ______

Number of incident | Date of submission of the final incident report | Incident reference number | Gross costs and losses due to the incident in the reference year (in thousands of units) | Recoveries from the incident in the reference year (in thousands of units)
1 | | | |
2 | | | |
… | | | |
Total for the reference year | | | |
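The Chapter III procedure (paragraphs 5 to 11) and the Annex form, worked through in Python as an added example that is not part of the Guidelines or of any supervisory tooling. It encodes the paragraph 6 scope test (final report submitted in the reference year, or an earlier final report with a measurable financial impact in the year), sums gross costs and losses and financial recoveries per incident under paragraph 7, and emits the Annex rows keyed by the final-report incident reference number (paragraph 11) with the year total. Two points are assumptions rather than text of the Guidelines: amounts are attributed to a reference year by the date they are booked in the financial statements, so a paragraph 9 adjustment is simply a posting dated in the year it was made, and the "thousands of units" columns are rounded to whole thousands. The incidents, dates and amounts are constructed.

```python
# Added illustration, not part of the Guidelines: assemble the Annex rows for a
# reference year from dated cost/loss and recovery postings per incident.
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Posting:
    booked: date       # date the amount is recognised in the financial statements (para 8)
    gross: Decimal     # gross costs and losses in currency units; negative for a reversal (para 9)
    recovery: Decimal  # financial recovery in currency units


@dataclass
class Incident:
    reference: str      # incident reference number used in the final report (para 11)
    final_report: date  # submission date of the final report under Art. 19(4)(c)
    postings: list      # list[Posting]; later adjustments are dated postings (assumption)


def in_scope(incident: Incident, start: date, end: date) -> bool:
    """Paragraph 6 scope test for the reference year [start, end] (calendar or financial year)."""
    if start <= incident.final_report <= end:
        return True  # 6(a): final report submitted in the reference year
    if incident.final_report < start:
        # 6(b): earlier final report, but a measurable financial impact in the reference year
        return any(start <= p.booked <= end and (p.gross != 0 or p.recovery != 0)
                   for p in incident.postings)
    return False  # final report after the reference year: belongs to a later assessment


def thousands(amount: Decimal) -> Decimal:
    """Express an amount in thousands of units; rounding to whole thousands is an assumption."""
    return (amount / Decimal(1000)).quantize(Decimal("1"), rounding=ROUND_HALF_UP)


def annex_rows(incidents, start: date, end: date):
    """Steps 7(a)-(c): per-incident gross costs/losses and recoveries for the year, then the total."""
    rows, total_gross, total_recovery = [], Decimal(0), Decimal(0)
    for inc in sorted(incidents, key=lambda i: i.final_report):
        if not in_scope(inc, start, end):
            continue
        in_year = [p for p in inc.postings if start <= p.booked <= end]
        gross = sum((p.gross for p in in_year), Decimal(0))
        recovery = sum((p.recovery for p in in_year), Decimal(0))
        total_gross += gross
        total_recovery += recovery
        rows.append({
            "number": len(rows) + 1,
            "final_report": inc.final_report.isoformat(),
            "reference": inc.reference,
            "gross_k": thousands(gross),
            "recovery_k": thousands(recovery),
        })
    totals = {"gross_k": thousands(total_gross), "recovery_k": thousands(total_recovery)}
    return rows, totals


# Constructed sample data; the reference year is calendar year 2024.
REF_YEAR_2024 = (date(2024, 1, 1), date(2024, 12, 31))
SAMPLE = [
    Incident("INC-2024-001", date(2024, 3, 10), [
        Posting(date(2024, 2, 1), Decimal("120000"), Decimal(0)),
        Posting(date(2024, 4, 15), Decimal("35500"), Decimal(0)),
        Posting(date(2024, 9, 1), Decimal(0), Decimal("50000")),          # insurance payout
    ]),
    Incident("INC-2023-007", date(2023, 11, 20), [                         # final report in 2023
        Posting(date(2023, 12, 5), Decimal("40000"), Decimal(0)),          # counted in the 2023 assessment
        Posting(date(2024, 5, 30), Decimal("-5000"), Decimal("80000")),    # 2024 provision release and recovery
    ]),
    Incident("INC-2023-002", date(2023, 6, 1), [
        Posting(date(2023, 7, 1), Decimal("10000"), Decimal(0)),           # no 2024 impact: out of scope
    ]),
    Incident("INC-2025-003", date(2025, 2, 1), [
        Posting(date(2024, 12, 20), Decimal("9000"), Decimal(0)),          # final report after the year
    ]),
]

if __name__ == "__main__":
    rows, totals = annex_rows(SAMPLE, *REF_YEAR_2024)
    for row in rows:
        print(row)
    print("Total for the reference year:", totals)
```

Running the block lists two rows for 2024 (INC-2023-007 via paragraph 6(b), INC-2024-001 via 6(a)) and a total of 151 thousand gross against 130 thousand recovered; INC-2023-002 drops out because nothing was booked in 2024, and INC-2025-003 is left for the 2025 assessment because its final report was submitted after the reference year (paragraph 5). Keeping the reference numbers identical to those in the Article 19(4)(c) final reports is what lets a competent authority reconcile the Annex against the incident reports it already holds.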
