# Art. 18 — Classification of incidents

1. Financial entities shall classify [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) and shall determine their impact based on the following criteria:
   1. the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), and whether the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) has caused reputational impact;
   2. the duration of the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), including the service downtime;
   3. the geographical spread with regard to the areas affected by the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), particularly if it affects more than two Member States;
   4. the data losses that the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) entails, in relation to availability, authenticity, integrity or confidentiality of data;
   5. the criticality of the services affected, including the financial entity's transactions and operations;
   6. the economic impact, in particular direct and indirect costs and losses, of the [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) in both absolute and relative terms.
2. Financial entities shall classify [cyber threats](https://www.mica.wtf/definitions/definitions/dora/cyber-threat) as significant based on the criticality of the services at risk, including the financial entity's transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
3. The ESAs shall, through the [Joint Committee](https://www.mica.wtf/definitions/definitions/dora/joint-committee) and in consultation with the ECB and ENISA, develop common draft regulatory technical standards further specifying the following:
   1. the criteria set out in paragraph 1, including materiality thresholds for determining [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) or, as applicable, [major operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-operational-or-security-payment-related-incident), that are subject to the reporting obligation laid down in [Article 19(1)](/dora/digital-operational-resilience-act/chapter-iii-ict-related-incident-classification-reporting/article-19-reporting-of-major-incidents.md);
   2. the criteria to be applied by competent authorities for the purpose of assessing the relevance of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) or, as applicable, [major operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-operational-or-security-payment-related-incident), to relevant competent authorities in other Member States, and the details of reports of [major ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-ict-related-incident) or, as applicable, [major operational or security payment-related incidents](https://www.mica.wtf/definitions/definitions/dora/major-operational-or-security-payment-related-incident), to be shared with other competent authorities pursuant to [Article 19(6)](/dora/digital-operational-resilience-act/chapter-iii-ict-related-incident-classification-reporting/article-19-reporting-of-major-incidents.md) and (7);
   3. the criteria set out in paragraph 2 of this Article, including high materiality thresholds for determining [significant cyber threats](https://www.mica.wtf/definitions/definitions/dora/significant-cyber-threat).
4. When developing the common draft regulatory technical standards referred to in paragraph 3 of this Article, the ESAs shall take into account the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors. For the purposes of applying the criteria set out in [Article 4(2)](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md), the ESAs shall duly consider the need for [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise) and small and [medium-sized enterprises](https://www.mica.wtf/definitions/definitions/dora/medium-sized-enterprise) to mobilise sufficient resources and capabilities to ensure that [ICT-related incidents](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident) are managed swiftly.

   The ESAs shall submit those common draft regulatory technical standards to the Commission by 17 January 2024.

   Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in paragraph 3 in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

