Contents
- Mechanisms to promptly detect anomalous activities
- Purpose and Scope
- Mandatory Functional Requirements under Article 10(1)–(4) DORA
- Detailed Requirements for Anomaly Detection Mechanisms (Article 23 RTS RMF)
- Roles and Responsibilities (Article 23(1))
- Collection, Monitoring, and Analysis of Relevant Information (Article 23(2)(a))
- Identification and Alerting of Anomalous Behaviour (Article 23(2)(b))
- Prioritisation of Alerts (Article 23(2)(c))
- Recording, Analysis, and Evaluation of Anomalies (Article 23(2)(d))
- Protection of Anomaly Records (Article 23(3))
- Logging of Anomaly Information (Article 23(4))
- Criteria for Triggering ICT-Related Incident Response (Article 23(5)–(6))
- Article 10 DORA
- Article 23 RTS RMF
Mechanisms to promptly detect anomalous activities
Purpose and Scope
Financial entities must establish mechanisms capable of promptly detecting anomalous activities, including:
- ICT network performance issues,
- ICT-related incidents,
- cyber-attacks, and
- potential material single points of failure.
These mechanisms form a core component of the detection capabilities under the ICT risk management framework (Article 6(1) DORA) and must be designed to support timely initiation of ICT-related incident response processes.
The detection mechanisms must operate across all information assets and ICT assets, with enhanced coverage for those supporting critical or important functions.
Mandatory Functional Requirements under Article 10(1)–(4) DORA
Ability to Promptly Detect Anomalous Activities
Detection mechanisms must promptly identify:
- anomalous user behaviour,
- deviations in ICT system performance,
- signs of compromise or malicious activity,
- network degradation and performance failures,
- anomalies that may indicate ICT-related incidents.
These mechanisms must operate continuously and produce timely alerts.
Identification of Potential Single Points of Failure
The mechanisms must detect patterns or conditions that indicate:
- dependencies that may create a single point of failure,
- potential concentration risks in ICT assets, networks, or services.
This requirement supports proactive resilience management.
Regular Testing of All Detection Mechanisms
All detection mechanisms must be regularly tested in accordance with Article 25 DORA to validate:
- effectiveness,
- coverage,
- accuracy,
- reliability, and
- timely alerting.
Testing must reflect the entity’s actual ICT architecture and risk profile.
Multi-Layered Control Structure and Alert Thresholds
Detection mechanisms must:
- enable multiple layers of control,
- define alert thresholds,
- establish criteria to trigger ICT-related incident response processes,
- include automatic alert mechanisms directing notifications to relevant staff responsible for incident response.
These criteria ensure timely escalation and structured response activation.
Monitoring Resources and Capabilities
Financial entities must allocate sufficient:
- human resources,
- technological tools,
- operational processes, and
- analytical capabilities
to continuously monitor:
- user activity,
- ICT anomalies,
- ICT-related incidents, and
- cyber-attacks.
This includes adequate staffing during and outside working hours.
Additional Requirement for Data Reporting Service Providers
Where applicable, data reporting service providers must operate:
- systems checking trade reports for completeness,
- systems identifying omissions and errors,
- mechanisms requesting re-transmission.
Detailed Requirements for Anomaly Detection Mechanisms (Article 23 RTS RMF)
Roles and Responsibilities (Article 23(1))
Clear, documented roles and responsibilities must be established for:
- detecting anomalous activities,
- analysing anomalies,
- responding to ICT-related incidents,
- escalating alerts,
- initiating response and recovery processes.
Collection, Monitoring, and Analysis of Relevant Information (Article 23(2)(a))
Mechanisms must enable the collection, monitoring, and analysis of:
- Internal and external factors, including:
  - logs (Article 12 RTS RMF),
  - data from business and ICT functions,
  - end-user problem reports.
- Potential cyber threats, both internal and external, taking into account:
  - threat intelligence activity,
  - known threat actor techniques,
  - attack scenarios.
- Notifications from ICT third-party service providers regarding anomalies or incidents in their own ICT systems that may impact the financial entity.
Identification and Alerting of Anomalous Behaviour (Article 23(2)(b))
Mechanisms must:
- identify anomalous activities and behaviours,
- implement tools generating automated alerts,
- apply to all ICT assets and information assets supporting critical or important functions.
Tools must use predefined rules to detect anomalies affecting:
- completeness of log data,
- integrity of data sources,
- deviations from expected norms.
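The three rule families just listed (completeness of log data, integrity of data sources, deviation from expected norms), shown as an added Python example that is not part of the source page or of any regulator's guidance. Everything in it is constructed for illustration: the log sources, the `seq` numbering and per-source `chain` hash that each source is assumed to emit, and the "more than 3 failed logins per user" baseline. An operational deployment would read records from its log pipeline and derive baselines from observed history.

```python
"""Added example (not from the source page): a rule-based anomaly detector over
constructed log records, covering the three rule families named in Article
23(2)(b) RTS RMF: completeness of log data, integrity of data sources and
deviation from expected norms.

Assumptions (all constructed for this example): each log source numbers its
records with a `seq` field and carries a `chain` hash linking each record to
the previous one from the same source; more than 3 failed logins per user is
treated as a deviation from the norm."""

import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

FAILED_LOGIN_BASELINE = 3  # constructed threshold; derive from history in practice


@dataclass(frozen=True)
class Alert:
    rule: str    # predefined rule that fired
    source: str  # log source the alert concerns
    detail: str


def chain_hash(prev_chain: str, record: dict) -> str:
    """Hash of the previous chain value plus the record (minus its own chain field)."""
    body = json.dumps({k: v for k, v in record.items() if k != "chain"}, sort_keys=True)
    return hashlib.sha256((prev_chain + body).encode()).hexdigest()


def build_records(with_faults: bool = True) -> List[dict]:
    """Constructed sample records with a valid per-source hash chain. With
    with_faults=True two faults are injected after chaining: core seq 2 is
    dropped (completeness) and a pay record is altered (integrity)."""
    raw = [
        ("auth", {"event": "login_failed", "user": "alice"}),
        ("auth", {"event": "login_failed", "user": "alice"}),
        ("core", {"event": "txn", "amount": 10}),
        ("auth", {"event": "login_ok", "user": "bob"}),
        ("core", {"event": "txn", "amount": 11}),
        ("pay", {"event": "transfer", "amount": 500}),
        ("core", {"event": "txn", "amount": 12}),
        ("auth", {"event": "login_failed", "user": "alice"}),
        ("auth", {"event": "login_failed", "user": "alice"}),
        ("pay", {"event": "transfer", "amount": 700}),
    ]
    seq: Counter = Counter()
    prev: Dict[str, str] = {}
    records: List[dict] = []
    for source, payload in raw:
        seq[source] += 1
        rec = {"source": source, "seq": seq[source], **payload}
        rec["chain"] = chain_hash(prev.get(source, ""), rec)
        prev[source] = rec["chain"]
        records.append(rec)
    if with_faults:
        records = [r for r in records if not (r["source"] == "core" and r["seq"] == 2)]
        for r in records:
            if r["source"] == "pay" and r["seq"] == 2:
                r["amount"] = 7000  # modified after the chain value was computed
    return records


def detect(records: List[dict]) -> List[Alert]:
    """Run the three predefined rules and return the alerts they raise."""
    alerts: List[Alert] = []
    by_source: Dict[str, List[dict]] = {}
    for r in records:
        by_source.setdefault(r["source"], []).append(r)

    for source, recs in by_source.items():
        prev_chain, prev_seq = "", 0
        for r in sorted(recs, key=lambda x: x["seq"]):
            if r["seq"] != prev_seq + 1:
                # Rule 1: completeness - a gap in sequence numbers means records never arrived
                alerts.append(Alert("log_completeness", source,
                                    f"seq {prev_seq + 1}..{r['seq'] - 1} missing"))
            elif chain_hash(prev_chain, r) != r["chain"]:
                # Rule 2: integrity - record content no longer matches its chain value
                alerts.append(Alert("source_integrity", source,
                                    f"chain mismatch at seq {r['seq']}"))
            prev_chain, prev_seq = r["chain"], r["seq"]

    # Rule 3: deviation from expected norms - failed logins per user above baseline
    failures = Counter(r["user"] for r in records if r.get("event") == "login_failed")
    for user, n in failures.items():
        if n > FAILED_LOGIN_BASELINE:
            alerts.append(Alert("deviation_from_norm", "auth",
                                f"{n} failed logins for {user} (baseline {FAILED_LOGIN_BASELINE})"))
    return alerts


if __name__ == "__main__":
    for a in detect(build_records()):
        print(f"[{a.rule}] {a.source}: {a.detail}")
```

Run as-is it raises three alerts: a completeness gap on `core`, an integrity mismatch on `pay`, and a deviation for the user with four failed logins. After a gap the verifier re-anchors the chain on the first record it does see, so a missing record is reported once as a completeness problem rather than cascading into spurious integrity alerts.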
Prioritisation of Alerts (Article 23(2)(c))
The mechanisms must:
- prioritise alerts to ensure processing within defined resolution times,
- operate effectively during and outside business hours,
- consider operational impact and risk severity.
Recording, Analysis, and Evaluation of Anomalies (Article 23(2)(d))
Mechanisms must:
- record all relevant information regarding detected anomalies,
- enable automated or manual analysis,
- support evaluation to identify context and root causes.
Protection of Anomaly Records (Article 23(3))
Any recording of anomalous activities must be protected against:
- tampering,
- deletion,
- unauthorised access,
across:
- data at rest,
- data in transit,
- data in use (where relevant).
Logging of Anomaly Information (Article 23(4))
Records must include at least:
- the date and time of occurrence,
- the date and time of detection,
- the type of anomalous activity.
These logs support forensics, compliance, and auditability.
Criteria for Triggering ICT-Related Incident Response (Article 23(5)–(6))
Mechanisms must escalate and trigger ICT-related incident detection and response processes when any of the following criteria are met:
Indications of Malicious Activity or Potential Compromise
Any indications of:
- malicious activity in ICT systems or networks,
- potential compromise of ICT systems or networks.
Detected Data Losses
Data losses affecting:
- availability,
- authenticity,
- integrity, or
- confidentiality.
Adverse Impact on Transactions or Operations
Any anomaly resulting in adverse impact on:
- business processes,
- customer operations,
- financial transactions.
Any unavailability that may impair:
- critical or important functions,
- operational resilience.
Detection mechanisms must always consider the criticality of affected services, ensuring that higher criticality triggers faster escalation.
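The recording, protection and escalation requirements above (Articles 23(2)(c), 23(2)(d), 23(3), 23(4) and 23(5)-(6)) worked through as one added Python example, not code from the source page or from any regulator. The anomaly type vocabulary, criticality tiers, resolution deadlines, sample records and the HMAC key are all constructed for the example; an operational store would also be append-only at the storage layer and keep its key in a secrets manager or HSM.

```python
"""Added example (not from the source page): record detected anomalies with the
minimum fields of Article 23(4) RTS RMF (time of occurrence, time of detection,
type), seal the records against tampering and deletion (Article 23(3)), and
apply the Article 23(5)-(6) escalation criteria with criticality-driven
resolution deadlines (Article 23(2)(c)). All values below are constructed."""

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

RECORD_KEY = b"example-only-anomaly-record-key"  # constructed; use a secrets manager/HSM

# Article 23(5) criteria that trigger incident response regardless of the
# function's criticality. The strings are this example's own vocabulary.
ALWAYS_ESCALATE = {
    "malicious_activity", "potential_compromise", "adverse_impact_operations",
    "data_loss_availability", "data_loss_authenticity",
    "data_loss_integrity", "data_loss_confidentiality",
}

# Constructed resolution deadlines: higher criticality, faster escalation.
RESOLUTION_DEADLINE: Dict[str, timedelta] = {
    "critical": timedelta(minutes=15),
    "important": timedelta(hours=1),
    "standard": timedelta(hours=8),
}


@dataclass
class AnomalyRecord:
    occurred_at: str       # date/time of occurrence (ISO 8601, UTC)
    detected_at: str       # date/time of detection
    anomaly_type: str      # type of anomalous activity
    affected_function: str
    criticality: str       # "critical" | "important" | "standard"
    detail: str = ""


class ProtectedAnomalyLog:
    """Append-only store; each entry's HMAC also covers the previous entry's
    tag, so modification, deletion and reordering are all detectable."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[dict] = []

    def _tag(self, prev_tag: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

    def append(self, rec: AnomalyRecord) -> None:
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        record = asdict(rec)
        self.entries.append({"record": record, "tag": self._tag(prev_tag, record)})

    def verify(self) -> bool:
        prev_tag = ""
        for entry in self.entries:
            if not hmac.compare_digest(self._tag(prev_tag, entry["record"]), entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True


def triage(rec: AnomalyRecord) -> dict:
    """Apply the escalation criteria and attach a criticality-based deadline."""
    if rec.anomaly_type == "unavailability":
        # unavailability escalates only where it may impair a critical or important function
        escalate = rec.criticality in ("critical", "important")
    else:
        escalate = rec.anomaly_type in ALWAYS_ESCALATE
    resolve_by = datetime.fromisoformat(rec.detected_at) + RESOLUTION_DEADLINE[rec.criticality]
    return {"anomaly_type": rec.anomaly_type, "affected_function": rec.affected_function,
            "trigger_incident_response": escalate, "resolve_by": resolve_by.isoformat()}


def build_sample_records() -> List[AnomalyRecord]:
    """Constructed sample anomalies, all detected at the same instant."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    detected = t0.isoformat()
    return [
        AnomalyRecord((t0 - timedelta(minutes=12)).isoformat(), detected, "potential_compromise",
                      "payments-gateway", "critical", "unexpected outbound connection from payment node"),
        AnomalyRecord((t0 - timedelta(minutes=3)).isoformat(), detected, "unavailability",
                      "reporting-batch", "standard", "nightly report job not responding"),
        AnomalyRecord((t0 - timedelta(minutes=30)).isoformat(), detected, "unavailability",
                      "customer-portal", "important", "portal errors on 5% of requests"),
    ]


def run_example() -> Tuple[ProtectedAnomalyLog, List[dict]]:
    log = ProtectedAnomalyLog(RECORD_KEY)
    decisions = []
    for rec in build_sample_records():
        log.append(rec)              # record first (Article 23(2)(d), 23(4)), then decide
        decisions.append(triage(rec))
    return log, decisions


def tamper_is_detected() -> bool:
    """Alter a stored record after the fact and confirm verification fails."""
    log, _ = run_example()
    if not log.verify():
        raise RuntimeError("fresh log must verify")
    log.entries[0]["record"]["anomaly_type"] = "benign"
    return not log.verify()
```

With the constructed records, the compromise indication on the critical payments function and the unavailability of the important portal both trigger incident response, with 15-minute and 1-hour deadlines respectively, while the standard-tier batch job's unavailability is recorded but not escalated. Rewriting any stored entry makes `verify()` return False, which is the property Article 23(3) asks the records to have.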