2. The mechanism to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, as referred to in Article 10(1) of Regulation (EU) 2022/2554, shall enable financial entities to:

• (a) collect, monitor, and analyse all of the following:
  • (i) internal and external factors, including at least the logs collected in accordance with Article 12 of this Regulation, information from business and ICT functions, and any problem reported by users of the financial entity;
  • (ii) potential internal and external cyber threats, considering scenarios commonly used by threat actors and scenarios based on threat intelligence activity;
  • (iii) ICT-related incident notification from an ICT third-party service provider of the financial entity detected in the ICT systems and networks of the ICT third-party service provider and that may affect the financial entity;
• (b) identify anomalous activities and behaviour, and implement tools generating alerts for anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions;
  • For the purposes of point (b), the tools referred to in that point shall contain the tools that provide automated alerts based on pre-defined rules to identify anomalies affecting the completeness and integrity of the data sources or log collection.
• (c) prioritise the alerts referred to in point (b) to allow for the management of the detected ICT-related incidents within the expected resolution time, as specified by financial entities, both during and outside working hours;
• (d) record, analyse, and evaluate any relevant information on all anomalous activities and behaviours automatically or manually.

4. Financial entities shall log all relevant information for each detected anomalous activity enabling:

• (a) the identification of the date and time of occurrence of the anomalous activity;
• (b) the identification of the date and time of detection of the anomalous activity;

5. Financial entities shall consider all of the following criteria to trigger the ICT-related incident detection and response processes referred to in Article 10(2) of Regulation (EU) 2022/2554:

• (a) indications that malicious activity may have been carried out in an ICT system or network, or that such ICT system or network may have been compromised;
• (b) data losses detected in relation to the availability, authenticity, integrity, and confidentiality of data;
• (c) adverse impact detected on financial entity’s transactions and operations;
• (d) ICT systems’ and network unavailability.