Commission Delegated Regulation that supports DORA regulation
Full Text of CDR 2024-1772
Criteria for the classification of ICT-related incidents and cyber threats
Article 7 – Economic impact
- For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident:
- expropriated funds or financial assets for which they are liable, including assets lost to theft;
- costs for replacement or relocation of software, hardware or infrastructure;
- staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills;
- fees due to non-compliance with contractual obligations;
- costs for redress and compensation to customers;
- losses due to forgone revenues;
- costs associated with internal and external communication;
- advisory costs, including costs associated with legal counselling, forensic services and remediation services.
- Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following:
- costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date;
- internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives;
- insurance premiums.
- Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts.
- When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1.