Article 3 – Significant incidents

- An incident shall be considered to be significant for the purposes of Article 23(3) of Directive (EU) 2022/2555 with regard to the relevant entities where one or more of the following criteria are fulfilled:
  - the incident has caused or is capable of causing direct financial loss for the relevant entity that exceeds EUR 500 000 or 5 % of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;
  - the incident has caused or is capable of causing the exfiltration of trade secrets as set out in Article 2, point (1), of Directive (EU) 2016/943 of the relevant entity;
  - the incident has caused or is capable of causing the death of a natural person;
  - the incident has caused or is capable of causing considerable damage to a natural person’s health;
  - a successful, suspectedly malicious and unauthorised access to network and information systems occurred, which is capable of causing severe operational disruption;
  - the incident meets the criteria set out in Article 4;
  - the incident meets one or more of the criteria set out in Articles 5 to 14.
- Scheduled interruptions of service and planned consequences of scheduled maintenance operations carried out by or on behalf of the relevant entities shall not be considered to be significant incidents.
- When calculating the number of users impacted by an incident for the purpose of Articles 7 and 9 to 14, the relevant entities shall consider all of the following:
  - the number of customers that have a contract with the relevant entity which grants them access to the relevant entity’s network and information systems or services offered by, or accessible via, those network and information systems;
  - the number of natural and legal persons associated with business customers that use the entities’ network and information systems or services offered by, or accessible via, those network and information systems.