Source: OJ L, 2024/1772, 25.6.2024


Article 7 Economic impact


Summary: What does Article 7 of the RTS on incident classification say?

This article defines how financial entities must calculate the economic impact of an ICT-related incident, one of the classification criteria set out in Article 18(1), point (f), of DORA (Regulation (EU) 2022/2554).

It draws a clear boundary between what counts as incident-related costs and what does not, ensuring that only genuine losses stemming from the incident are factored into the assessment.

Notably, the calculation is made without accounting for any financial recoveries: it is the gross impact of the incident that counts, not the net loss after recoveries.

Important points:

  • Calculate economic impact by summing all direct and indirect costs and losses from the incident — covering everything from stolen assets and staff costs to advisory fees and forgone revenues.
  • Exclude routine business costs such as general maintenance, post-incident upgrades, and insurance premiums from the calculation.
  • Where actual costs cannot be determined, estimate the amounts based on data available at the time of reporting.

Springlex's summary of the article is a reading aid, not a substitute for the legal text.

    1. For the purpose of determining the economic impact of the incident as referred to in Article 18(1), point (f), of Regulation (EU) 2022/2554, financial entities shall, without accounting for financial recoveries, take into account the following types of direct and indirect costs and losses which they have incurred as a result of the incident:

      (a) expropriated funds or financial assets for which they are liable, including assets lost to theft;

      (b) costs for replacement or relocation of software, hardware or infrastructure;

      (c) staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills;

      (d) fees due to non-compliance with contractual obligations;

      (e) costs for redress and compensation to customers;

      (f) losses due to forgone revenues;

      (g) costs associated with internal and external communication;

      (h) advisory costs, including costs associated with legal counselling, forensic services and remediation services.

    2. Costs and losses referred to in paragraph 1 shall not include costs that are necessary for the day-to-day operation of the business, in particular the following:

      (a) costs for general maintenance of infrastructure, equipment, hardware and software, and costs for keeping skills of staff up to date;

      (b) internal or external costs to enhance the business after the incident, including upgrades, improvements and risk assessment initiatives;

      (c) insurance premiums.

    3. Financial entities shall calculate the amounts of costs and losses based on data available at the time of reporting. Where the actual amounts of costs and losses cannot be determined, financial entities shall estimate those amounts.

    4. When assessing the economic impact of the incident, financial entities shall sum up the costs and losses referred to in paragraph 1.


Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.
