In order to determine the economic impact of an ICT-related incident, in accordance with Article 18(1)(f) of Regulation (EU) 2022/2554 in conjunction with Article 7(1)(c) Delegated Regulation (EU) 2024/1772 „staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills” shall be taken into account. According to Article 4(e) Delegated Regulation (EU) 2025/301, these costs are to be reported as part of the final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554.

There is no further specification, particularly with regard to imputed staff costs that do not lead directly to a monetary outflow. Article 7(2) of Delegated Regulation (EU) 2024/1772 does not provide any information on this either, according to which only „costs that are necessary for the day-to-day operation of the business” are excluded from the above-mentioned regulation.

The question submitted is intended to ensure legal certainty in the interpretation of the aforementioned Delegated Regulation as well as the consistency and comparability of reports of major ICT-related incidents.

In particular, it is not clear whether the staff costs to be taken into account in accordance with Article 7(1) of the Delegated Regulation also include imputed staff costs. These can arise, for example, if employees are unable to perform their line tasks due to the priority processing of an ICT-related incident or postpone them to a later date, or if they build up overtime to process an ICT-related incident, which is then reduced by way of compensatory time off. Besides these rather indirect costs the term imputed staff costs also cover (direct) costs for personnel hired and responsible for processing of ICT-related incidents.

Additionally, with regard to Article 7(2) of Delegated Regulation (EU) 2024/1772, we do not find clear whether staff costs for resources which have already been earmarked and planned for incident handling fall within the day-to-day operation of the business and are hence excluded. In particular, it is unclear what is the distinction between the costs “for keeping skills of staff up to date” and those for “the recovery of lost or impaired skills”.