2025_7439 Staff costs | European Banking Authority

Question ID: 2025_7439
Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
Topic: ICT-related incidents (management / classification / reporting)
Article: 18(4)
Subparagraph: Subparagraph (c)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2024/1772 - RTS on the classification of ICT-related incidents and cyber threats
Article/Paragraph: 7
Type of submitter: Competent authority
Subject matter: Staff costs
Question: Do imputed staff costs count as part of staff costs in accordance with Article 18(1)(f) of Regulation (EU) 2022/2554 in conjunction with Article 7(1)(c) Delegated Regulation (EU) 2024/1772 and Article 4(e) Delegated Regulation (EU) 2025/301 and must, therefore, be reported as part of gross direct and indirect costs and losses of an incident?
Background on the question: In order to determine the economic impact of an ICT-related incident, in accordance with Article 18(1)(f) of Regulation (EU) 2022/2554 in conjunction with Article 7(1)(c) Delegated Regulation (EU) 2024/1772 „staff costs, including costs associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills” shall be taken into account. According to Article 4(e) Delegated Regulation (EU) 2025/301, these costs are to be reported as part of the final report in accordance with Article 19(4)(c) of Regulation (EU) 2022/2554.

There is no further specification, particularly with regard to imputed staff costs that do not lead directly to a monetary outflow. Article 7(2) of Delegated Regulation (EU) 2024/1772 does not provide any information on this either, according to which only „costs that are necessary for the day-to-day operation of the business” are excluded from the above-mentioned regulation.

The question submitted is intended to ensure legal certainty in the interpretation of the aforementioned Delegated Regulation as well as the consistency and comparability of reports of major ICT-related incidents.

In particular, it is not clear whether the staff costs to be taken into account in accordance with Article 7(1) of the Delegated Regulation also include imputed staff costs. These can arise, for example, if employees are unable to perform their line tasks due to the priority processing of an ICT-related incident or postpone them to a later date, or if they build up overtime to process an ICT-related incident, which is then reduced by way of compensatory time off. Besides these rather indirect costs the term imputed staff costs also cover (direct) costs for personnel hired and responsible for processing of ICT-related incidents.

Additionally, with regard to Article 7(2) of Delegated Regulation (EU) 2024/1772, we do not find clear whether staff costs for resources which have already been earmarked and planned for incident handling fall within the day-to-day operation of the business and are hence excluded. In particular, it is unclear what is the distinction between the costs “for keeping skills of staff up to date” and those for “the recovery of lost or impaired skills”.
Submission date: 12/05/2025
Final publishing date: 14/11/2025
Final answer: Article 7 of Delegated Regulation (EU) 2024/1772 specifying the criteria for the classification of ICT-related incidents outlines the types of direct and indirect costs and losses that entities must take into account to determine the economic impact due to a ICT-related incident.
Article 7(1) (c) of the Delegated Regulation (EU) 2024/1772 specifies that the economic impact of an ICT-incident includes staff costs. The provision also specifies that staff costs include costs “associated with replacement or relocation of staff, recruitment of extra staff, remuneration of overtime and recovery of lost or impaired skills”. Where the overtime is not remunerated but compensated through working time arrangements, the incident-related overtime should still count towards the staff costs, if those costs can clearly be attributed to the incident. Similarly, working time that is clearly allocated to the handling of the incident, should count towards staff costs. This consideration also applies where the resources have been earmarked or planned for incident handling in general. This ensures a consistent assessment of costs irrespective of internal processes and resource planning and allocation of financial entities.
Staff training activities aimed to prevent or minimize the consequence of potential incidents fall under the exclusion of the costs in accordance with Article 7(2) of the Delegated Regulation (EU) 2024/1772 for keeping skills of staff up to date, as a cost necessary for the day-to-day operation of the business. Instead, costs for recovery of skills lost or impaired, are those which occur as a consequence of an incident in accordance with Article 7(1) of the Delegation Regulation (EU) 2024/1772, for example addressing retraining of staff that had to be reallocated.
It is to be noted that the Delegation Regulation (EU) 2024/1772 does not prescribe a specific calculation methodology for these costs. This omission reflects the inherent complexity and the variability of cost structures across different financial entities and activities.
Status: Final Q&A
Answer prepared by: Answer prepared by the Joint ESAs Q&A

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre

Disclaimer