1. Financial entities shall classify ICT-related incidents and shall determine their impact based on the following criteria:
(a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, and whether the ICT-related incident has caused reputational impact;
(b) the duration of the ICT-related incident, including the service downtime;
(c) the geographical spread with regard to the areas affected by the ICT-related incident, particularly if it affects more than two Member States;
(d) the data losses that the ICT-related incident entails, in relation to availability, authenticity, integrity or confidentiality of data;
(e) the criticality of the services affected, including the financial entity's transactions and operations;
(f) the economic impact, in particular direct and indirect costs and losses, of the ICT-related incident in both absolute and relative terms.
2. Financial
…