Article 2
The factors determining whether a cyber-attack has a significant effect as referred to in Article 1(1) include any of the following:
(a)
the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety;
(b)
the number of natural or legal persons, entities or bodies affected;
(c)
the number of Member States concerned;
(d)
the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
(e)
the economic benefit gained by the perpetrator, for himself or for others;
(f)
the amount or nature of data stolen or the scale of data breaches; or
(g)
the nature of commercially sensitive data accessed.