The response time with the maximum expected concurrence
must be no more than 5 seconds.
Response time is a relevant measure of a system’s availability and
adaptability to stress.
It is also important when it comes to usability and reliance.
For these reasons the response time must not surpass 5 seconds when the
number of concurrent users reaches its peak.
CWE-400: Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a
limited resource thereby enabling an actor to influence the amount of resources
eventually leading to the exhaustion of available resources.
GDPR. Art. 32: Security of processing.(1)(c).
The controller and the processor shall implement appropriate technical and
organizational measures to ensure an appropriate level of security,
including the the ability to restore the availability and access to personal
data in a timely manner in the event of a physical or technical incident.