(a) obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs); (b) cybersecurity risk-management measures and reporting obligations for entities of a type referred to in Annex I or II as well as for entities identified as critical entities under Directive (EU) 2022/2557; (c) rules and obligations on cybersecurity information sharing; (d) supervisory and enforcement obligations on Member States.
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)
Corrected by
- Corrigendum to Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), 32022L2555R(04), December 22, 2023
(a) services are provided by: (i) providers of public electronic communications networks or of publicly available electronic communications services; (ii) trust service providers; (iii) top-level domain name registries and domain name system service providers;
(b) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities; (c) disruption of the service provided by the entity could have a significant impact on public safety, public security or public health; (d) disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact; (e) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State; (f) the entity is a public administration entity: (i) of central government as defined by a Member State in accordance with national law; or (ii) at regional level as defined by a Member State in accordance with national law that, following a risk-based assessment, provides services the disruption of which could have a significant impact on critical societal or economic activities.
(a) public administration entities at local level; (b) education institutions, in particular where they carry out critical research activities.
(a) entities of a type referred to in Annex I which exceed the ceilings for medium-sized enterprises provided for in Article 2(1) of the Annex to Recommendation 2003/361/EC; (b) qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless of their size; (c) providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC; (d) public administration entities referred to in Article 2(2), point (f)(i); (e) any other entities of a type referred to in Annex I or II that are identified by a Member State as essential entities pursuant to Article 2(2), points (b) to (e); (f) entities identified as critical entities under Directive (EU) 2022/2557, referred to in Article 2(3) of this Directive; (g) if the Member State so provides, entities which that Member State identified before 16 January 2023 as operators of essential services in accordance with Directive (EU) 2016/1148 or national law.
(a) the name of the entity; (b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers; (c) where applicable, the relevant sector and subsector referred to in Annex I or II; and (d) where applicable, a list of the Member States where they provide services falling within the scope of this Directive.
(a) the Commission and the Cooperation Group of the number of essential and important entities listed pursuant to paragraph 3 for each sector and subsector referred to in Annex I or II; and (b) the Commission of relevant information about the number of essential and important entities identified pursuant to Article 2(2), points (b) to (e), the sector and subsector referred to in Annex I or II to which they belong, the type of service that they provide, and the provision, from among those laid down in Article 2(2), points (b) to (e), pursuant to which they were identified.
(a) cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2); or (b) the sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive.
(1) "network and information system" means: (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
(2) "security of network and information systems" means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; (3) "cybersecurity" means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; (4) "national cybersecurity strategy " means a coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State; (5) "near miss" means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise; (6) "incident" means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; (7) "large-scale cybersecurity incident" means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; (8) "incident handling" means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident; (9) "risk" means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; (10) "cyber threat" means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; (11) "significant cyber threat" means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; (12) "ICT product" means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; (13) "ICT service" means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; (14) "ICT process" means an ICT process as defined in Article 2, point (14), of Regulation (EU) 2019/881; (15) "vulnerability" means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; (16) "standard" means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12 ).(17) "technical specification" means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; (18) "internet exchange point" means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic; (19) "domain name system" or "DNS" means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources; (20) "DNS service provider" means an entity that provides: (a) publicly available recursive domain name resolution services for internet end-users; or (b) authoritative domain name resolution services for third-party use, with the exception of root name servers;
(21) "top-level domain name registry" or "TLD name registry" means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use; (22) "entity providing domain name registration services" means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; (23) "digital service" means a service as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1 ).(24) "trust service" means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014; (25) "trust service provider" means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; (26) "qualified trust service" means a qualified trust service as defined in Article 3, point (17), of Regulation (EU) No 910/2014; (27) "qualified trust service provider" means a qualified trust service provider as defined in Article 3, point (20), of Regulation (EU) No 910/2014; (28) "online marketplace" means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council ("Unfair Commercial Practices Directive") (OJ L 149, 11.6.2005, p. 22 ).(29) "online search engine" means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57 ).(30) "cloud computing service" means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; (31) "data centre service" means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; (32) "content delivery network" means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; (33) "social networking services platform" means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations; (34) "representative" means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; (35) "public administration entity" means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: (a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; (b) it has legal personality or is entitled by law to act on behalf of another entity with legal personality; (c) it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; (d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital;
(36) "public electronic communications network" means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; (37) "electronic communications service" means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; (38) "entity" means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; (39) "managed service provider" means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely; (40) "managed security service provider" means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; (41) "research organisation" means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions.
(a) objectives and priorities of the Member State’s cybersecurity strategy covering in particular the sectors referred to in Annexes I and II; (b) a governance framework to achieve the objectives and priorities referred to in point (a) of this paragraph, including the policies referred to in paragraph 2; (c) a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under this Directive, as well as coordination and cooperation between those bodies and competent authorities under sector-specific Union legal acts; (d) a mechanism to identify relevant assets and an assessment of the risks in that Member State; (e) an identification of the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors; (f) a list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy; (g) a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the exercise of supervisory tasks, as appropriate; (h) a plan, including necessary measures, to enhance the general level of cybersecurity awareness among citizens.
(a) addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services; (b) on the inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products; (c) managing vulnerabilities, encompassing the promotion and facilitation of coordinated vulnerability disclosure under Article 12(1); (d) related to sustaining the general availability, integrity and confidentiality of the public core of the open internet, including, where relevant, the cybersecurity of undersea communications cables; (e) promoting the development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures; (f) promoting and developing education and training on cybersecurity, cybersecurity skills, awareness raising and research and development initiatives, as well as guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities; (g) supporting academic and research institutions to develop, enhance and promote the deployment of cybersecurity tools and secure network infrastructure; (h) including relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law; (i) strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs; (j) promoting active cyber protection.
(a) the objectives of national preparedness measures and activities; (b) the tasks and responsibilities of the cyber crisis management authorities; (c) the cyber crisis management procedures, including their integration into the general national crisis management framework and information exchange channels; (d) national preparedness measures, including exercises and training activities; (e) the relevant public and private stakeholders and infrastructure involved; (f) national procedures and arrangements between relevant national authorities and bodies to ensure the Member State’s effective participation in and support of the coordinated management of large-scale cybersecurity incidents and crises at Union level.
(a) the CSIRTs shall ensure a high level of availability of their communication channels by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times; they shall clearly specify the communication channels and make them known to constituency and cooperative partners; (b) the CSIRTs’ premises and the supporting information systems shall be located at secure sites; (c) the CSIRTs shall be equipped with an appropriate system for managing and routing requests, in particular to facilitate effective and efficient handovers; (d) the CSIRTs shall ensure the confidentiality and trustworthiness of their operations; (e) the CSIRTs shall be adequately staffed to ensure availability of their services at all times and they shall ensure that their staff is trained appropriately; (f) the CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of their services.
(a) monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems; (b) providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned as well as to the competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents, if possible in near real-time; (c) responding to incidents and providing assistance to the essential and important entities concerned, where applicable; (d) collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity; (e) providing, upon the request of an essential or important entity, a proactive scanning of the network and information systems of the entity concerned to detect vulnerabilities with a potential significant impact; (f) participating in the CSIRTs network and providing mutual assistance in accordance with their capacities and competencies to other members of the CSIRTs network upon their request; (g) where applicable, acting as a coordinator for the purposes of the coordinated vulnerability disclosure under Article 12(1); (h) contributing to the deployment of secure information-sharing tools pursuant to Article 10(3).
(a) incident-handling procedures; (b) crisis management; and (c) coordinated vulnerability disclosure under Article 12(1).
(a) identifying and contacting the entities concerned; (b) assisting the natural or legal persons reporting a vulnerability; and (c) negotiating disclosure timelines and managing vulnerabilities that affect multiple entities.
(a) information describing the vulnerability; (b) the affected ICT products or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited; (c) the availability of related patches and, in the absence of available patches, guidance provided by the competent authorities or the CSIRTs addressed to users of vulnerable ICT products and ICT services as to how the risks resulting from disclosed vulnerabilities can be mitigated.
(a) to provide guidance to the competent authorities in relation to the transposition and implementation of this Directive; (b) to provide guidance to the competent authorities in relation to the development and implementation of policies on coordinated vulnerability disclosure, as referred to in Article 7(2), point (c); (c) to exchange best practices and information in relation to the implementation of this Directive, including in relation to cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, training, exercises and skills, capacity building, standards and technical specifications as well as the identification of essential and important entities pursuant to Article 2(2), points (b) to (e); (d) to exchange advice and cooperate with the Commission on emerging cybersecurity policy initiatives and the overall consistency of sector-specific cybersecurity requirements; (e) to exchange advice and cooperate with the Commission on draft delegated or implementing acts adopted pursuant to this Directive; (f) to exchange best practices and information with relevant Union institutions, bodies, offices and agencies; (g) to exchange views on the implementation of sector-specific Union legal acts that contain provisions on cybersecurity; (h) where relevant, to discuss reports on the peer review referred to in Article 19(9) and draw up conclusions and recommendations; (i) to carry out coordinated security risk assessments of critical supply chains in accordance with Article 22(1); (j) to discuss cases of mutual assistance, including experiences and results from cross-border joint supervisory actions as referred to in Article 37; (k) upon the request of one or more Member States concerned, to discuss specific requests for mutual assistance as referred to in Article 37; (l) to provide strategic guidance to the CSIRTs network and EU-CyCLONe on specific emerging issues; (m) to exchange views on the policy on follow-up actions following large-scale cybersecurity incidents and crises on the basis of lessons learned of the CSIRTs network and EU-CyCLONe; (n) to contribute to cybersecurity capabilities across the Union by facilitating the exchange of national officials through a capacity building programme involving staff from the competent authorities or the CSIRTs; (o) to organise regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Cooperation Group and gather input on emerging policy challenges; (p) to discuss the work undertaken in relation to cybersecurity exercises, including the work done by ENISA; (q) to establish the methodology and organisational aspects of the peer reviews referred to in Article 19(1), as well as to lay down the self-assessment methodology for Member States in accordance with Article 19(5), with the assistance of the Commission and ENISA, and, in cooperation with the Commission and ENISA, to develop codes of conduct underpinning the working methods of designated cybersecurity experts in accordance with Article 19(6); (r) to prepare reports for the purpose of the review referred to in Article 40 on the experience gained at a strategic level and from peer reviews; (s) to discuss and carry out on a regular basis an assessment of the state of play of cyber threats or incidents, such as ransomware.
(a) to exchange information about the CSIRTs’ capabilities; (b) to facilitate the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices and frameworks among the CSIRTs; (c) to exchange relevant information about incidents, near misses, cyber threats, risks and vulnerabilities; (d) to exchange information with regard to cybersecurity publications and recommendations; (e) to ensure interoperability with regard to information-sharing specifications and protocols; (f) at the request of a member of the CSIRTs network potentially affected by an incident, to exchange and discuss information in relation to that incident and associated cyber threats, risks and vulnerabilities; (g) at the request of a member of the CSIRTs network, to discuss and, where possible, implement a coordinated response to an incident that has been identified within the jurisdiction of that Member State; (h) to provide Member States with assistance in addressing cross-border incidents pursuant to this Directive; (i) to cooperate, exchange best practices and provide assistance to the CSIRTs designated as coordinators pursuant to Article 12(1) with regard to the management of the coordinated disclosure of vulnerabilities which could have a significant impact on entities in more than one Member State; (j) to discuss and identify further forms of operational cooperation, including in relation to: (i) categories of cyber threats and incidents; (ii) early warnings; (iii) mutual assistance; (iv) principles and arrangements for coordination in response to cross-border risks and incidents; (v) contribution to the national large-scale cybersecurity incident and crisis response plan referred to in Article 9(4) at the request of a Member State;
(k) to inform the Cooperation Group of its activities and of the further forms of operational cooperation discussed pursuant to point (j), and, where necessary, request guidance in that regard; (l) to take stock of cybersecurity exercises, including those organised by ENISA; (m) at the request of an individual CSIRT, to discuss the capabilities and preparedness of that CSIRT; (n) to cooperate and exchange information with regional and Union-level Security Operations Centres (SOCs) in order to improve common situational awareness on incidents and cyber threats across the Union; (o) where relevant, to discuss the peer-review reports referred to in Article 19(9); (p) to provide guidelines in order to facilitate the convergence of operational practices with regard to the application of the provisions of this Article concerning operational cooperation.
(a) to increase the level of preparedness of the management of large-scale cybersecurity incidents and crises; (b) to develop a shared situational awareness for large-scale cybersecurity incidents and crises; (c) to assess the consequences and impact of relevant large-scale cybersecurity incidents and crises and propose possible mitigation measures; (d) to coordinate the management of large-scale cybersecurity incidents and crises and support decision-making at political level in relation to such incidents and crises; (e) to discuss, upon the request of a Member State concerned, national large-scale cybersecurity incident and crisis response plans referred to in Article 9(4).
(a) a Union-level cybersecurity risk assessment, taking account of the cyber threat landscape; (b) an assessment of the development of cybersecurity capabilities in the public and private sectors across the Union; (c) an assessment of the general level of cybersecurity awareness and cyber hygiene among citizens and entities, including small and medium-sized enterprises; (d) an aggregated assessment of the outcome of the peer reviews referred to in Article 19; (e) an aggregated assessment of the level of maturity of cybersecurity capabilities and resources across the Union, including those at sector level, as well as of the extent to which the Member States’ national cybersecurity strategies are aligned.
(a) the level of implementation of the cybersecurity risk-management measures and reporting obligations laid down in Articles 21 and 23; (b) the level of capabilities, including the available financial, technical and human resources, and the effectiveness of the exercise of the tasks of the competent authorities; (c) the operational capabilities of the CSIRTs; (d) the level of implementation of mutual assistance referred to in Article 37; (e) the level of implementation of the cybersecurity information-sharing arrangements referred to in Article 29; (f) specific issues of cross-border or cross-sector nature.
(a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
(a) without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact; (b) without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; (c) upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the incident notification under point (b), including the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border impact of the incident;
(e) in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.
(a) providers of public electronic communications networks or providers of publicly available electronic communications services, which shall be considered to fall under the jurisdiction of the Member State in which they provide their services; (b) DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, which shall be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union under paragraph 2; (c) public administration entities, which shall be considered to fall under the jurisdiction of the Member State which established them.
(a) the name of the entity; (b) the relevant sector, subsector and type of entity referred to in Annex I or II, where applicable; (c) the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3); (d) up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3); (e) the Member States where the entity provides services; and (f) the entity’s IP ranges.
(a) the domain name; (b) the date of registration; (c) the registrant’s name, contact email address and telephone number; (d) the contact email address and telephone number of the point of contact administering the domain name in the event that they are different from those of the registrant.
(a) aims to prevent, detect, respond to or recover from incidents or to mitigate their impact; (b) enhances the level of cybersecurity, in particular through raising awareness in relation to cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages or promoting collaborative cyber threat research between public and private entities.
(a) essential and important entities with regard to incidents, cyber threats and near misses; (b) entities other than those referred to in point (a), regardless of whether they fall within the scope of this Directive, with regard to significant incidents, cyber threats and near misses.
(a) on-site inspections and off-site supervision, including random checks conducted by trained professionals; (b) regular and targeted security audits carried out by an independent body or a competent authority; (c) ad hoc audits, including where justified on the ground of a significant incident or an infringement of this Directive by the essential entity; (d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned; (e) requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27; (f) requests to access data, documents and information necessary to carry out their supervisory tasks; (g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.
(a) issue warnings about infringements of this Directive by the entities concerned; (b) adopt binding instructions, including with regard to measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation, or an order requiring the entities concerned to remedy the deficiencies identified or the infringements of this Directive; (c) order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct; (d) order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period; (e) order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat; (f) order the entities concerned to implement the recommendations provided as a result of a security audit within a reasonable deadline; (g) designate a monitoring officer with well-defined tasks for a determined period of time to oversee the compliance of the entities concerned with Articles 21 and 23; (h) order the entities concerned to make public aspects of infringements of this Directive in a specified manner; (i) impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (h) of this paragraph.
(a) suspend temporarily, or request a certification or authorisation body, or a court or tribunal, in accordance with national law, to suspend temporarily a certification or authorisation concerning part or all of the relevant services provided or activities carried out by the essential entity; (b) request that the relevant bodies, courts or tribunals, in accordance with national law, prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in the essential entity from exercising managerial functions in that entity.
(a) the seriousness of the infringement and the importance of the provisions breached, the following, inter alia, constituting serious infringement in any event: (i) repeated violations; (ii) a failure to notify or remedy significant incidents; (iii) a failure to remedy deficiencies following binding instructions from competent authorities; (iv) the obstruction of audits or monitoring activities ordered by the competent authority following the finding of an infringement; (v) providing false or grossly inaccurate information in relation to cybersecurity risk-management measures or reporting obligations laid down in Articles 21 and 23;
(b) the duration of the infringement; (c) any relevant previous infringements by the entity concerned; (d) any material or non-material damage caused, including any financial or economic loss, effects on other services and the number of users affected; (e) any intent or negligence on the part of the perpetrator of the infringement; (f) any measures taken by the entity to prevent or mitigate the material or non-material damage; (g) any adherence to approved codes of conduct or approved certification mechanisms; (h) the level of cooperation of the natural or legal persons held responsible with the competent authorities.
(a) on-site inspections and off-site ex post supervision conducted by trained professionals;(b) targeted security audits carried out by an independent body or a competent authority; (c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned; (d) requests for information necessary to assess, ex post , the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27;(e) requests to access data, documents and information necessary to carry out their supervisory tasks; (f) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.
(a) issue warnings about infringements of this Directive by the entities concerned; (b) adopt binding instructions or an order requiring the entities concerned to remedy the deficiencies identified or the infringement of this Directive; (c) order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct; (d) order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period; (e) order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat; (f) order the entities concerned to implement the recommendations provided as a result of a security audit within a reasonable deadline; (g) order the entities concerned to make public aspects of infringements of this Directive in a specified manner; (h) impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (g) of this paragraph.
(a) the competent authorities applying supervisory or enforcement measures in a Member State shall, via the single point of contact, inform and consult the competent authorities in the other Member States concerned on the supervisory and enforcement measures taken; (b) a competent authority may request another competent authority to take supervisory or enforcement measures; (c) a competent authority shall, upon receipt of a substantiated request from another competent authority, provide the other competent authority with mutual assistance proportionate to its own resources so that the supervisory or enforcement measures can be implemented in an effective, efficient and consistent manner.
| Sector | Subsector | Type of entity |
|---|---|---|
|
| |
| ||
| ||
| ||
| ||
|
| |
|
| |
| ||
| ||
|
| |
| ||
| ||
| ||
| ||
| ||
| ||
|
| |
|
| |
| ||
| ||
|
| |
| ||
|
| |
| ||
| ||
|
| |
| ||
| Credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council | ||
| ||
| ||
| ||
| ||
| ||
| Suppliers and distributors of water intended for human consumption as defined in Article 2, point (1)(a), of Directive (EU) 2020/2184 of the European Parliament and of the Council | ||
| Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water as defined in Article 2, points (1), (2) and (3), of Council Directive 91/271/EEC | ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| ||
| Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks |
| Sector | Subsector | Type of entity |
|---|---|---|
| Postal service providers as defined in Article 2, point (1a), of Directive 97/67/EC, including providers of courier services | ||
| Undertakings carrying out waste management as defined in Article 3, point (9), of Directive 2008/98/EC of the European Parliament and of the Council | ||
| Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, as referred to in Article 3, points (9) and (14), of Regulation (EC) No 1907/2006 of the European Parliament and of the Council | ||
| Food businesses as defined in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council | ||
| Entities manufacturing medical devices as defined in Article 2, point (1), of Regulation (EU) 2017/745 of the European Parliament and of the Council | |
| Undertakings carrying out any of the economic activities referred to in section C division 26 of NACE Rev. 2 | |
| Undertakings carrying out any of the economic activities referred to in section C division 27 of NACE Rev. 2 | |
| Undertakings carrying out any of the economic activities referred to in section C division 28 of NACE Rev. 2 | |
| Undertakings carrying out any of the economic activities referred to in section C division 29 of NACE Rev. 2 | |
| Undertakings carrying out any of the economic activities referred to in section C division 30 of NACE Rev. 2 | |
| ||
| ||
| ||
| Research organisations |
| Directive (EU) 2016/1148 | This Directive |
|---|---|
| Article 1(1) | Article 1(1) |
| Article 1(2) | Article 1(2) |
| Article 1(3) | - |
| Article 1(4) | Article 2(12) |
| Article 1(5) | Article 2(13) |
| Article 1(6) | Article 2(6) and (11) |
| Article 1(7) | Article 4 |
| Article 2 | Article 2(14) |
| Article 3 | Article 5 |
| Article 4 | Article 6 |
| Article 5 | – |
| Article 6 | – |
| Article 7(1) | Article 7(1) and (2) |
| Article 7(2) | Article 7(4) |
| Article 7(3) | Article 7(3) |
| Article 8(1) to (5) | Article 8(1) to (5) |
| Article 8(6) | Article 13(4) |
| Article 8(7) | Article 8(6) |
| Article 9(1), (2) and (3) | Article 10(1), (2) and (3) |
| Article 9(4) | Article 10(9) |
| Article 9(5) | Article 10(10) |
| Article 10(1), (2) and (3), first subparagraph | Article 13(1), (2) and (3) |
| Article 10(3), second subparagraph | Article 23(9) |
| Article 11(1) | Article 14(1) and (2) |
| Article 11(2) | Article 14(3) |
| Article 11(3) | Article 14(4), first subparagraph, points (a) to (q) and (s), and paragraph (7) |
| Article 11(4) | Article 14(4), first subparagraph, point (r), and second subparagraph |
| Article 11(5) | Article 14(8) |
| Article 12(1) to (5) | Article 15(1) to (5) |
| Article 13 | Article 17 |
| Article 14(1) and (2) | Article 21(1) to (4) |
| Article 14(3) | Article 23(1) |
| Article 14(4) | Article 23(3) |
| Article 14(5) | Article 23(5), (6) and (8) |
| Article 14(6) | Article 23(7) |
| Article 14(7) | Article 23(11) |
| Article 15(1) | Article 31(1) |
| Article 15(2), first subparagraph, point (a) | Article 32(2), point (e) |
| Article 15(2), first subparagraph, point (b) | Article 32(2), point (g) |
| Article 15(2), second subparagraph | Article 32(3) |
| Article 15(3) | Article 32(4), point (b) |
| Article 15(4) | Article 31(3) |
| Article 16(1) and (2) | Article 21(1) to (4) |
| Article 16(3) | Article 23(1) |
| Article 16(4) | Article 23(3) |
| Article 16(5) | – |
| Article 16(6) | Article 23(6) |
| Article 16(7) | Article 23(7) |
| Article 16(8) and (9) | Article 21(5) and Article 23(11) |
| Article 16(10) | – |
| Article 16(11) | Article 2(1), (2) and (3) |
| Article 17(1) | Article 33(1) |
| Article 17(2), point (a) | Article 32(2), point (e) |
| Article 17(2), point (b) | Article 32(4), point (b) |
| Article 17(3) | Article 37(1), points (a) and (b) |
| Article 18(1) | Article 26(1), point (b), and paragraph (2) |
| Article 18(2) | Article 26(3) |
| Article 18(3) | Article 26(4) |
| Article 19 | Article 25 |
| Article 20 | Article 30 |
| Article 21 | Article 36 |
| Article 22 | Article 39 |
| Article 23 | Article 40 |
| Article 24 | – |
| Article 25 | Article 41 |
| Article 26 | Article 45 |
| Article 27 | Article 46 |
| Annex I, point (1) | Article 11(1) |
| Annex I, points (2)(a)(i) to (iv) | Article 11(2), points (a) to (d) |
| Annex I, point (2)(a)(v) | Article 11(2), point (f) |
| Annex I, point (2)(b) | Article 11(4) |
| Annex I, points (2)(c)(i) and (ii) | Article 11(5), point (a) |
| Annex II | Annex I |
| Annex III, points (1) and (2) | Annex II, point (6) |
| Annex III, point (3) | Annex I, point (8) |