NIS2 2022/2555
Article 6
Definitions
For the purposes of this Directive, the following definitions apply:
| (1) | ‘network and information system’ means: |
| (2) | ‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; |
| (3) | ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; |
| (4) | ‘national cybersecurity strategy’ means a coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State; |
| (5) | ‘near miss’ means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise; |
| (6) | ‘incident’ means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; |
| (7) | ‘large-scale cybersecurity incident’ means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States; |
| (8) | ‘incident handling’ means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident; |
| (9) | ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; |
| (10) | ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; |
| (11) | ‘significant cyber threat’ means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; |
| (12) | ‘ICT product’ means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881; |
| (13) | ‘ICT service’ means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881; |
| (14) | ‘ICT process’ means an ICT process as defined in Article 2, point (14), of Regulation (EU) 2019/881; |
| (15) | ‘vulnerability’ means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; |
| (16) | ‘standard’ means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (29); |
| (17) | ‘technical specification’ means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; |
| (18) | ‘internet exchange point’ means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic; |
| (19) | ‘domain name system’ or ‘DNS’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources; |
| (20) | ‘DNS service provider’ means an entity that provides: |
| (21) | ‘top-level domain name registry’ or ‘TLD name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use; |
| (22) | ‘entity providing domain name registration services’ means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller; |
| (23) | ‘digital service’ means a service as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council (30); |
| (24) | ‘trust service’ means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014; |
| (25) | ‘trust service provider’ means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; |
| (26) | ‘qualified trust service’ means a qualified trust service as defined in Article 3, point (17), of Regulation (EU) No 910/2014; |
| (27) | ‘qualified trust service provider’ means a qualified trust service provider as defined in Article 3, point (20), of Regulation (EU) No 910/2014; |
| (28) | ‘online marketplace’ means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (31); |
| (29) | ‘online search engine’ means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (32); |
| (30) | ‘cloud computing service’ means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; |
| (31) | ‘data centre service’ means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; |
| (32) | ‘content delivery network’ means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; |
| (33) | ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations; |
| (34) | ‘representative’ means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive; |
| (35) | ‘public administration entity’ means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: |
| (36) | ‘public electronic communications network’ means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; |
| (37) | ‘electronic communications service’ means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; |
| (38) | ‘entity’ means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; |
| (39) | ‘managed service provider’ means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely; |
| (40) | ‘managed security service provider’ means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; |
| (41) | ‘research organisation’ means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions. |