The NIS2 Directive
This article walks through the Directive (Directive (EU) 2022/2555) in detail from the perspective of a private-sector entity that has to comply with it, rather than a government body transposing it.
What is a Directive?
A directive binds the Member States as to the result to be achieved, but leaves each Member State to choose the form and method, i.e. the national law that transposes it. For NIS2 this means the obligations that actually bind an entity are those in the national law of the Member State with jurisdiction over it, which may go beyond the Directive's minimum requirements.
NIS2 Objective
This Directive aims to establish a high level of cybersecurity across the EU, enhancing the internal market’s efficiency.
NIS2 Key Provisions
- National Cybersecurity Strategies: Member States must develop strategies and appoint competent authorities, cyber crisis management authorities, single points of contact, and CSIRTs.
- Cybersecurity Measures and Reporting: Entities listed in Annex I or II, and those identified as critical under Directive (EU) 2022/2557, have specific risk management and reporting responsibilities.
- Information Sharing: Establishes rules and obligations for sharing cybersecurity information.
- Supervisory and Enforcement Duties: Member States are responsible for overseeing and enforcing these cybersecurity obligations.
NIS2 Scope
- Directive Applicability: Applies to public or private entities of a type listed in Annex I or II that qualify as medium-sized enterprises under Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises, and that provide their services or carry out their activities within the Union.
- Scope Extension: Regardless of size, also applies to Annex I or II entities that are providers of public electronic communications networks or services, trust service providers, TLD name registries or DNS service providers; that are the sole provider in a Member State of a service essential for critical societal or economic activities; whose disruption could significantly affect public safety, security or health, or pose a significant (including cross-border) systemic risk; that are critical because of their national or regional importance; and to public administration entities of central government and, as defined by the Member State, of regional level.
- Critical Entities Coverage: Encompasses entities recognized as critical under Directive (EU) 2022/2557.
- Domain Name Registration Services: Applies to entities providing domain name registration services regardless of their size.
- Potential Expanded Application: Member States may extend the Directive’s scope to include local public administration and educational institutions involved in critical research.
- National Security Exemption: Maintains Member States’ responsibility for national security without being constrained by this Directive.
- Exclusion of Certain Public Administration Entities: Public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement (including the prevention, investigation, detection and prosecution of criminal offences) are excluded.
- Specific Exemptions: Allows Member States to exempt entities involved in defense, law enforcement, or providing exclusive services to exempted public administration entities from certain obligations.
- Trust Service Providers: The two exclusions above (Article 2(7) and (8)) do not apply where an entity acts as a trust service provider.
- Non-Applicability to Exempted Entities: Excludes entities exempted by Member States under Regulation (EU) 2022/2554.
- Confidential Information Protection: Obligations do not require disclosure of information contrary to national security interests.
- Compliance with Other Regulations: Directive applies without prejudice to several EU regulations, ensuring no conflict with existing legal frameworks.
- Confidential Information Exchange: Exchange of confidential information is limited and must be relevant and necessary for the Directive’s application.
- Personal Data Processing: Entities must process personal data as necessary for this Directive, in accordance with EU data protection regulations.
NIS2 Essential and Important Entities
- Essential Entity Criteria: Includes entities of a type listed in Annex I that exceed the ceilings for medium-sized enterprises; qualified trust service providers, TLD name registries and DNS service providers regardless of size; providers of public electronic communications networks or services that qualify as medium-sized enterprises; central government public administration entities; entities identified as critical under Directive (EU) 2022/2557; entities a Member State identifies as essential under Article 2(2)(b)-(e); and, where a Member State so provides, entities previously identified as operators of essential services under Directive (EU) 2016/1148.
- Important Entities Definition: Entities of a type listed in Annex I or II that do not qualify as essential are important entities, including those a Member State identifies as important under Article 2(2)(b)-(e).
- Member State Entity List Requirement: By 17 April 2025, Member States must establish a list of essential and important entities, as well as entities providing domain name registration services, and review and update it regularly and at least every two years.
- Entity Information Submission: Entities must provide their name; address and up-to-date contact details, including email addresses, IP ranges and telephone numbers; where applicable, their sector and subsector under Annex I or II; and, where applicable, the Member States in which they provide services. Changes to these details must be notified without delay and in any event within two weeks.
- Notification to Commission and Cooperation Group: Competent authorities are required to inform the Commission and Cooperation Group about the number and details of essential and important entities every two years.
- Interim Reporting Provision: Until 17 April 2025, Member States may, on the Commission’s request, report the names of essential and important entities.
NIS2 Sectors of High Criticality (Annex I)
Energy
- Electricity – electricity undertakings, distribution system operators, transmission system operators, producers, nominated electricity market operators (NEMOs), market participants providing aggregation, demand response or energy storage services, operators of recharging points
- District heating/cooling operators
- Oil – transmission, production, refinement, storage
- Gas – supply, distribution, transmission, storage
- Hydrogen – production, storage, transmission
Transport
- Air – air carriers, airport managing bodies and airports, traffic management control operators providing air traffic control (ATC) services
- Rail – infrastructure managers, railway undertakings
- Water – inland, sea and coastal passenger and freight water transport companies, managing bodies of ports, operators of vessel traffic services (VTS)
- Road – road authorities responsible for traffic management control, operators of intelligent transport systems (ITS)
Banking
Credit institutions
Financial market infrastructures
- Operators of trading venues
- Central counterparties (CCPs)
Health
- Healthcare providers
- EU reference laboratories
- Entities carrying out research and development of medicinal products
- Manufacturers of basic pharmaceutical products and pharmaceutical preparations
- Manufacturers of medical devices considered critical during a public health emergency
Drinking Water
Suppliers and distributors of water intended for human consumption
Waste water
Undertakings collecting, disposing of or treating urban, domestic and industrial waste water
Digital infrastructure
- Internet exchange point providers
- DNS providers
- Cloud computing providers
- TLD name registries
- Data center service providers
- Content delivery network providers
- Trust service providers
- Providers of public electronic communications networks and publicly available electronic communications services
B2B service management
- Managed service providers
- Managed security service providers
Public administration
Central government entities, and regional-level entities as defined by each Member State
Space
Operators of ground-based infrastructure supporting the provision of space-based services (excluding providers of public electronic communications networks)
NIS2 Other Critical Sectors (Annex II)
Postal and courier services
Waste Management
Chemicals
Manufacture, production and distribution of chemicals
Food
Production, processing and distribution
Manufacturing
- Medical devices
- Computer, electronic and optical products
- Electrical equipment
- Machinery and equipment
- Motor-vehicles, trailers, semi-trailers
- Other Transport equipment
Digital providers
Online marketplaces, online search engines, social networking services platforms
Research
Research organizations
NIS2 Jurisdiction and Territoriality
- Jurisdiction for Entities Under the Directive: Entities are under the jurisdiction of the Member State in which they are established, with three exceptions: providers of public electronic communications networks or services fall under the Member State in which they provide their services; DNS service providers, TLD name registries, domain name registration service providers, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, and providers of online marketplaces, online search engines and social networking services platforms fall under the Member State in which they have their main establishment in the Union; and public administration entities fall under the Member State that established them.
- Determining Main Establishment: For specific entities (e.g., DNS service providers), the main establishment in the Union is where cybersecurity decisions are made. If undetermined, the focus shifts to where cybersecurity operations occur or where the most employees are in the Union.
- Non-EU Entities Offering Services: Entities not established in the EU but offering services within it must designate a Union representative, falling under the jurisdiction of the Member State where this representative is established. Without a representative, any Member State where services are offered can take legal action.
- Legal Actions Against Entities: Designating a representative does not preclude legal actions against the entity itself for Directive infringements.
- Mutual Assistance and Enforcement Measures: Member States receiving mutual assistance requests can take appropriate supervisory and enforcement actions against entities within their territory, in line with the request’s limits.
NIS2 Supervisory and enforcement – Essential Entities
- Effective Measures for Essential Entities: Member States must ensure supervisory or enforcement measures for essential entities are effective, proportionate, and dissuasive, considering each case’s specifics.
- Supervisory Powers: Competent authorities can conduct on-site inspections and off-site supervision (including random checks), regular and targeted security audits by an independent body or the authority itself, ad hoc audits (including after a significant incident), and security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria; they can also request information, access to data and documents, and evidence that cybersecurity policies are actually implemented, such as the results of audits by a qualified auditor.
- Purpose of Requests: Competent authorities must clarify the purpose and specify the information requested when exercising certain powers.
- Enforcement Powers: Authorities can issue warnings, binding instructions, cessation orders, compliance orders, inform affected parties about cyber threats, implement audit recommendations, designate monitoring officers, publicize infringements, and impose administrative fines.
- Actions Against Ineffective Measures: If warnings, binding instructions, cessation or compliance orders, or orders to implement audit recommendations prove ineffective, authorities can set a deadline and, if it passes unmet, temporarily suspend (or request the suspension of) a certification or authorisation for the relevant services, and request that a court or competent body temporarily prohibit a natural person at CEO or legal-representative level from exercising managerial functions in that entity. Neither measure applies to public administration entities.
- Responsibility of Representatives: Natural persons in managerial roles must ensure the entity’s compliance with the Directive, with potential liability for non-compliance.
- Consideration in Enforcement: Authorities must consider the infringement’s seriousness, duration, past infringements, damage caused, intent, mitigating actions, adherence to codes, and cooperation level.
- Reasoning and Notification: Authorities must provide detailed reasoning for their measures and notify entities of preliminary findings, allowing time for observations.
- Communication with Other Authorities: Authorities must inform other relevant authorities under Directive (EU) 2022/2557 when supervising or enforcing compliance with entities identified as critical under the same directive.
- Cooperation with Regulation (EU) 2022/2554 Authorities: Authorities must cooperate with relevant authorities under Regulation (EU) 2022/2554, particularly regarding compliance of essential entities designated as critical ICT third-party service providers.
NIS2 Supervisory and enforcement – Important Entities
- Ex Post Supervision for Non-Compliance: Member States must ensure competent authorities take ex post supervisory action against important entities not complying with this Directive, especially Articles 21 and 23, based on evidence or indications.
- Supervisory Powers for Important Entities: Competent authorities can conduct on-site inspections, targeted security audits, security scans, and request information or evidence of cybersecurity policy implementation from important entities.
- Specificity in Requests: When requesting information for supervisory tasks, authorities must clarify the purpose and specify the required information.
- Enforcement Powers: Authorities have the power to issue warnings, give binding instructions, order cessation of non-compliant conduct, ensure compliance with cybersecurity measures, inform affected persons of cyber threats, and implement security audit recommendations. They can also make public aspects of infringements and impose administrative fines.
- Application of General Enforcement Principles: The principles in Article 32(6), (7), and (8) regarding supervisory and enforcement measures also apply to important entities.
- Cooperation with Other Regulations: Competent authorities must cooperate with relevant authorities under Regulation (EU) 2022/2554, especially when supervising important entities designated as critical ICT third-party service providers.

NIS2 Fines
- Effective and Proportionate Fines: Member States must ensure that administrative fines for breaches of this Directive are effective, proportionate, and dissuasive, considering each case’s specifics.
- Fines in Addition to Measures: Administrative fines are imposed in addition to other measures outlined in Articles 32(4), 32(5), and 33(4).
- Criteria for Fines: When imposing fines, Member States must consider factors listed in Article 32(7), such as seriousness, duration, and damage caused by the infringement.
- Maximum Fines for Essential Entities: For infringements of Article 21 (risk-management measures) or Article 23 (reporting obligations) by essential entities, national law must allow fines of up to at least EUR 10 million or at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher; these are floors for the national maximum, so a Member State may set a higher cap.
- Maximum Fines for Important Entities: For the same infringements by important entities, national law must allow fines of up to at least EUR 7 million or at least 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher; again, a Member State may set a higher cap.
- Periodic Penalty Payments: Member States may impose periodic penalty payments to compel compliance with the Directive.
- Fines on Public Administration Entities: Rules on imposing administrative fines on public administration entities are determined by each Member State.
- Alternative Systems for Fines: In Member States without administrative fines, fines must be imposed by courts or tribunals to ensure they are effective, proportionate, and dissuasive. Member States must notify the Commission of relevant laws by 17 October 2024.
NIS2 Sector-specific Union legal acts
- Applicability of Sector-Specific Legal Acts: If sector-specific Union legal acts mandate cybersecurity risk management or incident notification equivalent to this Directive, the provisions of this Directive, including Chapter VII, do not apply. If these legal acts don’t cover all entities in a sector within this Directive’s scope, the Directive’s provisions remain applicable to uncovered entities.
- Equivalency Criteria for Sector-Specific Acts: Requirements in sector-specific acts are deemed equivalent if cybersecurity measures match Article 21(1) and (2) of this Directive, or if the act ensures immediate, possibly automatic access to incident notifications similar to Article 23(1)-(6).
- Guidelines from the Commission: The Commission will provide guidelines by 17 July 2023 to clarify the application of these criteria and will review them regularly, considering input from the Cooperation Group and ENISA.
NIS2 Preamble
This section summarises the recitals that precede the articles: the reasons for the Directive, its background, and its cross-references to other Union acts.
- Cybersecurity Enhancement Directive: Directive (EU) 2016/1148 aimed to enhance cybersecurity and ensure service continuity across key sectors.
- Progress Since Directive (EU) 2016/1148: Significant cyber resilience improvements and national cybersecurity strategies were developed since the Directive’s introduction.
- Rising Cyber Threats: Increased cyber threats due to digital transformation require coordinated responses to protect economic activities and societal confidence.
- Cybersecurity Requirement Disparities: Directive (EU) 2016/1148 exposed disparities in cybersecurity requirements among Member States, impacting cross-border activities.
- Addressing Market Fragmentation: The Directive aims to eliminate market fragmentation by standardizing cybersecurity obligations and enhancing cooperation among Member States.
- Extended Directive Scope: The Directive repeals Directive (EU) 2016/1148 and widens its scope to more sectors and entity types, replacing the earlier distinction between operators of essential services and digital service providers with the essential/important entity split.
- Uniform Criteria for Entities: A size-cap rule establishes uniform criteria for entities to qualify under the Directive, ensuring legal certainty.
- Exclusion of Certain Public Entities: Public administration entities involved in national security or law enforcement are excluded from the Directive, with specific exceptions.
- Member States’ Discretion in National Security: Member States can exempt entities involved in national security or law enforcement from certain Directive obligations.
- National Security in Nuclear Power: Member States have discretion over national security matters related to nuclear power production activities.
- Inclusion of Trust Service Providers: Trust service providers under Regulation (EU) No 910/2014 are included in the Directive, ensuring consistent security requirements.
- Postal Services under the Directive: Postal and courier services involved in the delivery chain are subject to this Directive based on their system reliance.
- Cybersecurity for Excluded Entities: Entities outside this Directive’s scope should still achieve high cybersecurity levels, with Member States supporting equivalent risk management measures.
- Data Protection Compliance: Union data protection and privacy laws apply to personal data processing under this Directive, aligning with existing regulations.
- Classification of Entities: Entities are classified as either essential or important based on sectoral impact, size, and risk assessments, with distinct supervisory regimes.
- Independence Consideration for Classification: Member States can consider an entity’s independence from partners or linked enterprises in determining classification under this Directive.
- Essential Entity Designation: Member States may designate entities identified as operators of essential services or digital services as essential entities under this Directive.
- Trust Services by Excluded Public Entities: Public administration entities active in national security or law enforcement remain within the Directive where they provide trust services under Regulation (EU) No 910/2014.
- Listing Entities Under the Directive: Member States must list essential and important entities, including domain name registrars, providing comprehensive information for clarity.
- Member States’ Reporting Responsibility: Member States are responsible for reporting the number of essential and important entities to the Commission, including sector-specific details.
- Guidelines for Microenterprises: The Commission will provide implementation guidelines for microenterprises and small enterprises, assessing their inclusion under the Directive.
- Provision Guidance for Complex Entities: The Commission may assist Member States in applying the Directive’s scope and evaluating measures for entities with complex business models.
- Baseline Cybersecurity Measures: The Directive establishes baseline cybersecurity measures and reporting obligations, with the possibility of additional sector-specific legal acts.
- Sector-Specific Legal Act Compliance: Essential or important entities must comply with sector-specific legal acts’ cybersecurity requirements, ensuring consistency and effectiveness.
- Cooperation in Supervisory Activities: Sector-specific legal acts may allow competent authorities to collaborate in supervisory and enforcement activities, enhancing cybersecurity management.
- Sharing Cyber Threat Information: Member States should encourage sharing significant cyber threats with cybersecurity bodies to enhance awareness and effective response.
- Future Legal Acts’ Considerations: Future sector-specific Union legal acts should align with the Directive’s definitions and supervisory framework.
- Regulation (EU) 2022/2554 Application: For financial entities, Regulation (EU) 2022/2554 (DORA) is a sector-specific Union legal act, so the Directive's provisions on risk management, reporting, supervision and enforcement do not apply to them; the authorities under both acts should cooperate and exchange information.
- Cybersecurity in Aviation Sector: Cybersecurity measures in the aviation sector must be coordinated between national and Directive authorities, ensuring compliance with both.
- Linking Cybersecurity and Physical Security: The Directive ensures coherence with Directive (EU) 2022/2557 on physical security, emphasizing harmonization and information sharing between authorities.
- Digital Infrastructure Sector Obligations: Digital infrastructure entities must address physical security as part of their cybersecurity obligations, as covered by this Directive.
- DNS Service Providers’ Inclusion: The Directive applies to top-level-domain (TLD) name registries and DNS service providers, crucial for internet integrity.
- Cloud Computing Service Definitions: Cloud computing services, including various models, enable broad remote access to scalable and elastic computing resources.
- Emergence of New Cloud Models: New cloud computing models, like edge computing, are expected to emerge, responding to evolving customer needs.
- Data Centre Services Coverage: The Directive covers data centre services not classified as cloud computing services, ensuring comprehensive cybersecurity risk management.
- Research Organizations’ Role in Cybersecurity: Research organizations play a crucial role in cybersecurity due to their involvement in developing new products and processes.
- Addressing Interdependencies and Risks: The Directive recognizes the cross-border interdependencies in key sectors, emphasizing the need for robust cybersecurity amidst heightened risks.
- Designation of Cybersecurity Authorities: Member States can designate multiple authorities responsible for cybersecurity and supervisory tasks under the Directive, reflecting national governance structures.
- Designation of Single Contact Point: Member States must designate a single point of contact for coordinating network and information system security and cross-border cooperation.
- Role of Contact Points: Single points of contact should ensure efficient cross-border cooperation and forward significant incident notifications to other Member States.
- Establishment of CSIRTs: Member States should establish or designate Computer Security Incident Response Teams (CSIRTs) with adequate resources and technical capabilities.
- CSIRTs’ Incident Handling: CSIRTs handle incident processing, requiring infrastructure for confidential information sharing and well-equipped staff.
- CSIRTs' Proactive Scanning: At the request of an essential or important entity, a CSIRT may proactively scan the entity's network and information systems to detect vulnerabilities with a potential significant impact.
- CSIRTs' Monitoring Abilities: CSIRTs may also carry out non-intrusive scanning of entities' publicly accessible network and information systems to detect vulnerable or insecurely configured systems and inform the entities concerned, helping them identify organisational risks such as supply chain compromises; such scanning must not negatively affect the functioning of the entities' services.
- International CSIRT Cooperation: CSIRTs should participate in international networks and exchange information, including personal data, under data protection law.
- Resource Allocation for Cybersecurity: Member States can introduce financing mechanisms to cover the costs of public entities responsible for cybersecurity.
- CSIRTs Network Collaboration: The CSIRTs network should strengthen cooperation among Member States and consider involving relevant EU bodies in its activities.
- National Cybersecurity Strategies: Member States should develop coherent frameworks for cybersecurity strategies, consisting of both legislative and non-legislative instruments.
- Cyber Hygiene Policies: Cyber hygiene policies are essential for network and information system security, with ENISA analyzing Member States’ policies.
- Cybersecurity Awareness and Hygiene: Enhancing cybersecurity awareness and cyber hygiene is crucial, especially with the rise of connected devices used in cyberattacks.
- Promotion of Innovative Technology: Member States should encourage the use of technologies like AI for better cyberattack detection and prevention.
- Use of Open-Source Cybersecurity Tools: Member States should promote open-source software and standards, aiding small and medium-sized enterprises in cybersecurity implementation.
- Cybersecurity in Digitalized Utilities: Policies for digitalized utilities in smart cities are needed to address their vulnerability to cyberattacks.
- Strategies Against Ransomware: National cybersecurity strategies should include policies to address the rising threat of ransomware attacks.
- Public-Private Cybersecurity Partnerships: Member States should promote public-private partnerships in cybersecurity for knowledge exchange and best practices.
- Cybersecurity for SMEs: National strategies should address the unique cybersecurity challenges faced by small and medium-sized enterprises, including supply chain attacks.
- Active Cyber Protection Policies: Member States should adopt active cyber protection strategies, offering proactive services and tools for network security.
- Handling of Vulnerabilities: Entities should establish procedures to handle vulnerabilities, coordinating with manufacturers for timely remediation and disclosure.
- Alignment with International Standards: The Commission, ENISA, and Member States should align with international standards and best practices in cybersecurity risk management.
- Facilitating Vulnerability Disclosure: Member States, in cooperation with ENISA, should establish policies for coordinated vulnerability disclosure, addressing legal challenges for researchers.
- CSIRT as Vulnerability Coordinator: Designated CSIRTs should act as coordinators, facilitating vulnerability disclosures and managing multi-party vulnerabilities.
- European Vulnerability Database: ENISA should establish a European database for disclosing and registering known vulnerabilities to enhance cybersecurity risk management.
- Collaboration with Global Registries: ENISA should seek cooperation with global vulnerability registries to enhance transparency and avoid duplicating efforts.
- Strategic Cooperation Group’s Role: The Cooperation Group should facilitate strategic cooperation among Member States and develop a biennial work program.
- National Solutions Mapping: The Cooperation Group should map and assess national cybersecurity solutions to align the Directive’s implementation among Member States.
- Adaptive Policy Forum: The Cooperation Group should remain flexible, engaging with private stakeholders and assessing cyber threats to inform policy changes.
- International Exchange Schemes: Competent authorities and CSIRTs should participate in exchange programs with other Member States to strengthen trust and cooperation.
- EU Cybersecurity Crisis Framework: Member States should support the EU Cybersecurity Crisis Response Framework, contributing through existing networks like EU-CyCLONe.
- Managing Large-Scale Cyber Incidents: Member States should cooperate at various levels to coordinate responses to large-scale cybersecurity incidents affecting multiple countries.
- Coordinated Crisis Response: Large-scale cybersecurity incidents require a coordinated Union-level response due to the interdependence of sectors and Member States.
- EU-CyCLONe’s Intermediary Role: EU-CyCLONe should act between technical and political levels during large-scale cybersecurity incidents to enhance operational cooperation.
- Commission’s Crisis Management Role: The Commission plays a pivotal role in general preparedness, situational awareness, and crisis response coordination within the EU.
- International Cooperation Agreements: The Union may form agreements with third countries for participation in cybersecurity activities, protecting data and Union interests.
- Cybersecurity Collaboration with Third Countries: Member States can engage in cybersecurity activities with third countries, including threat information exchange and crisis management training.
- Introduction of Peer Reviews: Peer reviews among Member States should enhance mutual trust and cybersecurity maturity, avoiding duplication with existing mechanisms.
- Self-Assessment Methodology for Member States: The Cooperation Group should develop a methodology for Member States to self-assess their cybersecurity capabilities and strategies.
- Risk Management Responsibility: Essential and important entities bear significant responsibility for network and information system security, requiring effective risk management culture.
- Cybersecurity Risk Management Measures: Entities should consider their reliance on network and information systems and incorporate systemic analysis, including human factors.
- Comprehensive Cybersecurity Measures: Cybersecurity measures should encompass protection against various threats, including physical security and environmental factors, following international standards.
- Use of Standards for Compliance: In the absence of specific European cybersecurity certification schemes, Member States should encourage the use of relevant standards for compliance.
- Proportionate Cybersecurity Measures: Cybersecurity measures should be tailored to risk levels and cost, considering state-of-the-art technology and relevant standards.
- Risk-Based Cybersecurity: Measures should match the entity’s risk exposure and potential societal and economic impact of incidents.
- Security of Network Systems: Essential and important entities must secure their network systems, whether maintained internally or outsourced.
- Harmonization for Digital Service Providers: High harmonization levels are required for DNS service providers, cloud computing, data centers, and other digital services.
- Supply Chain Risk Management: Entities should assess and manage cybersecurity risks from suppliers and service providers, incorporating measures in contractual arrangements.
- Selecting Security Service Providers: Entities should exercise diligence in choosing managed security service providers due to their integral role and potential attack risks.
- Support from Cybersecurity Services: Competent authorities may benefit from cybersecurity services like audits and penetration testing for supervisory tasks.
- Ecosystem Interaction Risks: Entities must address risks from interactions with stakeholders, including academic institutions and third-party data services.
- Adopting Cyber Hygiene Practices: Entities should implement basic cyber hygiene practices, staff training, and advanced cybersecurity technologies like AI.
- Coordinated Supply Chain Risk Assessments: The Cooperation Group should assess critical supply chains to identify ICT risks and mitigation strategies.
- Criteria for Supply Chain Assessments: Coordinated assessments should consider technical and non-technical factors, including reliance on ICT services and potential third-country influences.
- Scope Inclusion of Communication Services: Providers of public electronic communications networks and trust services fall under this Directive, benefiting from its legal framework.
- Complementary Cybersecurity for Trust Services: Trust service providers must manage risks and report incidents, considering physical protection and existing Regulation (EU) No 910/2014 requirements.
- Cooperation with Supervisory Bodies: Competent authorities should cooperate with supervisory bodies for trust services, exchanging incident-related information.
- Transitioning Security Measures for Providers: Existing national guidelines and ENISA’s guidance should assist the transition of security measures for public electronic communications providers.
- Security for Interpersonal Communications Services: Providers of number-independent interpersonal communications services must ensure appropriate security levels due to their expanding attack surface.
- Securing Public Electronic Communications Networks: The security of these networks is crucial for internet-based services, with special attention to undersea communications cables in cybersecurity strategies.
- Promotion of Encryption Technologies: Encryption, especially end-to-end, should be promoted for public electronic communications, balancing with Member States’ security and law enforcement needs.
- Secure Routing Standards: The adoption of secure routing standards is encouraged to protect the integrity of public electronic communications networks and services.
- DNS Resolution Diversification Strategy: Stakeholders should adopt diversification strategies for DNS resolution, and Member States should promote a secure European DNS resolver service.
- Multiple-Stage Incident Reporting: This Directive introduces a multi-stage approach for reporting significant incidents, balancing swift initial reporting with in-depth follow-up.
- Early Warning and Incident Notification: Entities must submit an early warning without undue delay and in any event within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, an intermediate report on the CSIRT's or competent authority's request, and a final report no later than one month after the incident notification (or, if the incident is still ongoing at that point, a progress report then and a final report within one month of handling it).
- Communicating Cyber Threats to Recipients: Entities must promptly inform service recipients about significant cyber threats and offer mitigation measures.
- Security Measures for Communication Providers: Providers of public electronic communications networks or services should implement security by design and inform recipients about significant cyber threats.
- Proactive Approach to Cyber Threats: Entities are encouraged to voluntarily report cyber threats as part of proactive cybersecurity management.
- Simplifying Reporting Procedures: Member States should provide technical means like a single entry point for entities to report incidents, reducing administrative burden.
- Reporting Criminal Incidents: Entities are encouraged to report incidents suspected of serious criminal activities to relevant law enforcement authorities.
- Cooperation on Data Breaches: Competent authorities should cooperate and exchange information with data protection authorities when personal data are compromised.
- Maintaining WHOIS Data: TLD name registries and domain name registration services must process essential data for DNS security, complying with data protection laws.
- Lawful Access to Domain Name Data: These entities should enable lawful access to necessary domain name registration data for legitimate access seekers.
- Ensuring Accurate Domain Name Data: Policies should be established to collect and maintain accurate domain name registration data, including verification processes.
- Public Availability of Domain Data: Publicly available domain name registration data for legal persons should be maintained, facilitating lawful access for natural persons.
- Jurisdiction of Entities: Entities are subject to the jurisdiction of the Member State where they are established, with provisions for cross-border services.
- Determining Main Establishment: Jurisdiction over certain digital service providers is based on where their main establishment or significant operations are located in the EU.
- Jurisdiction for Recursive DNS Services: Providers of public electronic communications networks are under the jurisdiction of Member States where services are provided.
- Designating EU Representatives for Non-EU Entities: Non-EU entities offering services in the EU must designate a representative within the Union.
- ENISA’s Registry of Digital Service Providers: ENISA should maintain a registry of digital service providers offering services across the EU.
- Handling Classified Information: ENISA and Member States must apply rules for handling classified information exchanged under this Directive.
- Importance of Threat Intelligence Sharing: Sharing threat and vulnerability intelligence is crucial for detecting and preventing cyber threats.
- Cybersecurity Information-Sharing Arrangements: Member States should encourage entities to participate in voluntary cybersecurity information-sharing arrangements, following competition and data protection laws.
- Lawful Processing of Personal Data: Processing personal data for network and information system security by essential and important entities is considered lawful.
- Different Supervisory Regimes: Essential entities face comprehensive supervision, while important entities have a lighter, ex post supervisory regime.
- Minimizing Business Impact during Supervision: Supervisory tasks should not unduly hamper the business activities of entities being inspected or audited.
- Risk-Based Supervisory Approach: Competent authorities should prioritize supervision measures using a risk-based approach, affecting the frequency and types of inspections.
- Professional Supervision: Competent authorities must ensure supervision by trained professionals, minimizing the impact on business activities.
- Immediate Enforcement in Critical Situations: Competent authorities can take immediate enforcement decisions to prevent or respond to significant cyber threats.
- Enforcement Powers for Compliance: This Directive sets out a minimum list of enforcement powers for breaches, including fines, while ensuring proportionality and adherence to fundamental rights.
- No Requirement for Criminal/Civil Liability: This Directive doesn’t mandate Member States to impose criminal or civil liability for third-party damage due to infringements.
- Power to Impose Administrative Fines: Competent authorities should have the power to impose or request the imposition of administrative fines for non-compliance.
- Considerations for Administrative Fines: When imposing fines, authorities should consider the entity’s income, economic situation, and whether it’s a public authority.
- Criminal Penalties for Infringements: Member States can set criminal penalties for breaches of national transposition laws, respecting the principle of ne bis in idem.
- Effective, Proportionate Penalties: Member States should implement systems for effective, proportionate, and dissuasive penalties, either criminal or administrative.
- Suspensions for Severe Infringements: Competent authorities can temporarily suspend certifications or managerial functions in cases of severe infringement, with adequate procedural safeguards.
- Cross-border Supervision and Assistance: Member States should cooperate on supervisory and enforcement measures, especially for entities operating in multiple Member States.
- Cooperation in Cross-Border Supervision: When assisting other Member States, competent authorities should take appropriate measures within their national law limits.
- Cooperation with Data Protection Authorities: Competent authorities must collaborate with data protection authorities to address personal data-related infringements.
- Management Oversight of Cybersecurity: The management bodies of essential and important entities must approve and oversee cybersecurity risk-management measures.
- Delegated Acts for Cybersecurity Standards: The Commission can specify categories of entities required to use certain certified ICT products, services, and processes.
- Implementing Powers for Uniform Conditions: The Commission should establish procedural arrangements for the Cooperation Group and specify technical requirements for incident notifications.
- Periodic Review by the Commission: The Commission should review this Directive to assess its relevance and propose amendments based on societal, political, or technological changes.
- ENISA’s Enhanced Role and Resources: ENISA’s tasks are expanded, requiring increased financial and human resources and greater internal flexibility for resource allocation.
- Directive’s Alignment with EU Principles: The Directive aims for a high cybersecurity level across the EU, aligning with the principles of subsidiarity and proportionality.
- Fundamental Rights and Principles Compliance: The Directive upholds fundamental rights and principles, including privacy, data protection, business freedom, property rights, and fair trial.
- Consultation with European Data Protection Supervisor: The European Data Protection Supervisor was consulted, providing an opinion on the Directive’s alignment with data protection regulations.