Article 8 Critical entities in the banking, financial market infrastructure and digital infrastructure sectors

Directive (EU) 2022/2555 requires entities belonging to the digital infrastructure sector, which might be identified as critical entities under this Directive, to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems and to notify significant incidents and cyber threats. Since threats to the security of network and information systems can have different origins, Directive (EU) 2022/2555 applies an all-hazards approach that includes the resilience of network and information systems, as well as the physical components and environment of those systems.

Given that the requirements laid down in Directive (EU) 2022/2555 in that regard are at least equivalent to the corresponding obligations laid down in this Directive, the obligations laid down in Article 11 and Chapters III, IV and VI of this Directive should not apply to entities belonging to the digital infrastructure sector in order to avoid duplication and unnecessary administrative burden. However, considering the importance of the services provided by entities belonging to the digital infrastructure sector to critical entities belonging to all other sectors, Member States should identify, based on the criteria and using the procedure provided for in this Directive, entities belonging to the digital infrastructure sector as critical entities. Consequently, the strategies, the Member State risk assessments and the support measures set out in Chapter II of this Directive should apply. Member States should be able to adopt or maintain provisions of national law to achieve a higher level of resilience for those critical entities, provided that those provisions are consistent with applicable Union law.

Union financial services law establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks, and to ensure business continuity. Such law includes Regulations (EU) No 648/2012(⁸), (EU) No 575/2013(⁹) and (EU) No 600/2014(¹⁰) of the European Parliament and of the Council and Directives 2013/36/EU(¹¹) and 2014/65/EU(¹²) of the European Parliament and of the Council. That legal framework is complemented by Regulation (EU) 2022/2554 of the European Parliament and of the Council(¹³), which lays down requirements applicable to financial entities to manage Information and Communication Technology (ICT) risks, including concerning the protection of physical ICT infrastructure. Since the resilience of those entities is therefore comprehensively covered, Article 11 and Chapters III, IV and VI of this Directive should not apply to those entities in order to avoid duplication and unnecessary administrative burden.

However, considering the importance of the services provided by entities in the financial sector to critical entities belonging to all other sectors, Member States should identify, based on the criteria and using the procedure provided for in this Directive, entities in the financial sector as critical entities. Consequently, the strategies, the Member State risk assessments and the support measures set out in Chapter II of this Directive should apply. Member States should be able to adopt or maintain provisions of national law to achieve a higher level of resilience for those critical entities provided that those provisions are consistent with applicable Union law.