Source: OJ L, 2024/2690, 18.10.2024Current language: EN
- High common level of cybersecurity for entities
Implementing acts
- Cybersecurity measures and significant incidents for relevant entities
Article 1 Subject matter
Summary What does Article 1 of the Cybersecurity measures and significant incidents for relevant entities say?
This is the foundational scoping article of the Regulation.
It identifies the specific categories of digital and ICT service providers that fall within its scope, collectively referred to as "relevant entities", and sets out the Regulation's two core purposes: establishing technical and methodological requirements for cybersecurity risk-management measures, and defining when an incident must be considered significant.
Both purposes directly implement obligations under NIS2 (Directive (EU) 2022/2555), meaning this Regulation acts as a technical implementing act that gives concrete shape to the broader requirements laid down in that Directive.
Important points:
- Understand whether your organisation falls within one of the listed categories of relevant entities, as this determines whether the Regulation applies to you.
- The Regulation serves two distinct functions: specifying cybersecurity risk-management requirements and defining the threshold for a significant incident.
- Both functions derive their legal basis from NIS2, specifically Articles 21(2) and 23(3) of Directive (EU) 2022/2555.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
This Regulation, with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (the relevant entities) lays down the technical and the methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 and further specifies the cases in which an incident shall be considered to be significant as referred to in Article 23(3) of Directive (EU) 2022/2555.
Relevant recitals
Recital 1 Relevant entities and purpose of regulation
With regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers as covered by Article 3 of Directive (EU) 2022/2555 (the relevant entities), this Regulation aims to lay down the technical and the methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 and to further specify the cases in which an incident should be considered to be significant as referred to in Article 23(3) of Directive (EU) 2022/2555.
Recital 2 Trust service providers
Taking account of the cross-border nature of their activities and in order to ensure a coherent framework for trust service providers, this Regulation should, with respect to trust service providers, further specify the cases in which an incident shall be considered to be significant, in addition to laying down the technical and the methodological requirements of the cybersecurity risk-management measures.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
social networking services platform
Definition
online search engine
Definition
ICT product
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
managed security service provider
Definition
content delivery network
Definition
TLD name registry
Definition
managed service provider
Definition
trust service provider
Definition
DNS service provider
- publicly available recursive domain name resolution services for internet end-users; or
- authoritative domain name resolution services for third-party use, with the exception of root name servers;
Definition
data centre service
Definition
entity
Definition
trust service
Definition
cybersecurity
Definition
digital service
Definition
cloud computing service