Source: OJ L, 2024/2690, 18.10.2024Current language: EN
- High common level of cybersecurity for entities
Implementing acts
- Cybersecurity measures and significant incidents for relevant entities
Article 4 Recurring incidents
Incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; that individually are not considered a significant incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; within the meaning of Article 3, shall be considered collectively as one significant incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; where they meet all of the following criteria:
they have occurred at least twice within 6 months;
they have the same apparent root cause;
they collectively meet the criteria set out in Article 3(1)(a).
Relevant recitals
Recital 40 Recurring incidents
Recurring incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; that are linked through the same apparent root cause, which individually do not meet the criteria of a significant incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, should collectively be considered to be a significant incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, provided that they collectively meet the criterion for financial loss, and that they have occurred at least twice within six months. Such recurring incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; can indicate significant deficiencies and weaknesses in the relevant entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management procedures and their level of cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; maturity. Moreover, such recurring incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; are capable of causing significant financial loss for the relevant entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.