Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 1 Subject matter
Summary What does Article 1 of the NIS2 Directive say?
This is the foundational article of the Directive, setting out its overarching purpose and providing a structured overview of what it contains.
The core objective is to achieve a high common level of cybersecurity across the EU in order to improve the functioning of the internal market.
It then maps out the four main pillars through which this is pursued: governance obligations on Member States, risk management and reporting obligations on in-scope entities, information sharing rules, and supervisory and enforcement requirements.
Important points:
- Member States are required to adopt national cybersecurity strategies and establish the necessary authorities and response teams to operationalise them.
- Entities listed in Annex I or II, as well as critical entities under Directive (EU) 2022/2557, must comply with cybersecurity risk-management measures and reporting obligations.
- Member States carry supervisory and enforcement obligations to ensure compliance with the Directive.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.
To that end, this Directive lays down:
obligations that require Member States to adopt national cybersecurity strategies and to designate or establish competent authorities, cyber crisis management authorities, single points of contact on cybersecurity (single points of contact) and computer security incident response teams (CSIRTs);
rules and obligations on cybersecurity information sharing;
supervisory and enforcement obligations on Member States.
Relevant recitals
Recital 3 Cybersecurity is important
Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated and innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of incidents are increasing, and present a major threat to the functioning of network and information systems. As a result, incidents can impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
cyber threat
Definition
entity
Definition
cybersecurity
Definition
national cybersecurity strategy