Source: OJ L 333, 27.12.2022, p. 80–152
- NIS 2 directive
Article 14 Cooperation Group
In order to support and facilitate strategic cooperation and the exchange of information among Member States, as well as to strengthen trust and confidence, a Cooperation Group is established.
The Cooperation Group shall carry out its tasks on the basis of biennial work programmes referred to in paragraph 7.
The Cooperation Group shall be composed of representatives of Member States, the Commission and ENISA. The European External Action Service shall participate in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) and the competent authorities under Regulation (EU) 2022/2554 may participate in the activities of the Cooperation Group in accordance with Article 47(1) of that Regulation.
Where appropriate, the Cooperation Group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.
The Commission shall provide the secretariat.
The Cooperation Group shall have the following tasks:
(a) to provide guidance to the competent authorities in relation to the transposition and implementation of this Directive;
(b) to provide guidance to the competent authorities in relation to the development and implementation of policies on coordinated vulnerability disclosure, as referred to in Article 7(2), point (c);
(c) to exchange best practices and information in relation to the implementation of this Directive, including in relation to cyber threats, incidents, vulnerabilities, near misses, awareness-raising initiatives, training, exercises and skills, capacity building, standards and technical specifications as well as the identification of essential and important entities pursuant to Article 2(2), points (b) to (e);
(d) to exchange advice and cooperate with the Commission on emerging cybersecurity policy initiatives and the overall consistency of sector-specific cybersecurity requirements;
(e) to exchange advice and cooperate with the Commission on draft delegated or implementing acts adopted pursuant to this Directive;
(f) to exchange best practices and information with relevant Union institutions, bodies, offices and agencies;
(g) to exchange views on the implementation of sector-specific Union legal acts that contain provisions on cybersecurity;
(h) where relevant, to discuss reports on the peer review referred to in Article 19(9) and draw up conclusions and recommendations;
(i) to carry out coordinated security risk assessments of critical supply chains in accordance with Article 22(1);
(j) to discuss cases of mutual assistance, including experiences and results from cross-border joint supervisory actions as referred to in Article 37;
(k) upon the request of one or more Member States concerned, to discuss specific requests for mutual assistance as referred to in Article 37;
(l) to provide strategic guidance to the CSIRTs network and EU-CyCLONe on specific emerging issues;
(m) to exchange views on the policy on follow-up actions following large-scale cybersecurity incidents and crises on the basis of lessons learned of the CSIRTs network and EU-CyCLONe;
(n) to contribute to cybersecurity capabilities across the Union by facilitating the exchange of national officials through a capacity building programme involving staff from the competent authorities or the CSIRTs;
(o) to organise regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Cooperation Group and gather input on emerging policy challenges;
(p) to discuss the work undertaken in relation to cybersecurity exercises, including the work done by ENISA;
(q) to establish the methodology and organisational aspects of the peer reviews referred to in Article 19(1), as well as to lay down the self-assessment methodology for Member States in accordance with Article 19(5), with the assistance of the Commission and ENISA, and, in cooperation with the Commission and ENISA, to develop codes of conduct underpinning the working methods of designated cybersecurity experts in accordance with Article 19(6);
(r) to prepare reports for the purpose of the review referred to in Article 40 on the experience gained at a strategic level and from peer reviews;
(s) to discuss and carry out on a regular basis an assessment of the state of play of cyber threats or incidents, such as ransomware.
The Cooperation Group shall submit the reports referred to in the first subparagraph, point (r), to the Commission, to the European Parliament and to the Council.
Member States shall ensure effective, efficient and secure cooperation of their representatives in the Cooperation Group.
The Cooperation Group may request from the CSIRTs network a technical report on selected topics.
By 1 February 2024 and every two years thereafter, the Cooperation Group shall establish a work programme in respect of actions to be undertaken to implement its objectives and tasks.
The Commission may adopt implementing acts laying down procedural arrangements necessary for the functioning of the Cooperation Group.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
The Commission shall exchange advice and cooperate with the Cooperation Group on the draft implementing acts referred to in the first subparagraph of this paragraph in accordance with paragraph (4), point (e).
The Cooperation Group shall meet on a regular basis and in any event at least once a year with the Critical Entities Resilience Group established under Directive (EU) 2022/2557 to promote and facilitate strategic cooperation and the exchange of information.
Relevant recitals
Recital 64 The Cooperation Group
The Cooperation Group should support and facilitate strategic cooperation and the exchange of information, as well as strengthen trust and confidence among Member States. The Cooperation Group should establish a work programme every two years. The work programme should include the actions to be undertaken by the Cooperation Group to implement its objectives and tasks. The timeframe for the establishment of the first work programme under this Directive should be aligned with the timeframe of the last work programme established under Directive (EU) 2016/1148 in order to avoid potential disruptions in the work of the Cooperation Group.
Recital 65 Guidance from the Cooperation Group
When developing guidance documents, the Cooperation Group should consistently map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, in particular as regards facilitating an alignment of the transposition of this Directive among Member States, to be addressed through a better implementation of existing rules. The Cooperation Group could also map the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across the Union. This is particularly relevant to sectors that have an international or cross-border nature.
Recital 66 Ways of working for the Cooperation Group
The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It could organise regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Cooperation Group and gather data and input on emerging policy challenges. Additionally, the Cooperation Group should carry out a regular assessment of the state of play of cyber threats or incidents, such as ransomware. In order to enhance cooperation at Union level, the Cooperation Group should consider inviting relevant Union institutions, bodies, offices and agencies involved in cybersecurity policy, such as the European Parliament, Europol, the European Data Protection Board, the European Union Aviation Safety Agency, established by Regulation (EU) 2018/1139, and the European Union Agency for Space Programme, established by Regulation (EU) 2021/696 of the European Parliament and the Council (14), to participate in its work.
(14) Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69).
Recital 134 Cooperation and assistance via the Cooperation Group
For the purpose of ensuring entities’ compliance with their obligations laid down in this Directive, Member States should cooperate with and assist each other with regard to supervisory and enforcement measures, in particular where an entity provides services in more than one Member State or where its network and information systems are located in a Member State other than that where it provides services. When providing assistance, the requested competent authority should take supervisory or enforcement measures in accordance with national law. In order to ensure the smooth functioning of mutual assistance under this Directive, the competent authorities should use the Cooperation Group as a forum to discuss cases and particular requests for assistance.
Recital 139 Implementing acts on the Cooperation Group, measures and reporting
In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the Cooperation Group and the technical and methodological as well as sectoral requirements concerning the cybersecurity risk-management measures, and to further specify the type of information, the format and the procedure of incident, cyber threat and near miss notifications and of significant cyber threat communications, as well as cases in which an incident is to be considered to be significant.
Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (23).
(23) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.