Source: OJ L 333, 27.12.2022, p. 80–152
Article 18 Report on the state of cybersecurity in the Union
Summary: What does Article 18 of the NIS 2 directive say?
This article assigns ENISA the task of producing a biennial Union-wide cybersecurity report, prepared in cooperation with the Commission and the Cooperation Group, and presented to the European Parliament.
The report serves as a broad health check of cybersecurity across the Union, covering everything from risk assessments and capability development to public awareness levels and how well Member States' national strategies align with one another.
Notably, it also draws in the outcomes of the peer review process established under Article 19, making it a consolidating article that brings together findings from several other mechanisms in the directive.
Important points:
- ENISA is required to produce and present a biennial cybersecurity state-of-the-Union report to the European Parliament, made available in machine-readable format.
- The report must include policy recommendations to address shortcomings, as well as a summary of findings from ENISA's EU Cybersecurity Technical Situation Reports.
- ENISA, together with the Commission, the Cooperation Group, and the CSIRTs network, must develop the methodology for the maturity and strategy alignment assessment included in the report.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
1. ENISA shall adopt, in cooperation with the Commission and the Cooperation Group, a biennial report on the state of cybersecurity in the Union and shall submit and present that report to the European Parliament. The report shall, inter alia, be made available in machine-readable data and include the following:
(a) a Union-level cybersecurity risk assessment, taking account of the cyber threat landscape;
(b) an assessment of the development of cybersecurity capabilities in the public and private sectors across the Union;
(c) an assessment of the general level of cybersecurity awareness and cyber hygiene among citizens and entities, including small and medium-sized enterprises;
(d) an aggregated assessment of the outcome of the peer reviews referred to in Article 19;
(e) an aggregated assessment of the level of maturity of cybersecurity capabilities and resources across the Union, including those at sector level, as well as of the extent to which the Member States’ national cybersecurity strategies are aligned.
2. The report shall include particular policy recommendations, with a view to addressing shortcomings and increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the EU Cybersecurity Technical Situation Reports on incidents and cyber threats prepared by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
3. ENISA, in cooperation with the Commission, the Cooperation Group and the CSIRTs network, shall develop the methodology, including the relevant variables, such as quantitative and qualitative indicators, of the aggregated assessment referred to in paragraph 1, point (e).
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition: incident
Definition: risk
Definition: network and information system
(a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
(b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition: cyber threat
Definition: entity
Definition: cybersecurity
Definition: national cybersecurity strategy