Beta

Source: OJ L 333, 27.12.2022, p. 80–152

EN

Article 21 Cybersecurity risk-management measures

    1. Member States shall ensure that essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; take appropriate and proportionate technical, operational and organisational measures to manage the risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; which those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; use for their operations or for the provision of their services, and to prevent or minimise the impact of incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; on recipients of their services and on other services.

    2. Taking into account the state-of-the-art and, where applicable, relevant European and international standardsmeans a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(^29^);Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; appropriate to the risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s exposure to risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s size and the likelihood of occurrence of incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; and their severity, including their societal and economic impact.

    1. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and the physical environment of those systems from incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, and shall include at least the following:

      1. policies on riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; analysis and information system security;

      2. incident handlingmeans any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident;;

      3. business continuity, such as backup management and disaster recovery, and crisis management;

      4. supply chain security, including security-related aspects concerning the relationships between each entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and its direct suppliers or service providers;

      5. security in network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; acquisition, development and maintenance, including vulnerabilitymeans a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; handling and disclosure;

      6. policies and procedures to assess the effectiveness of cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures;

      7. basic cyber hygiene practices and cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; training;

      8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;

      9. human resources security, access control policies and asset management;

      10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, where appropriate.

    1. Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; take into account the vulnerabilitiesmeans a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; specific to each direct supplier and service provider and the overall quality of products and cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are required to take into account the results of the coordinated security riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains carried out in accordance with Article 22(1).

    1. Member States shall ensure that an entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.

    1. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providersmeans an entity that provides:publicly available recursive domain name resolution services for internet end-users; orauthoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, cloud computing servicemeans a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre servicemeans a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery networkmeans a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providersmeans an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providersmeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, providers of online market places, of online search enginesmeans an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council(^32^);Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platformsmeans a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, and trust service providersmeans a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;.

    2. The Commission may adopt implementing acts laying down the technical and the methodological requirements, as well as sectoral requirements, as necessary, of the measures referred to in paragraph 2 with regard to essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; other than those referred to in the first subparagraph of this paragraph.

    3. When preparing the implementing acts referred to in the first and second subparagraphs of this paragraph, the Commission shall, to the extent possible, follow European and international standardsmeans a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(^29^);Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., as well as relevant technical specificationsmeans a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012;. The Commission shall exchange advice and cooperate with the Cooperation Group and ENISA on the draft implementing acts in accordance with Article 14(4), point (e).

    4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod