Article 21 Cybersecurity risk-management measures

Cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should take into account the degree of dependence of the essential or important entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; on network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and include measures to identify any risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, to prevent, detect, respond to and recover from incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; and to mitigate their impact. The security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; should include the security of stored, transmitted and processed data. Cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should provide for systemic analysis, taking into account the human factor, in order to have a complete picture of the security of the network and information systemmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;.

As threats to the security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; can have different origins, cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be based on an all-hazards approach, which aims to protect network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; and the physical environment of those systems from events such as theft, fire, flood, telecommunication or power failures, or unauthorised physical access and damage to, and interference with, an essential or important entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s information and information processing facilities, which could compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;. The cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should therefore also address the physical and environmental security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standardsmeans a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(29) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).;, such as those included in the ISO/IEC 27000 series. In that regard, essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should, as part of their cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022/2557.

In order to avoid imposing a disproportionate financial and administrative burden on essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be proportionate to the risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the network and information systemmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; concerned, taking into account the state-of-the-art of such measures, and, where applicable, relevant European and international standardsmeans a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(29) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).;, as well as the cost for their implementation.

Cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures should be proportionate to the degree of the essential or important entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s exposure to risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and to the societal and economic impact that an incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; would have. When establishing cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures adapted to essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, due account should be taken of the divergent riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; exposure of essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, such as the criticality of the entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including societal risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, to which it is exposed, the entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s size and the likelihood of occurrence of incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; and their severity, including their societal and economic impact.

Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should ensure the security of the network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; which they use in their activities. Those systems are primarily private network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; managed by the essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’ internal IT staff or the security of which has been outsourced. The cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; regardless of whether those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; maintain their network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; internally or outsource the maintenance thereof.

Taking account of their cross-border nature, DNS service providersmeans an entity that provides:publicly available recursive domain name resolution services for internet end-users; orauthoritative domain name resolution services for third-party use, with the exception of root name servers;, TLD name registries, cloud computing servicemeans a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre servicemeans a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; providers, content delivery networkmeans a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providersmeans an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providersmeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, providers of online marketplacesmeans an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council(31) Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22).;, of online search enginesmeans an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council(32) Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57).; and of social networking services platformsmeans a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, and trust service providersmeans a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; should be subject to a high degree of harmonisation at Union level. The implementation of cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures with regard to those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore be facilitated by an implementing act.

Addressing risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from an entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providersmeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; and software editors, is particularly important given the prevalence of incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; where entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entitymeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s network and information systemsmeans:an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; ordigital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; by exploiting vulnerabilitiesmeans a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; affecting third-party products and services. Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore assess and take into account the overall quality and resilience of products and services, the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures embedded in them, and the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; practices of their suppliers and service providers, including their secure development procedures. Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should in particular be encouraged to incorporate cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; could consider risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from other levels of suppliers and service providers.

Among service providers, managed security service providersmeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; in areas such as incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; response, penetration testing, security audits and consultancy play a particularly important role in assisting entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; in their efforts to prevent, detect, respond to or recover from incidentsmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;. Managed security service providersmeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management; have however also themselves been the target of cyberattacks and, because of their close integration in the operations of entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; pose a particular riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should therefore exercise increased diligence in selecting a managed security service providermeans a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;.

Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should also address risksmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including with regard to countering industrial espionage and protecting trade secrets. In particular, those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, when relying on data transformation and data analytics services from third parties, those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should take all appropriate cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures.

Essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threatsmeans a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, phishing or social engineering techniques. Furthermore, those entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should evaluate their own cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; capabilities and, where appropriate, pursue the integration of cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systemsmeans the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;.

This Directive should aim to ensure a high level of responsibility for the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and reporting obligations at the level of the essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;. Therefore, the management bodies of the essential and important entitiesmeans a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should approve the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures and oversee their implementation.

In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the Cooperation Group and the technical and methodological as well as sectoral requirements concerning the cybersecuritymeans cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures, and to further specify the type of information, the format and the procedure of incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, cyber threatmeans a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and near missmeans an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise; notifications and of significant cyber threatmeans a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; communications, as well as cases in which an incidentmeans an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; is to be considered to be significant. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(²³)Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..