Source: OJ L 333, 27.12.2022, p. 80–152
NIS 2 Directive
Article 22 Union level coordinated security risk assessments of critical supply chains
1. The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors.
2. The Commission, after consulting the Cooperation Group and ENISA, and, where necessary, relevant stakeholders, shall identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.
Relevant recitals
Recital 85 Supply chain security
Addressing risks stemming from an entity’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers and software editors, is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services. Essential and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Essential and important entities should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entities could consider risks stemming from other levels of suppliers and service providers.
Recital 90 Coordinated security risk assessments of critical supply chains
To further address key supply chain risks and assist essential and important entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related risks, the Cooperation Group, in cooperation with the Commission and ENISA, and where appropriate after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains, as carried out for 5G networks following Commission Recommendation (EU) 2019/534 (19), with the aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities.
Such coordinated security risk assessments should identify measures, mitigation plans and best practices to counter critical dependencies, potential single points of failure, threats, vulnerabilities and other risks associated with the supply chain and should explore ways to further encourage their wider adoption by essential and important entities. Potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities or backdoors and potential systemic supply disruptions, in particular in the case of technological lock-in or provider dependency.
(19) Commission Recommendation (EU) 2019/534 of 26 March 2019 – Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Recital 91 Identification of critical supply chains
The coordinated security risk assessments of critical supply chains, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU coordinated risk assessment of the cybersecurity of 5G networks and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products; (ii) the relevance of specific critical ICT services, ICT systems or ICT products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, ICT systems or ICT products; (iv) the resilience of the overall supply chain of ICT services, ICT systems or ICT products throughout their lifecycle against disruptive events; and (v) for emerging ICT services, ICT systems or ICT products, their potential future significance for the entities’ activities. Furthermore, particular emphasis should be placed on ICT services, ICT systems or ICT products that are subject to specific requirements stemming from third countries.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.