Source: OJ L 333, 27.12.2022, p. 80–152
NIS 2 Directive
Article 23 Reporting obligations
1. Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4 of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 (significant incident). Where appropriate, entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services.
Each Member State shall ensure that those entities report, inter alia, any information enabling the CSIRT or, where applicable, the competent authority to determine any cross-border impact of the incident. The mere act of notification shall not subject the notifying entity to increased liability.
Where the entities concerned notify the competent authority of a significant incident under the first subparagraph, the Member State shall ensure that that competent authority forwards the notification to the CSIRT upon receipt.
In the case of a cross-border or cross-sectoral significant incident, Member States shall ensure that their single points of contact are provided in due time with relevant information notified in accordance with paragraph 4.
2. Where applicable, Member States shall ensure that essential and important entities communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat. Where appropriate, the entities shall also inform those recipients of the significant cyber threat itself.
3. An incident shall be considered to be significant if:
(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
4. Member States shall ensure that, for the purpose of notification under paragraph 1, the entities concerned submit to the CSIRT or, where applicable, the competent authority:
(a) without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
(b) without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
(c) upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates;
(d) a final report not later than one month after the submission of the incident notification under point (b), including the following:
(i) a detailed description of the incident, including its severity and impact;
(ii) the type of threat or root cause that is likely to have triggered the incident;
(iii) applied and ongoing mitigation measures;
(iv) where applicable, the cross-border impact of the incident;
(e) in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident.
By way of derogation from the first subparagraph, point (b), a trust service provider shall, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT or, where applicable, the competent authority, without undue delay and in any event within 24 hours of becoming aware of the significant incident.
5. The CSIRT or the competent authority shall provide, without undue delay and where possible within 24 hours of receiving the early warning referred to in paragraph 4, point (a), a response to the notifying entity, including initial feedback on the significant incident and, upon request of the entity, guidance or operational advice on the implementation of possible mitigation measures. Where the CSIRT is not the initial recipient of the notification referred to in paragraph 1, the guidance shall be provided by the competent authority in cooperation with the CSIRT. The CSIRT shall provide additional technical support if the entity concerned so requests.
Where the significant incident is suspected to be of criminal nature, the CSIRT or the competent authority shall also provide guidance on reporting the significant incident to law enforcement authorities.
6. Where appropriate, and in particular where the significant incident concerns two or more Member States, the CSIRT, the competent authority or the single point of contact shall inform, without undue delay, the other affected Member States and ENISA of the significant incident. Such information shall include the type of information received in accordance with paragraph 4. In so doing, the CSIRT, the competent authority or the single point of contact shall, in accordance with Union or national law, preserve the entity’s security and commercial interests as well as the confidentiality of the information provided.
7. Where public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or where disclosure of the significant incident is otherwise in the public interest, a Member State’s CSIRT or, where applicable, its competent authority, and, where appropriate, the CSIRTs or the competent authorities of other Member States concerned, may, after consulting the entity concerned, inform the public about the significant incident or require the entity to do so.
8. At the request of the CSIRT or the competent authority, the single point of contact shall forward notifications received pursuant to paragraph 1 to the single points of contact of other affected Member States.
9. The single point of contact shall submit to ENISA every three months a summary report, including anonymised and aggregated data on significant incidents, incidents, cyber threats and near misses notified in accordance with paragraph 1 of this Article and with Article 30. In order to contribute to the provision of comparable information, ENISA may adopt technical guidance on the parameters of the information to be included in the summary report. ENISA shall inform the Cooperation Group and the CSIRTs network about its findings on notifications received every six months.
10. The CSIRTs or, where applicable, the competent authorities shall provide to the competent authorities under Directive (EU) 2022/2557 information about significant incidents, incidents, cyber threats and near misses notified in accordance with paragraph 1 of this Article and with Article 30 by entities identified as critical entities under Directive (EU) 2022/2557.
11. The Commission may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraph 1 of this Article and to Article 30 and of a communication submitted pursuant to paragraph 2 of this Article.
By 17 October 2024, the Commission shall, with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, adopt implementing acts further specifying the cases in which an incident shall be considered to be significant as referred to in paragraph 3. The Commission may adopt such implementing acts with regard to other essential and important entities.
The Commission shall exchange advice and cooperate with the Cooperation Group on the draft implementing acts referred to in the first and second subparagraphs of this paragraph in accordance with Article 14(4), point (e).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Relevant recitals
Recital 83 Responsibility regardless of outsourcing
Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities’ internal IT staff or the security of which has been outsourced.
The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.
Recital 101 Multi-stage incident reporting approach
This Directive lays down a multiple-stage approach to the reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows essential and important entities to seek assistance, and, on the other, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual entities and entire sectors.
In that regard, this Directive should include the reporting of incidents that, based on an initial assessment carried out by the entity concerned, could cause severe operational disruption of the services or financial loss for that entity or affect other natural or legal persons by causing considerable material or non-material damage. Such initial assessment should take into account, inter alia, the affected network and information systems, in particular their importance in the provision of the entity’s services, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the entity’s experience with similar incidents. Indicators such as the extent to which the functioning of the service is affected, the duration of an incident or the number of affected recipients of services could play an important role in identifying whether the operational disruption of the service is severe.
Recital 102 Early warning, incident notification and final report
Where essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, where available. A final report should be submitted not later than one month after the incident notification. The early warning should only include the information necessary to make the CSIRT, or where applicable the competent authority, aware of the significant incident and allow the entity concerned to seek assistance, if required. Such early warning, where applicable, should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact.
Member States should ensure that the obligation to submit that early warning, or the subsequent incident notification, does not divert the notifying entity’s resources from activities related to incident handling that should be prioritised, in order to prevent incident reporting obligations from either diverting resources from significant incident response handling or otherwise compromising the entity’s efforts in that respect.
In the event of an ongoing incident at the time of the submission of the final report, Member States should ensure that entities concerned provide a progress report at that time, and a final report within one month of their handling of the significant incident.
Recital 103 Communication of significant cyber threats
Where applicable, essential and important entities should communicate, without undue delay, to their service recipients any measures or remedies that they can take to mitigate the resulting risks from a significant cyber threat. Those entities should, where appropriate and in particular where the significant cyber threat is likely to materialise, also inform their service recipients of the threat itself.
The requirement to inform those recipients of significant cyber threats should be met on a best efforts basis but should not discharge those entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any such threats and restore the normal security level of the service. The provision of such information about significant cyber threats to the service recipients should be free of charge and drafted in easily comprehensible language.
Recital 105 Voluntary reporting of cyber threats
A proactive approach to cyber threats is a vital component of cybersecurity risk management that should enable the competent authorities to effectively prevent cyber threats from materialising into incidents that may cause considerable material or non-material damage. For that purpose, the notification of cyber threats is of key importance. To that end, entities are encouraged to report on a voluntary basis cyber threats.
Recital 106 Technical means to simplify reporting
In order to simplify the reporting of information required under this Directive as well as to decrease the administrative burden for entities, Member States should provide technical means such as a single entry point, automated systems, online forms, user-friendly interfaces, templates, dedicated platforms for the use of entities, regardless of whether they fall within the scope of this Directive, for the submission of the relevant information to be reported. Union funding supporting the implementation of this Directive, in particular within the Digital Europe programme, established by Regulation (EU) 2021/694 of the European Parliament and of the Council (21), could include support for single entry points. Furthermore, entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments.
Such cases create additional administrative burden and could also lead to uncertainties with regard to the format and procedures of such notifications. Where a single entry point is established, Member States are encouraged also to use that single entry point for notifications of security incidents required under other Union law, such as Regulation (EU) 2016/679 and Directive 2002/58/EC. The use of such single entry point for reporting of security incidents under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines to simplify and streamline the information to be reported under Union law and decrease the administrative burden on notifying entities.
(21) Regulation (EU) 2021/694 of the European Parliament and of the Council of 29 April 2021 establishing the Digital Europe Programme and repealing Decision (EU) 2015/2240 (OJ L 166, 11.5.2021, p. 1).
Recital 107 Reporting incidents to law enforcement
Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.
Recital 139 Implementing acts on the Cooperation Group, measures and reporting
In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the Cooperation Group and the technical and methodological as well as sectoral requirements concerning the cybersecurity risk-management measures, and to further specify the type of information, the format and the procedure of incident, cyber threat and near miss notifications and of significant cyber threat communications, as well as cases in which an incident is to be considered to be significant.
Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (23).
(23) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
Springlex and this text are meant purely as a documentation tool and have no legal effect. No liability is assumed for their content. The authentic version of this act is the one published in the Official Journal of the European Union.