Source: OJ L 333, 27.12.2022, p. 80–152
NIS 2 directive
Article 29 Cybersecurity information-sharing arrangements
1. Member States shall ensure that entities falling within the scope of this Directive and, where relevant, other entities not falling within the scope of this Directive are able to exchange on a voluntary basis relevant cybersecurity information among themselves, including information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversarial tactics, threat-actor-specific information, cybersecurity alerts and recommendations regarding configuration of cybersecurity tools to detect cyberattacks, where such information sharing:
(a) aims to prevent, detect, respond to or recover from incidents or to mitigate their impact;
(b) enhances the level of cybersecurity, in particular through raising awareness in relation to cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages or promoting collaborative cyber threat research between public and private entities.
2. Member States shall ensure that the exchange of information takes place within communities of essential and important entities, and where relevant, their suppliers or service providers. Such exchange shall be implemented through cybersecurity information-sharing arrangements in respect of the potentially sensitive nature of the information shared.
3. Member States shall facilitate the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 of this Article. Such arrangements may specify operational elements, including the use of dedicated ICT platforms and automation tools, content and conditions of the information-sharing arrangements. In laying down the details of the involvement of public authorities in such arrangements, Member States may impose conditions on the information made available by the competent authorities or the CSIRTs. Member States shall offer assistance for the application of such arrangements in accordance with their policies referred to in Article 7(2), point (h).
4. Member States shall ensure that essential and important entities notify the competent authorities of their participation in the cybersecurity information-sharing arrangements referred to in paragraph 2, upon entering into such arrangements, or, as applicable, of their withdrawal from such arrangements, once the withdrawal takes effect.
5. ENISA shall provide assistance for the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 by exchanging best practices and providing guidance.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.