Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 30 Voluntary notification of relevant information
Summary What does Article 30 of the NIS 2 directive say?
This article sits alongside the mandatory reporting framework established under Article 23, creating a parallel voluntary notification channel.
It opens up the ability for both in-scope and out-of-scope entities to report incidents, cyber threats, and near misses to CSIRTs or competent authorities on a voluntary basis.
Importantly, the article includes a protection for those who choose to report voluntarily, ensuring they do not take on any additional obligations simply by virtue of having reported.
Important points:
- Essential and important entities, as well as any other entities regardless of whether they fall within the scope of this Directive, can voluntarily notify CSIRTs or competent authorities of incidents, cyber threats, and near misses.
- Member States may prioritise the processing of mandatory notifications over voluntary ones.
- Voluntary reporting shall not result in any additional obligations being imposed on the notifying entity that would not have applied had it not submitted the notification.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Member States shall ensure that, in addition to the notification obligation provided for in Article 23, notifications can be submitted to the CSIRTs or, where applicable, the competent authorities, on a voluntary basis, by:
essential and important entities with regard to incidents, cyber threats and near misses;
entities other than those referred to in point (a), regardless of whether they fall within the scope of this Directive, with regard to significant incidents, cyber threats and near misses.
Member States shall process the notifications referred to in paragraph 1 of this Article in accordance with the procedure laid down in Article 23. Member States may prioritise the processing of mandatory notifications over voluntary notifications.
Where necessary, the CSIRTs and, where applicable, the competent authorities shall provide the single points of contact with the information about notifications received pursuant to this Article, while ensuring the confidentiality and appropriate protection of the information provided by the notifying entity. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon the notifying entity to which it would not have been subject had it not submitted the notification.
Relevant recitals
Recital 105 Voluntary reporting of cyber threats
A proactive approach to cyber threats is a vital component of cybersecurity risk management that should enable the competent authorities to effectively prevent cyber threats from materialising into incidents that may cause considerable material or non-material damage. For that purpose, the notification of cyber threats is of key importance. To that end, entities are encouraged to report on a voluntary basis cyber threats.
Recital 119 Obstacles to information sharing
With cyber threats becoming more complex and sophisticated, good detection of such threats and their prevention measures depend to a large extent on regular threat and vulnerability intelligence sharing between entities. Information sharing contributes to an increased awareness of cyber threats, which, in turn, enhances entities’ capacity to prevent such threats from materialising into incidents and enables entities to better contain the effects of incidents and recover more efficiently. In the absence of guidance at Union level, various factors seem to have inhibited such intelligence sharing, in particular uncertainty over the compatibility with competition and liability rules.
Recital 120 Encouragement of information sharing
Entities should be encouraged and assisted by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately prevent, detect, respond to or recover from incidents or to mitigate their impact. It is thus necessary to enable the emergence at Union level of voluntary cybersecurity information-sharing arrangements. To that end, Member States should actively assist and encourage entities, such as those providing cybersecurity services and research, as well as relevant entities not falling within the scope of this Directive, to participate in such cybersecurity information-sharing arrangements. Those arrangements should be established in accordance with the Union competition rules and Union data protection law.
Recital 139 Implementing acts on the Cooperation Group, measures and reporting
In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the Cooperation Group and the technical and methodological as well as sectoral requirements concerning the cybersecurity risk-management measures, and to further specify the type of information, the format and the procedure of incident, cyber threat and near miss notifications and of significant cyber threat communications, as well as cases in which an incident is to be considered to be significant. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(23).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
significant cyber threat
Definition
incident
Definition
risk
Definition
ICT product
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
ICT service
Definition
cyber threat
Definition
entity
Definition
cybersecurity
Definition
vulnerability
Definition
near miss
Footnote 23