Source: OJ L 333, 27.12.2022, p. 80–152
- NIS 2 directive
Article 4: Sector-specific Union legal acts
Summary: What does Article 4 of the NIS 2 directive say?
This article establishes a "lex specialis" carve-out: where sector-specific EU legislation already requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to the obligations in this Directive, the relevant provisions of this Directive, including the supervision and enforcement provisions of Chapter VII, do not apply to those entities.
It effectively prevents double regulation.
The article also defines what counts as "equivalent in effect", tying the test to the risk-management measures of Article 21(1) and (2) and to the significant-incident notification requirements of Article 23(1) to (6), and tasks the Commission with issuing, and regularly reviewing, guidelines on how the test applies.
Important points:
- If your entity is already subject to equivalent sector-specific EU cybersecurity rules, the relevant provisions of this Directive do not apply to it. The carve-out works entity by entity, not sector-wide: entities in the same sector that the sector-specific act does not cover remain subject to this Directive.
- Equivalence is measured against the cybersecurity risk-management measures in Article 21(1) and (2), or against the significant-incident notification requirements in Article 23(1) to (6). For the incident-notification limb, the sector-specific act must also give the CSIRTs, competent authorities or single points of contact under this Directive immediate access to the notifications, where appropriate automatically and directly.
- The Commission was required to publish guidelines clarifying the application of the carve-out and the equivalence test by 17 July 2023, to review them regularly, and to take into account any observations of the Cooperation Group and ENISA when preparing them.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities. Where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.
2. The requirements referred to in paragraph 1 of this Article shall be considered to be equivalent in effect to the obligations laid down in this Directive where:
(a) cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2); or
(b) the sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive.
3. The Commission shall, by 17 July 2023, provide guidelines clarifying the application of paragraphs 1 and 2. The Commission shall review those guidelines on a regular basis. When preparing those guidelines, the Commission shall take into account any observations of the Cooperation Group and ENISA.
This text is provided by Springlex purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition: network and information system
- (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;