Source: OJ L 333, 27.12.2022, p. 80–152

Article 40 Review


Summary

What does Article 40 of the NIS 2 Directive say?

This is a review clause that places an obligation on the Commission to periodically assess how the Directive is functioning in practice.

The focus of the review is notably specific: rather than a general health-check, it targets whether the scoping criteria — entity size, sectors, subsectors, and types of entity — remain appropriate for the economy and society from a cybersecurity perspective.

To inform this assessment, the Commission must draw on the outputs of the Cooperation Group and the CSIRTs network, connecting this article directly to those cooperative bodies established elsewhere in the Directive.

Important points:

  • The Commission is required to conduct a review by 17 October 2027 and every 36 months after that, reporting to the European Parliament and the Council.
  • The review must specifically assess whether the size thresholds and sectoral scope set out in Annexes I and II remain fit for purpose in relation to cybersecurity.
  • The report may be accompanied by a legislative proposal, meaning the Directive's scope could be revised as a result of the review.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of the size of the entities concerned, and the sectors, subsectors and types of entity referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. To that end and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The report shall be accompanied, where necessary, by a legislative proposal.

