Article 43 Amendment of Directive (EU) 2018/1972

Summary What does Article 43 of the NIS 2 directive say?

This is a brief housekeeping article that amends an existing piece of EU legislation.

It removes two specific articles from Directive (EU) 2018/1972, the European Electronic Communications Code, as a direct consequence of this Directive coming into force.

The logic is straightforward: those deleted articles previously governed cybersecurity obligations for electronic communications providers, which are now brought within the scope of this Directive instead.

Important points:

Articles 40 and 41 of Directive (EU) 2018/1972 are deleted with effect from 18 October 2024.
This deletion reflects that cybersecurity obligations for electronic communications providers are now governed by this Directive.
The change takes effect on the same date Member States are required to apply the measures of this Directive.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

In Directive (EU) 2018/1972, Articles 40 and 41 are deleted with effect from 18 October 2024.

Relevant recitals

Recital 95 Relation to the electronic communication code (ECC) directive

Where appropriate and in order to avoid unnecessary disruption, existing national guidelines adopted for the transposition of the rules related to security measures laid down in Articles 40 and 41 of Directive (EU) 2018/1972 should be taken into account in the transposition of this Directive, thereby building on the knowledge and skills already acquired under Directive (EU) 2018/1972 concerning security measures and incident notifications. ENISA can also develop guidance on security requirements and on reporting obligations for providers of public electronic communications networks or of publicly available electronic communications services to facilitate harmonisation and transition and to minimise disruption. Member States can assign the role of the competent authorities for electronic communications to the national regulatory authorities under Directive (EU) 2018/1972 in order to ensure the continuation of current practices and to build on the knowledge and experience gained as a result of the implementation of that Directive.

Recital 96 Security of number-independent interpersonal communications

Given the growing importance of number-independent interpersonal communications services as defined in Directive (EU) 2018/1972, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. As the attack surface continues to expand, number-independent interpersonal communications services, such as messaging services, are becoming widespread attack vectors. Malicious perpetrators use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and, by extension, the security of network and information systems. Providers of number-independent interpersonal communications services should ensure a level of security of network and information systems appropriate to the risks posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risks posed to such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services as defined in Directive (EU) 2018/1972 which make use of numbers and which do not exercise actual control over signal transmission.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.