Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 8 Competent authorities and single points of contact
Summary What does Article 8 of the NIS 2 directive say?
This is a key structural article establishing the national governance architecture required under the Directive.
Each Member State must designate or establish competent authorities responsible for cybersecurity and supervision, as well as a single point of contact.
The single point of contact serves a coordination role, bridging cross-border cooperation with other Member States, the Commission, and ENISA, as well as cross-sectoral cooperation domestically.
The article connects directly to Chapter VII of the Directive, which governs the supervisory and enforcement powers that these competent authorities are required to exercise.
Important points:
- Member States are required to designate or establish one or more competent authorities for cybersecurity and a single point of contact, which can be the same body.
- Single points of contact act as liaison functions for cross-border and cross-sectoral cooperation, including with the Commission and ENISA.
- Member States must notify the Commission of the identity of their competent authority and single point of contact, and the Commission is required to make the list of single points of contact publicly available.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks referred to in Chapter VII (competent authorities).
The competent authorities referred to in paragraph 1 shall monitor the implementation of this Directive at national level.
Each Member State shall designate or establish a single point of contact. Where a Member State designates or establishes only one competent authority pursuant to paragraph 1, that competent authority shall also be the single point of contact for that Member State.
Each single point of contact shall exercise a liaison function to ensure cross-border cooperation of its Member State’s authorities with the relevant authorities of other Member States, and, where appropriate, with the Commission and ENISA, as well as to ensure cross-sectoral cooperation with other competent authorities within its Member State.
Member States shall ensure that their competent authorities and single points of contact have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them and thereby to fulfil the objectives of this Directive.
Each Member State shall notify the Commission without undue delay of the identity of the competent authority referred to in paragraph 1 and of the single point of contact referred to in paragraph 3, of the tasks of those authorities, and of any subsequent changes thereto. Each Member State shall make public the identity of its competent authority. The Commission shall make a list of the single points of contact publicly available.
Relevant recitals
Recital 38 One or more competent authorities
In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks under this Directive.
Recital 39 National single point of contact
In order to facilitate cross-border cooperation and communication among authorities and to enable this Directive to be implemented effectively, it is necessary for each Member State to designate a single point of contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at Union level.
Recital 40 Tasks of the single point of contact
The single points of contact should ensure effective cross-border cooperation with relevant authorities of other Member States and, where appropriate, with the Commission and ENISA. The single points of contact should therefore be tasked with forwarding notifications of significant incidents with cross-border impact to the single points of contact of other affected Member States upon the request of the CSIRT or the competent authority. At national level, the single points of contact should enable smooth cross-sectoral cooperation with other competent authorities. The single points of contact could also be the addressees of relevant information about incidents concerning financial entities from the competent authorities under Regulation (EU) 2022/2554 which they should be able to forward, as appropriate, to the CSIRTs or the competent authorities under this Directive.
Recital 87 Security of competent authorities
The competent authorities, in the context of their supervisory tasks, may also benefit from cybersecurity services such as security audits, penetration testing or incident responses.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
security of network and information systems
Definition
incident
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
entity
Definition
cybersecurity