Art. 10 Significant incidents with regard to managed service providers and managed security service providers | Cybersecurity measures and significant incidents for relevant entities | NIS 2

With regard to managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely; and managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, an incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; shall be considered significant under Article 3(1)(g) where it fulfils one or more of the following criteria:

a managed service or managed security service is completely unavailable for more than 30 minutes;
the availability of a managed service or managed security service is limited for more than 5 % of the service’s users in the Union, or for more than 1 million of the service’s users in the Union, whichever number is smaller, for a duration of more than one hour;
the integrity, confidentiality or authenticity of stored, transmitted or processed data related to the provision of a managed service or managed security service is compromised as a result of a suspectedly malicious action;
the integrity, confidentiality or authenticity of stored, transmitted or processed data related to the provision of a managed service or a managed security service, is compromised with an impact on more than 5 % of that managed service’s or that managed security service’s users in the Union, or on more than 1 million of the service users in the Union, whichever number is smaller.