Article 19 Peer reviews

    1. The Cooperation Group shall, on 17 January 2025, establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity, as well as enhancing Member States’ cybersecurity capabilities and policies necessary to implement this Directive. Participation in peer reviews is voluntary. The peer reviews shall be carried out by cybersecurity experts. The cybersecurity experts shall be designated by at least two Member States, different from the Member State being reviewed.

    2. The peer reviews shall cover at least one of the following:

      (a) the level of implementation of the cybersecurity risk-management measures and reporting obligations laid down in Articles 21 and 23;

      (b) the level of capabilities, including the available financial, technical and human resources, and the effectiveness of the exercise of the tasks of the competent authorities;

      (c) the operational capabilities of the CSIRTs;

      (d) the level of implementation of mutual assistance referred to in Article 37;

      (e) the level of implementation of the cybersecurity information-sharing arrangements referred to in Article 29;

      (f) specific issues of cross-border or cross-sector nature.

    3. The methodology referred to in paragraph 1 shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States designate cybersecurity experts eligible to carry out the peer reviews. The Commission and ENISA shall participate as observers in the peer reviews.

    4. Member States may identify specific issues as referred to in paragraph 2, point (f), for the purposes of a peer review.

    5. Before commencing a peer review as referred to in paragraph 1, Member States shall notify the participating Member States of its scope, including the specific issues identified pursuant to paragraph 4.

    6. Prior to the commencement of the peer review, Member States may carry out a self-assessment of the reviewed aspects and provide that self-assessment to the designated cybersecurity experts. The Cooperation Group shall, with the assistance of the Commission and ENISA, lay down the methodology for the Member States’ self-assessment.

    7. Peer reviews shall entail physical or virtual on-site visits and off-site exchanges of information. In line with the principle of good cooperation, the Member State subject to the peer review shall provide the designated cybersecurity experts with the information necessary for the assessment, without prejudice to Union or national law concerning the protection of confidential or classified information and to the safeguarding of essential State functions, such as national security. The Cooperation Group, in cooperation with the Commission and ENISA, shall develop appropriate codes of conduct underpinning the working methods of designated cybersecurity experts. Any information obtained through the peer review shall be used solely for that purpose. The cybersecurity experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that peer review to any third parties.

    8. Once subject to a peer review, the same aspects reviewed in a Member State shall not be subject to a further peer review in that Member State for two years following the conclusion of the peer review, unless otherwise requested by the Member State or agreed upon after a proposal of the Cooperation Group.

    9. Member States shall ensure that any risk of conflict of interest concerning the designated cybersecurity experts is revealed to the other Member States, the Cooperation Group, the Commission and ENISA, before the commencement of the peer review. The Member State subject to the peer review may object to the designation of particular cybersecurity experts on duly substantiated grounds communicated to the designating Member State.

    10. Cybersecurity experts participating in peer reviews shall draft reports on the findings and conclusions of the peer reviews. Member States subject to a peer review may provide comments on the draft reports concerning them and such comments shall be attached to the reports. The reports shall include recommendations to enable improvement on the aspects covered by the peer review. The reports shall be submitted to the Cooperation Group and the CSIRTs network where relevant. A Member State subject to the peer review may decide to make its report, or a redacted version of it, publicly available.
