Beta

Source: OJ L 333, 27.12.2022, p. 80–152

EN

Article 2 Scope

    1. This Directive applies to public or private entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of a type referred to in Annex I or II which qualify as medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises means a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million; provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.

    2. Article 3(4) of the Annex to that Recommendation shall not apply for the purposes of this Directive.

    1. Regardless of their size, this Directive also applies to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; of a type referred to in Annex I or II, where:

      1. services are provided by:

        1. providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;;

        2. trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;;

        3. top-level domain name registries or ‘TLD name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use; and domain name system or ‘DNS’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources; service providers;

      2. the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;

      3. disruption of the service provided by the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; could have a significant impact on public safety, public security or public health;

      4. disruption of the service provided by the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; could induce a significant systemic risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, in particular for sectors where such disruption could have a cross-border impact;

      5. the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;

      6. the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; is a public administration entity means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria::

        1. of central government as defined by a Member State in accordance with national law; or

        2. at regional level as defined by a Member State in accordance with national law that, following a risk-based assessment, provides services the disruption of which could have a significant impact on critical societal or economic activities.

    1. Regardless of their size, this Directive applies to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; identified as critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; under Directive (EU) 2022/2557.

    1. Regardless of their size, this Directive applies to entities providing domain name registration services means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;.

    1. Member States may provide for this Directive to apply to:

      1. public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: at local level;

      2. education institutions, in particular where they carry out critical research activities.

    1. This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.

    1. This Directive does not apply to public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.

    1. Member States may exempt specific entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, or which provide services exclusively to the public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: referred to in paragraph 7 of this Article, from the obligations laid down in Article 21 or 23 with regard to those activities or services. In such cases, the supervisory and enforcement measures referred to in Chapter VII shall not apply in relation to those specific activities or services. Where the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; carry out activities or provide services exclusively of the type referred to in this paragraph, Member States may decide also to exempt those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; from the obligations laid down in Articles 3 and 27.

    1. Paragraphs 7 and 8 shall not apply where an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; acts as a trust service provider means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;.

    1. This Directive does not apply to entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; which Member States have exempted from the scope of Regulation (EU) 2022/2554 in accordance with Article 2(4) of that Regulation.

    1. The obligations laid down in this Directive shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.

    1. This Directive applies without prejudice to Regulation (EU) 2016/679, Directive 2002/58/EC, Directives 2011/93/EU (27)Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1). and 2013/40/EU (28)Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8). of the European Parliament and of the Council and Directive (EU) 2022/2557.

    1. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union or national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities in accordance with this Directive only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned.

    1. Entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, the competent authoritiesas defined in Article 46, the single points of contact and the CSIRTscomputer security incident response teams shall process personal data to the extent necessary for the purposes of this Directive and in accordance with Regulation (EU) 2016/679, in particular such processing shall rely on Article 6 thereof.

    2. The processing of personal data pursuant to this Directive by providers of public electronic communications networks means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972; or providers of publicly available electronic communications services means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972; shall be carried out in accordance with Union data protection law and Union privacy law, in particular Directive 2002/58/EC.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod