Beta

Source: OJ L 333, 27.12.2022, p. 80–152

EN

Article 21 Cybersecurity risk-management measures

    1. Member States shall ensure that essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; take appropriate and proportionate technical, operational and organisational measures to manage the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; which those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; on recipients of their services and on other services.

    2. Taking into account the state-of-the-art and, where applicable, relevant European and international standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; appropriate to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s exposure to risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s size and the likelihood of occurrence of incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; and their severity, including their societal and economic impact.

    1. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems means: any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; and the physical environment of those systems from incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, and shall include at least the following:

      1. policies on risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; analysis and information system security;

      2. incident handling means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident;;

      3. business continuity, such as backup management and disaster recovery, and crisis management;

      4. supply chain security, including security-related aspects concerning the relationships between each entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; and its direct suppliers or service providers;

      5. security in network and information systems means: any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; acquisition, development and maintenance, including vulnerability means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; handling and disclosure;

      6. policies and procedures to assess the effectiveness of cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures;

      7. basic cyber hygiene practices and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; training;

      8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;

      9. human resources security, access control policies and asset management;

      10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, where appropriate.

    1. Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; take into account the vulnerabilities means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat; specific to each direct supplier and service provider and the overall quality of products and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; are required to take into account the results of the coordinated security risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessments of critical supply chains carried out in accordance with Article 22(1).

    1. Member States shall ensure that an entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.

    1. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providers means an entity that provides:, TLD name registries, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, providers of online market places, of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, and trust service providers means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;.

    2. The Commission may adopt implementing acts laying down the technical and the methodological requirements, as well as sectoral requirements, as necessary, of the measures referred to in paragraph 2 with regard to essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; other than those referred to in the first subparagraph of this paragraph.

    3. When preparing the implementing acts referred to in the first and second subparagraphs of this paragraph, the Commission shall, to the extent possible, follow European and international standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (^29^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)., as well as relevant technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012;. The Commission shall exchange advice and cooperate with the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and ENISA on the draft implementing acts in accordance with Article 14(4), point (e).

    4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod