Beta

Source: OJ L 333, 27.12.2022, p. 80–152

EN

Article 23 Reporting obligations

    1. Each Member State shall ensure that essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; notify, without undue delay, its CSIRT or, where applicable, its competent authorityas defined in Article 46 in accordance with paragraph 4 of any incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; that has a significant impact on the provision of their services as referred to in paragraph 3 (significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;). Where appropriate, entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned shall notify, without undue delay, the recipients of their services of significant incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; that are likely to adversely affect the provision of those services. Each Member State shall ensure that those entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; report, inter alia, any information enabling the CSIRT or, where applicable, the competent authorityas defined in Article 46 to determine any cross-border impact of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;. The mere act of notification shall not subject the notifying entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to increased liability.

    2. Where the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned notify the competent authorityas defined in Article 46 of a significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; under the first subparagraph, the Member State shall ensure that that competent authorityas defined in Article 46 forwards the notification to the CSIRT upon receipt.

    3. In the case of a cross-border or cross-sectoral significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, Member States shall ensure that their single points of contact are provided in due time with relevant information notified in accordance with paragraph 4.

    1. Where applicable, Member States shall ensure that essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; any measures or remedies that those recipients are able to take in response to that threat. Where appropriate, the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; shall also inform those recipients of the significant cyber threat means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage; itself.

    1. An incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; shall be considered to be significant if:

      1. it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned;

      2. it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

    1. Member States shall ensure that, for the purpose of notification under paragraph 1, the entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned submit to the CSIRT or, where applicable, the competent authorityas defined in Article 46:

      1. without undue delay and in any event within 24 hours of becoming aware of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, an early warning, which, where applicable, shall indicate whether the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;

      2. without undue delay and in any event within 72 hours of becoming aware of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, an incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, including its severity and impact, as well as, where available, the indicators of compromise;

      3. upon the request of a CSIRT or, where applicable, the competent authorityas defined in Article 46, an intermediate report on relevant status updates;

      4. a final report not later than one month after the submission of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; notification under point (b), including the following:

        1. a detailed description of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, including its severity and impact;

        2. the type of threat or root cause that is likely to have triggered the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;;

        3. applied and ongoing mitigation measures;

        4. where applicable, the cross-border impact of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;;

      5. in the event of an ongoing incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned provide a progress report at that time and a final report within one month of their handling of the incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;.

    2. By way of derogation from the first subparagraph, point (b), a trust service provider means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014; shall, with regard to significant incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; that have an impact on the provision of its trust services means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014;, notify the CSIRT or, where applicable, the competent authorityas defined in Article 46, without undue delay and in any event within 24 hours of becoming aware of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;.

    1. The CSIRT or the competent authorityas defined in Article 46 shall provide, without undue delay and where possible within 24 hours of receiving the early warning referred to in paragraph 4, point (a), a response to the notifying entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, including initial feedback on the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; and, upon request of the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, guidance or operational advice on the implementation of possible mitigation measures. Where the CSIRT is not the initial recipient of the notification referred to in paragraph 1, the guidance shall be provided by the competent authorityas defined in Article 46 in cooperation with the CSIRT. The CSIRT shall provide additional technical support if the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned so requests. Where the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; is suspected to be of criminal nature, the CSIRT or the competent authorityas defined in Article 46 shall also provide guidance on reporting the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; to law enforcement authorities.

    1. Where appropriate, and in particular where the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; concerns two or more Member States, the CSIRT, the competent authorityas defined in Article 46 or the single point of contact shall inform, without undue delay, the other affected Member States and ENISA of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;. Such information shall include the type of information received in accordance with paragraph 4. In so doing, the CSIRT, the competent authorityas defined in Article 46 or the single point of contact shall, in accordance with Union or national law, preserve the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;’s security and commercial interests as well as the confidentiality of the information provided.

    1. Where public awareness is necessary to prevent a significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; or to deal with an ongoing significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, or where disclosure of the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; is otherwise in the public interest, a Member State’s CSIRT or, where applicable, its competent authorityas defined in Article 46, and, where appropriate, the CSIRTscomputer security incident response teams or the competent authoritiesas defined in Article 46 of other Member States concerned, may, after consulting the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; concerned, inform the public about the significant incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; or require the entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; to do so.

    1. At the request of the CSIRT or the competent authorityas defined in Article 46, the single point of contact shall forward notifications received pursuant to paragraph 1 to the single points of contact of other affected Member States.

    1. The single point of contact shall submit to ENISA every three months a summary report, including anonymised and aggregated data on significant incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and near misses notified in accordance with paragraph 1 of this Article and with Article 30. In order to contribute to the provision of comparable information, ENISA may adopt technical guidance on the parameters of the information to be included in the summary report. ENISA shall inform the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; and the CSIRTscomputer security incident response teams network about its findings on notifications received every six months.

    1. The CSIRTscomputer security incident response teams or, where applicable, the competent authoritiesas defined in Article 46 shall provide to the competent authoritiesas defined in Article 46 under Directive (EU) 2022/2557 information about significant incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, incidents means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;, cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; and near misses notified in accordance with paragraph 1 of this Article and with Article 30 by entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; identified as critical entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; under Directive (EU) 2022/2557.

    1. The Commission may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraph 1 of this Article and to Article 30 and of a communication submitted pursuant to paragraph 2 of this Article.

    2. By 17 October 2024, the Commission shall, with regard to DNS service providers means an entity that provides:, TLD name registries, cloud computing service means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations; providers, data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control; publicly available recursive domain name resolution services for internet end-users; or authoritative domain name resolution services for third-party use, with the exception of root name servers; providers, content delivery network means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers; providers, managed service providers means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;, managed security service providers means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;, as well as providers of online marketplaces means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (^31^); Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (Unfair Commercial Practices Directive) (OJ L 149, 11.6.2005, p. 22)., of online search engines means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (^32^); Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). and of social networking services platforms means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;, adopt implementing acts further specifying the cases in which an incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems; shall be considered to be significant as referred to in paragraph 3. The Commission may adopt such implementing acts with regard to other essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;.

    3. The Commission shall exchange advice and cooperate with the Cooperation Group means a group as defined in Article 2, point (11), of Directive 2013/34/EU; on the draft implementing acts referred to in the first and second subparagraphs of this paragraph in accordance with Article 14(4), point (e).

    4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod