Article 32 Supervisory and enforcement measures in relation to essential entities

    1. Member States shall ensure that the supervisory or enforcement measures imposed on essential entities in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.

    2. Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to essential entities, have the power to subject those entities at least to:

      (a) on-site inspections and off-site supervision, including random checks conducted by trained professionals;

      (b) regular and targeted security audits carried out by an independent body or a competent authority;

      (c) ad hoc audits, including where justified on the ground of a significant incident or an infringement of this Directive by the essential entity;

      (d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned;

      (e) requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27;

      (f) requests to access data, documents and information necessary to carry out their supervisory tasks;

      (g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.

    The targeted security audits referred to in the first subparagraph, point (b), shall be based on risk assessments conducted by the competent authority or the audited entity, or on other risk-related available information.

    The results of any targeted security audit shall be made available to the competent authority. The costs of such targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly substantiated cases when the competent authority decides otherwise.

    3. When exercising their powers under paragraph 2, point (e), (f) or (g), the competent authorities shall state the purpose of the request and specify the information requested.

    4. Member States shall ensure that their competent authorities, when exercising their enforcement powers in relation to essential entities, have the power at least to:

      (a) issue warnings about infringements of this Directive by the entities concerned;

      (b) adopt binding instructions, including with regard to measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation, or an order requiring the entities concerned to remedy the deficiencies identified or the infringements of this Directive;

      (c) order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct;

      (d) order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period;

      (e) order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat;

      (f) order the entities concerned to implement the recommendations provided as a result of a security audit within a reasonable deadline;

      (g) designate a monitoring officer with well-defined tasks for a determined period of time to oversee the compliance of the entities concerned with Articles 21 and 23;

      (h) order the entities concerned to make public aspects of infringements of this Directive in a specified manner;

      (i) impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (h) of this paragraph.

    5. Where enforcement measures adopted pursuant to paragraph 4, points (a) to (d) and (f), are ineffective, Member States shall ensure that their competent authorities have the power to establish a deadline by which the essential entity is requested to take the necessary action to remedy the deficiencies or to comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States shall ensure that their competent authorities have the power to:

      (a) suspend temporarily, or request a certification or authorisation body, or a court or tribunal, in accordance with national law, to suspend temporarily a certification or authorisation concerning part or all of the relevant services provided or activities carried out by the essential entity;

      (b) request that the relevant bodies, courts or tribunals, in accordance with national law, prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in the essential entity from exercising managerial functions in that entity.

    Temporary suspensions or prohibitions imposed pursuant to this paragraph shall be applied only until the entity concerned takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such enforcement measures were applied. The imposition of such temporary suspensions or prohibitions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.

    The enforcement measures provided for in this paragraph shall not be applicable to public administration entities that are subject to this Directive.

    6. Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the power to ensure its compliance with this Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive.

    As regards public administration entities, this paragraph shall be without prejudice to national law as regards the liability of public servants and elected or appointed officials.

    7. When taking any of the enforcement measures referred to in paragraph 4 or 5, the competent authorities shall comply with the rights of the defence and take account of the circumstances of each individual case and, as a minimum, take due account of:

      (a) the seriousness of the infringement and the importance of the provisions breached, the following, inter alia, constituting serious infringement in any event:

        (i) repeated violations;

        (ii) a failure to notify or remedy significant incidents;

        (iii) a failure to remedy deficiencies following binding instructions from competent authorities;

        (iv) the obstruction of audits or monitoring activities ordered by the competent authority following the finding of an infringement;

        (v) providing false or grossly inaccurate information in relation to cybersecurity risk-management measures or reporting obligations laid down in Articles 21 and 23;

      (b) the duration of the infringement;

      (c) any relevant previous infringements by the entity concerned;

      (d) any material or non-material damage caused, including any financial or economic loss, effects on other services and the number of users affected;

      (e) any intent or negligence on the part of the perpetrator of the infringement;

      (f) any measures taken by the entity to prevent or mitigate the material or non-material damage;

      (g) any adherence to approved codes of conduct or approved certification mechanisms;

      (h) the level of cooperation of the natural or legal persons held responsible with the competent authorities.

    8. The competent authorities shall set out a detailed reasoning for their enforcement measures. Before adopting such measures, the competent authorities shall notify the entities concerned of their preliminary findings. They shall also allow a reasonable time for those entities to submit observations, except in duly substantiated cases where immediate action to prevent or respond to incidents would otherwise be impeded.

    9. Member States shall ensure that their competent authorities under this Directive inform the relevant competent authorities within the same Member State under Directive (EU) 2022/2557 when exercising their supervisory and enforcement powers aiming to ensure compliance of an entity identified as a critical entity under Directive (EU) 2022/2557 with this Directive. Where appropriate, the competent authorities under Directive (EU) 2022/2557 may request the competent authorities under this Directive to exercise their supervisory and enforcement powers in relation to an entity that is identified as a critical entity under Directive (EU) 2022/2557.

    10. Member States shall ensure that their competent authorities under this Directive cooperate with the relevant competent authorities of the Member State concerned under Regulation (EU) 2022/2554. In particular, Member States shall ensure that their competent authorities under this Directive inform the Oversight Forum established pursuant to Article 32(1) of Regulation (EU) 2022/2554 when exercising their supervisory and enforcement powers aimed at ensuring compliance of an essential entity that is designated as a critical ICT third-party service provider pursuant to Article 31 of Regulation (EU) 2022/2554 with this Directive.
