Article 33 Supervisory and enforcement measures in relation to important entities


    1. When provided with evidence, indication or information that an important entity allegedly does not comply with this Directive, in particular Articles 21 and 23 thereof, Member States shall ensure that the competent authorities take action, where necessary, through ex post supervisory measures. Member States shall ensure that those measures are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.

    2. Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to important entities, have the power to subject those entities at least to:

      (a) on-site inspections and off-site ex post supervision conducted by trained professionals;

      (b) targeted security audits carried out by an independent body or a competent authority;

      (c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned;

      (d) requests for information necessary to assess, ex post, the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27;

      (e) requests to access data, documents and information necessary to carry out their supervisory tasks;

      (f) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.

    The targeted security audits referred to in the first subparagraph, point (b), shall be based on risk assessments conducted by the competent authority or the audited entity, or on other risk-related available information.

    The results of any targeted security audit shall be made available to the competent authority. The costs of such targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly substantiated cases when the competent authority decides otherwise.

    3. When exercising their powers under paragraph 2, point (d), (e) or (f), the competent authorities shall state the purpose of the request and specify the information requested.

    4. Member States shall ensure that the competent authorities, when exercising their enforcement powers in relation to important entities, have the power at least to:

      (a) issue warnings about infringements of this Directive by the entities concerned;

      (b) adopt binding instructions or an order requiring the entities concerned to remedy the deficiencies identified or the infringement of this Directive;

      (c) order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct;

      (d) order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period;

      (e) order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat;

      (f) order the entities concerned to implement the recommendations provided as a result of a security audit within a reasonable deadline;

      (g) order the entities concerned to make public aspects of infringements of this Directive in a specified manner;

      (h) impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (g) of this paragraph.

    5. Article 32(6), (7) and (8) shall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities.

    6. Member States shall ensure that their competent authorities under this Directive cooperate with the relevant competent authorities of the Member State concerned under Regulation (EU) 2022/2554. In particular, Member States shall ensure that their competent authorities under this Directive inform the Oversight Forum established pursuant to Article 32(1) of Regulation (EU) 2022/2554 when exercising their supervisory and enforcement powers aimed at ensuring compliance of an important entity that is designated as a critical ICT third-party service provider pursuant to Article 31 of Regulation (EU) 2022/2554 with this Directive.
