Article 4 Sector-specific Union legal acts

    1. Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities. Where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

    2. The requirements referred to in paragraph 1 of this Article shall be considered to be equivalent in effect to the obligations laid down in this Directive where:

      1. cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2); or

      2. the sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive.

    3. The Commission shall, by 17 July 2023, provide guidelines clarifying the application of paragraphs 1 and 2. The Commission shall review those guidelines on a regular basis. When preparing those guidelines, the Commission shall take into account any observations of the Cooperation Group and ENISA.
