Article 7 National cybersecurity strategy


1. Each Member State shall adopt a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include:

   (a) objectives and priorities of the Member State's cybersecurity strategy covering in particular the sectors referred to in Annexes I and II;

   (b) a governance framework to achieve the objectives and priorities referred to in point (a) of this paragraph, including the policies referred to in paragraph 2;

   (c) a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under this Directive, as well as coordination and cooperation between those bodies and competent authorities under sector-specific Union legal acts;

   (d) a mechanism to identify relevant assets and an assessment of the risks in that Member State;

   (e) an identification of the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors;

   (f) a list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy;

   (g) a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the exercise of supervisory tasks, as appropriate;

   (h) a plan, including necessary measures, to enhance the general level of cybersecurity awareness among citizens.

2. As part of the national cybersecurity strategy, Member States shall in particular adopt policies:

   (a) addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services;

   (b) on the inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products;

   (c) managing vulnerabilities, encompassing the promotion and facilitation of coordinated vulnerability disclosure under Article 12(1);

   (d) related to sustaining the general availability, integrity and confidentiality of the public core of the open internet, including, where relevant, the cybersecurity of undersea communications cables;

   (e) promoting the development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures;

   (f) promoting and developing education and training on cybersecurity, cybersecurity skills, awareness raising and research and development initiatives, as well as guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities;

   (g) supporting academic and research institutions to develop, enhance and promote the deployment of cybersecurity tools and secure network infrastructure;

   (h) including relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law;

   (i) strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs;

   (j) promoting active cyber protection.

3. Member States shall notify their national cybersecurity strategies to the Commission within three months of their adoption. Member States may exclude information which relates to their national security from such notifications.

4. Member States shall assess their national cybersecurity strategies on a regular basis and at least every five years on the basis of key performance indicators and, where necessary, update them. ENISA shall assist Member States, upon their request, in the development or the update of a national cybersecurity strategy and of key performance indicators for the assessment of that strategy, in order to align it with the requirements and obligations laid down in this Directive.
