DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 14 December 2022
on measures for a high common level of cybersecurity in the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank (1),
Having regard to the opinion of the European Economic and Social Committee (2),
After consulting the Committee of the Regions,
Acting in accordance with the ordinary legislative procedure (3),
Whereas:
(1)
Directive (EU) 2016/1148 of the European Parliament and of the Council (4) aims to build cybersecurity capabilities across the Union, to mitigate threats to network and information systems used to provide essential services in key sectors and to ensure the continuity of such services when confronted with incidents, thus contributing to the security of the Union and to the effective functioning of its economy and society.
(2)
Since the entry into force of Directive (EU) 2016/1148, significant progress has been made in raising the level of cyber resilience in the Union. The evaluation of that Directive has shown that it served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in the way cybersecurity is approached. That Directive has ensured the completion of national frameworks for the security of network and information systems by providing for national strategies for the security of network and information systems and by establishing national capabilities, and by implementing regulatory measures covering essential infrastructure and entities identified by each Member State. Directive (EU) 2016/1148 has also contributed to cooperation at Union level through the establishment of the Cooperation Group and the network of national computer security incident response teams (CSIRTs). Notwithstanding those achievements, the evaluation of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from effectively addressing current and emerging cybersecurity challenges.
(3)
Network and information systems have developed into a central feature of everyday life due to the rapid digital transformation and the interconnectedness of society, including in cross-border exchanges. This development has led to an expansion of the cyber threat landscape, bringing new challenges that require an adapted, coordinated and innovative response in all Member States. The number, size, complexity, frequency and impact of incidents are increasing and pose a major threat to the functioning of network and information systems. As a result, incidents can hinder the pursuit of economic activities in the internal market, cause financial loss, undermine user confidence and cause major damage to the Union's economy and society. Cybersecurity preparedness and effectiveness are therefore now more essential than ever for the proper functioning of the internal market. Furthermore, cybersecurity is essential for many critical sectors to successfully implement digital transformation and fully realize the economic, social and sustainable benefits of digitalization.
(4)
The legal basis for Directive (EU) 2016/1148 was Article 114 of the Treaty on the Functioning of the European Union (TFEU), which aims to establish and ensure the functioning of the internal market by strengthening measures for the approximation of national rules. Cybersecurity requirements imposed on entities that provide services or carry out economically important activities vary significantly from Member State to Member State in terms of the type of requirements, the level of detail and the means of supervision. These differences entail additional costs and pose problems for entities offering goods or services across borders. Requirements imposed by one Member State that differ from or even conflict with those imposed by another Member State can have a significant impact on these cross-border activities. Furthermore, the possibility of inadequate design or implementation of cybersecurity requirements in one Member State is likely to have an impact on the level of cybersecurity in other Member States, especially given the intensity of cross-border exchanges. The evaluation of Directive (EU) 2016/1148 has shown that Member States implement the Directive in very different ways, including with regard to its scope, the definition of which is largely left to the discretion of the Member States. Directive (EU) 2016/1148 also gave Member States very wide discretion in implementing the security and incident reporting obligations set out therein. These obligations have therefore been implemented in significantly different ways at national level. There are similar differences in the implementation of the supervision and enforcement provisions of Directive (EU) 2016/1148.
(5)
All these differences lead to fragmentation of the internal market and may have an adverse effect on its functioning, in particular affecting cross-border services and the level of cyber resilience resulting from the application of various measures. Ultimately, those differences could make some Member States more vulnerable to cyber threats, with potential spillover effects across the Union. This Directive aims to eliminate such major disparities between Member States, in particular by establishing minimum requirements for the operation of a coordinated regulatory framework, by establishing mechanisms for effective cooperation between the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and enforcement measures essential for the effective enforcement of these obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this Directive.
(6)
With the repeal of Directive (EU) 2016/1148, the sectoral scope should be extended to a wider part of the economy in order to fully cover the sectors and services that are vital for important social and economic activities in the internal market. More specifically, this Directive aims to remedy the shortcomings of the distinction between providers of essential services and digital service providers, which has proven to be outdated as it does not reflect the importance of the sectors or services for social and economic activities in the internal market.
(7)
Under Directive (EU) 2016/1148, Member States were responsible for identifying the entities that met the criteria to qualify as providers of essential services. In order to eliminate the wide divergences between Member States in that regard and to provide legal certainty as regards the cybersecurity risk management measures and reporting obligations for all relevant entities, a uniform criterion should be established that determines which entities fall within the scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities which qualify as medium-sized enterprises under Article 2(1) of the Annex to Commission Recommendation 2003/361/EC (5), or which exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which operate in the sectors and provide the types of services or carry out the activities covered by this Directive, fall within the scope of this Directive. Member States should also ensure that certain small enterprises and micro-enterprises, as defined in Article 2(2) and (3) of that Annex, which meet specific criteria indicating a key role for society, the economy or particular sectors or types of services, fall within the scope of this Directive.
(8)
Public administration entities should be excluded from the scope of this Directive where the activities of those entities are carried out predominantly in the areas of national security, public security, defense or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. However, public administration entities whose activities are only marginally related to those areas should not be excluded from the scope of this Directive. For the purposes of this Directive, entities with regulatory competences are not considered to be carrying out activities in the area of law enforcement and are therefore not excluded on that ground from the scope of this Directive. Public administration entities that are established jointly with a third country in accordance with an international agreement are excluded from the scope of this Directive. This Directive does not apply to the diplomatic and consular missions of the Member States in third countries or to their network and information systems, insofar as those systems are located in the premises of the mission or are run for users in a third country.
(9)
Member States should be able to take the necessary measures to protect the essential interests of national security, to safeguard public order and public security and to enable the prevention, investigation, detection and prosecution of criminal offences. To that end, Member States should be able to exempt specific entities engaged in national security, public safety, defense or law enforcement activities, including the prevention, investigation, detection and prosecution of criminal offences, from certain obligations laid down in this Directive in relation to those activities. Where an entity provides services exclusively to a public authority excluded from the scope of this Directive, Member States should be able to exempt that entity from certain obligations laid down in this Directive in relation to those services. Furthermore, no Member State should be obliged to provide information the disclosure of which would be contrary to the essential interests of its national security, public safety or defense. In that context, Union or national rules for the protection of classified information, non-disclosure agreements and informal non-disclosure agreements, such as the Traffic Light Protocol, should be taken into account. The Traffic Light Protocol should be understood as a means of providing information on any restrictions regarding the further dissemination of information. It is used in almost all CSIRTs and in some information sharing and analysis centers.
(10)
Although this Directive applies to entities carrying out activities in the field of electricity production from nuclear power stations, some of these activities may be related to national security. If that is the case, a Member State should be able, in accordance with the Treaties, to exercise its responsibility for ensuring national security in relation to those activities, including activities in the nuclear value chain.
(11)
Some entities carry out national security, public safety, defense or law enforcement activities, including the prevention, investigation, detection and prosecution of criminal offences, and also provide trust services. Trust service providers falling within the scope of Regulation (EU) No 910/2014 of the European Parliament and of the Council (6) should fall within the scope of this Directive in order to ensure the same level of security requirements and oversight as that established under that Regulation with regard to trust service providers. In accordance with the exclusion of certain specific services from Regulation (EU) No 910/2014, this Directive should not apply to the provision of trust services used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.
(12)
Postal service providers as defined in Directive 97/67/EC of the European Parliament and of the Council (7), including courier service providers, should be covered by this Directive if they provide at least one of the steps in the postal delivery chain, in particular the collection, sorting, transport and delivery of postal items, including collection services, taking into account the extent to which they are dependent on network and information systems. Transport services that are not undertaken in connection with any of those steps should not be considered postal services.
(13)
As cyber threats become ever more intense and sophisticated, Member States should endeavor to ensure that entities excluded from the scope of this Directive achieve a high level of cybersecurity and should support the implementation of equivalent cybersecurity risk management measures that reflect the sensitive nature of those entities.
(14)
Union data protection law and Union privacy law apply to any processing of personal data under this Directive. In particular, this Directive is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (8) and Directive 2002/58/EC of the European Parliament and of the Council (9). This Directive should therefore be without prejudice, inter alia, to the tasks and powers of the authorities competent to monitor compliance with applicable Union data protection law and Union privacy law.
(15)
Entities falling within the scope of this Directive for the purposes of compliance with cybersecurity risk management measures and reporting obligations should be classified into two categories, essential entities and important entities, according to the extent to which they are critical as regards their sector or the type of services they provide, as well as their size. In that context, relevant sectoral risk assessments or guidance from competent authorities should be duly taken into account, where appropriate. The supervisory and enforcement arrangements for those two categories of entities should be differentiated to ensure a fair balance between risk-based requirements and obligations and the administrative burden arising from monitoring compliance.
(16)
In order to avoid entities with partner undertakings or associated undertakings being considered as essential or important entities where this would be disproportionate, Member States may take into account the degree of independence that those entities enjoy in relation to their partner undertakings or associated undertakings. In particular, Member States may take into account the fact that an entity is independent of its partner or associated undertakings as regards the network and information systems used by that entity in providing its services and as regards the services provided by the entity. On that basis, Member States may, where appropriate, consider such an entity as not qualifying as a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC, or as not exceeding the ceilings for a medium-sized enterprise set out in paragraph 1 of that Article, if that entity, taking into account the degree of independence it enjoys, would not be classified as a medium-sized enterprise or would not be considered to exceed those ceilings if only its own data were taken into account. This is without prejudice to the obligations laid down in this Directive of partner undertakings and associated undertakings falling within the scope of this Directive.
(17)
Member States should be able to decide that entities identified as providers of essential services in accordance with Directive (EU) 2016/1148 before the entry into force of this Directive should be considered as essential entities.
(18)
In order to ensure a clear overview of the entities falling within the scope of this Directive, Member States should establish a list of essential and important entities and entities providing domain name registration services. To this end, Member States should require entities to provide competent authorities with at least the following information: the entity's name, address and current contact details, including email addresses, IP ranges and telephone numbers, as well as, where appropriate, the relevant sectors and sub-sectors referred to in the Annexes and, where appropriate, a list of the Member States where they provide services falling within the scope of this Directive. To this end, the Commission, with the assistance of the European Union Agency for Cybersecurity (ENISA), should without delay establish guidelines and templates regarding the obligation to submit information. In order to facilitate the establishment and updating of the list of essential and important entities and entities providing domain name registration services, Member States should be able to establish national mechanisms for entities to register. Where registers exist at national level, Member States may decide on appropriate mechanisms for the identification of entities falling within the scope of this Directive.
(19)
Member States should be responsible for submitting to the Commission at least the number of essential and important entities per sector and sub-sector referred to in the Annexes, together with relevant information on the number of entities identified, the provision of this Directive on the basis of which they were identified, and the type of services they provide. Member States are encouraged to exchange information on essential and important entities with the Commission as well as, in the event of a large-scale cybersecurity incident, relevant information such as the name of the entity involved.
(20)
The Commission, in cooperation with the Cooperation Group and after consulting relevant stakeholders, should establish guidelines for the application of the criteria applicable to micro-enterprises and small enterprises to assess whether they fall within the scope of this Directive. The Commission should also ensure that appropriate guidance is provided to micro-enterprises and small enterprises within the scope of this Directive. In this context, the Commission, with the help of the Member States, should make information available to micro-enterprises and small enterprises.
(21)
The Commission may provide guidance to assist Member States in implementing the provisions of this Directive on the scope and in assessing the proportionality of the measures to be taken under this Directive, in particular with regard to entities with complex business models or operating environments, where an entity may simultaneously meet the criteria for essential and important entities or carry out activities, some of which are within the scope of this Directive and some of which are excluded.
(22)
This Directive establishes the baseline level of cybersecurity risk management measures and reporting requirements for the sectors within its scope. In order to avoid fragmentation of the cybersecurity provisions of Union legal acts, where further sector-specific Union legal acts regarding cybersecurity risk management measures and reporting obligations are considered necessary to ensure a high level of cybersecurity in the Union, the Commission should assess whether such further provisions could be laid down in an implementing act under this Directive. Should such an implementing act not be appropriate for that purpose, sector-specific Union legal acts could contribute to ensuring a high level of cybersecurity in the Union, taking full account of the specificities and complexity of the sectors concerned. To that end, this Directive shall not prevent the adoption of further sector-specific Union legal acts regarding cybersecurity risk management measures and reporting obligations that take due account of the need for a comprehensive and coherent cybersecurity framework. This Directive is without prejudice to existing implementing powers conferred on the Commission in a number of sectors, including transport and energy.
(23)
Where a sector-specific Union legal act contains provisions requiring essential or important entities to adopt cybersecurity risk management measures or to report significant incidents, and where those requirements are at least equivalent to the obligations laid down in this Directive, those provisions, including on supervision and enforcement, should apply to those entities. Where a sector-specific Union legal act does not concern all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive should continue to apply to the entities not covered by that act.
(24)
Where provisions of a sector-specific Union legal act require essential or important entities to comply with reporting obligations at least equivalent to those laid down in this Directive, the coherence and effectiveness of the handling of incident reports should be ensured. To that end, the provisions of the sector-specific Union legal act relating to incident reporting should provide the CSIRTs, the competent authorities or the central contact points for cybersecurity (central contact points) under this Directive with immediate access to the incident reports submitted in accordance with that sector-specific Union legal act. Such immediate access can be ensured in particular if incident reports are forwarded without delay to the CSIRT, the competent authority or the central contact point under this Directive. Where appropriate, Member States should establish an automatic and direct reporting mechanism to ensure that information relating to the handling of such incident reports is systematically and promptly exchanged with the CSIRTs, competent authorities or central contact points. In order to simplify reporting and the application of the automatic and direct reporting mechanism, Member States may, in accordance with the sector-specific Union legal act, use a single point of contact.
(25)
Sector-specific Union legal acts providing for cybersecurity risk management measures or reporting obligations at least equivalent to the measures and obligations laid down in this Directive may provide that the competent authorities under those acts exercise their supervisory and enforcement powers in relation to those measures or obligations with the assistance of the competent authorities under this Directive. To this end, the competent authorities concerned may enter into cooperation arrangements. Such cooperation arrangements may, inter alia, define the procedures for the coordination of supervisory activities, including the procedures for investigations and on-site inspections in accordance with national law, and those for a mechanism for the exchange of relevant information on supervision and enforcement between the competent authorities, including requests from competent authorities under this Directive for access to cyber-related information.
(26)
Where sector-specific Union legal acts require or encourage entities to report significant cyber threats, Member States should also promote the exchange of information on significant cyber threats with the CSIRTs, the competent authorities or the central contact points under this Directive, in order to increase the awareness of those bodies of the cyber threat landscape and to enable them to respond effectively and in a timely manner if significant cyber threats lead to incidents.
(27)
Future sector-specific Union legal acts should take due account of the definitions and of the supervisory and enforcement framework laid down in this Directive.
(28)
Regulation (EU) 2022/2554 of the European Parliament and of the Council (10) should be regarded as a sector-specific Union legal act in relation to this Directive as regards financial entities. The provisions of Regulation (EU) 2022/2554 on risk management in the field of information and communications technology (ICT), the management of ICT-related incidents and in particular the reporting of major ICT-related incidents, as well as on digital operational resilience testing, information exchange arrangements and third-party risk in the field of ICT, should apply instead of the provisions of this Directive. Member States should therefore not apply the provisions of this Directive on cybersecurity risk management and reporting obligations, supervision and enforcement to financial entities covered by Regulation (EU) 2022/2554. At the same time, it is important to maintain a strong relationship and exchange of information with the financial sector under this Directive. To this end, Regulation (EU) 2022/2554 allows the European Supervisory Authorities (ESAs) and the competent authorities under that Regulation to participate in the activities of the Cooperation Group and to exchange information and cooperate with the central contact points and with the CSIRTs and the competent authorities under this Directive. The competent authorities under Regulation (EU) 2022/2554 should also transmit details of major ICT-related incidents and significant cyber threats to the CSIRTs, the competent authorities or the central contact points under this Directive. This can be achieved by providing immediate access and direct reporting of incidents, or through a single point of contact for reporting incidents. In addition, Member States should continue to include the financial sector in their cybersecurity strategies, and CSIRTs can involve the financial sector in their activities.
(29)
In order to avoid gaps or overlaps in cybersecurity obligations for aviation sector entities, the national authorities under Regulations (EC) No 300/2008 (11) and (EU) 2018/1139 (12) of the European Parliament and of the Council and the competent authorities under this Directive should cooperate in implementing cybersecurity risk management measures and monitoring compliance with those measures at national level. Compliance by an entity with the security requirements laid down in Regulations (EC) No 300/2008 and (EU) 2018/1139 and in the relevant delegated and implementing acts adopted under those Regulations may be considered by the competent authorities under this Directive as compliance with the corresponding requirements of this Directive.
(30)
Given the interlinkages between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) 2022/2557 of the European Parliament and of the Council (13) and this Directive. To this end, entities identified as critical entities under Directive (EU) 2022/2557 should be considered essential entities under this Directive. In addition, each Member State should ensure that its national cybersecurity strategy provides a policy framework for better coordination within that Member State between its competent authorities under this Directive and those under Directive (EU) 2022/2557 in the context of the exchange of information on risks, cyber threats and incidents as well as on non-cyber risks, threats and incidents, and in the exercise of supervisory tasks. The competent authorities under this Directive and those under Directive (EU) 2022/2557 should cooperate and exchange information without undue delay, in particular with regard to the identification of critical entities, risks, cyber threats and incidents, and non-cyber risks, threats and incidents affecting critical entities, including the cybersecurity and physical measures taken by critical entities, as well as the results of supervisory activities related to those entities.
In order to streamline supervisory activities between the competent authorities under this Directive and those under Directive (EU) 2022/2557 and to minimize the administrative burden on the entities concerned, those competent authorities should endeavor to harmonize incident reporting and monitoring processes. Where appropriate, authorities competent under Directive (EU) 2022/2557 should be able to request authorities competent under this Directive to exercise their supervisory and enforcement powers in relation to an entity identified as a critical entity under Directive (EU) 2022/2557. To this end, the competent authorities under this Directive and those under Directive (EU) 2022/2557 should cooperate and exchange information, where possible in real time.
(31)
Entities belonging to the digital infrastructure sector are essentially based on network and information systems, and therefore the obligations imposed on them under this Directive should cover in a comprehensive manner the physical security of such systems as part of their cybersecurity risk management measures and reporting obligations. Since those matters are covered by this Directive, the obligations of Chapters III, IV and VI of Directive (EU) 2022/2557 do not apply to such entities.
(32)
Upholding and preserving a reliable, resilient and secure domain name system (DNS) are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to top-level domain name registries and to DNS service providers, which should be understood as entities providing publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services for third-party use. This Directive should not apply to root name servers.
(33)
Cloud computing services should cover digital services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing capacity, including where that capacity is distributed across several locations. Computing capacity includes resources such as networks, servers or other infrastructure, operating systems, software, storage, applications and services. The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS). The deployment models of cloud computing should include private, community, public and hybrid cloud. The cloud computing service and deployment models have the same meaning as the service and deployment model terms defined in the ISO/IEC 17788:2014 standard. The capability of the cloud computing user to unilaterally self-provision, for example as regards server time or network storage, without any human interaction by the cloud computing service provider, could be described as on-demand administration.
The term “broad remote access” is used to describe cloud capabilities that are delivered over the network and accessed through mechanisms that promote the use of heterogeneous thin- or thick-client platforms, including mobile phones, tablets, laptops and workstations. The term “scalable” refers to computing capacity that is flexibly allocated by the cloud computing service provider to meet fluctuations in demand, regardless of the geographic location of the capacity. The term “elastic pool” is used to describe computing capacity that is provisioned and released according to demand in order to rapidly increase and decrease the available capacity depending on workload. The term “shareable” is used to describe computing capacity that is made available to multiple users who share common access to the service, but where the processing is carried out separately for each user, although the service is provided by means of the same electronic equipment. The term “distributed” is used to describe computing capacity that resides on different networked computers or devices and which communicates and coordinates among them by message passing.
(34)
Given the emergence of innovative technologies and new business models, new service and adoption models for cloud computing are expected to emerge in the internal market to meet changing customer needs. In that context, cloud computing services can be provided in a highly distributed form, even closer to where the data is generated or collected, moving from the traditional model to a highly distributed model (“edge computing”).
(35)
Services offered by data center service providers cannot always be provided in the form of a cloud computing service. Data centers are therefore not always part of cloud computing infrastructure. In order to manage all risks to the security of network and information systems, this Directive should therefore also apply to providers of data center services that are not cloud computing services. For the purposes of this Directive, the term “data center service” should cover the provision of a service comprising structures or groups of structures intended for the centralized accommodation, interconnection and operation of information technology (IT) and network equipment providing data storage, processing and transport services, together with all facilities and infrastructure for energy distribution and environmental control. The term “data center service” should not apply to internal corporate data centers owned and operated by the entity concerned for its own purposes.
(36)
Research activities play a key role in the development of new products and processes. Many of these activities are carried out by entities that share, distribute or exploit the results of their research for commercial purposes. These entities can therefore be important players in the value chains, so that the security of their network and information systems is an integral part of the overall cybersecurity of the internal market. Research organizations should also include entities that focus the substantial part of their activities on applied research or experimental development within the meaning of the “Frascati Manual 2015: Guidelines for Collecting and Reporting Data on Research and Experimental Development” of the Organization for Economic Cooperation and Development, to exploit their results for commercial purposes, such as the manufacture or development of a product or a process, the provision of a service, or the marketing thereof.
(37)
The increasing interdependence is the result of an increasingly cross-border and interdependent network of service provision that makes use of key infrastructures across the Union in sectors such as energy, transport, digital infrastructure, drinking water and waste water, health, certain aspects of public administration, and space, insofar as the provision of certain services depends on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties, and therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space program. That interdependence means that any disruption, even one initially confined to one entity or one sector, can more generally have a cascading effect, with potentially far-reaching and long-lasting negative consequences for the provision of services across the internal market. The increase in cyberattacks during the COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies to low-probability risks.
(38)
Given the differences between national governance structures and in order to safeguard pre-existing Union sectoral arrangements or supervisory and regulatory bodies, Member States should be able to designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks under this Directive.
(39)
In order to facilitate cross-border cooperation and communication between authorities and to enable effective implementation of this Directive, each Member State should designate a single point of contact responsible for coordinating issues related to the security of network and information systems and the cross-border cooperation at Union level.
(40)
The single points of contact should ensure effective cross-border cooperation with the relevant authorities of other Member States and, where appropriate, with the Commission and ENISA. The single points of contact should therefore be responsible for forwarding reports of significant incidents with cross-border implications to the single points of contact of the other Member States concerned, upon request by the CSIRT or the competent authority. At national level, the single points of contact should enable smooth cross-sectoral cooperation with other competent authorities. The single points of contact may also be the recipients of relevant information on incidents involving financial entities from the authorities competent under Regulation (EU) 2022/2554, which they should be able to forward, where appropriate, to the CSIRTs or competent authorities under this Directive.
(41)
Member States should be adequately equipped, in terms of both technical and organizational capabilities, to prevent, detect, respond to, recover from and mitigate incidents and risks. Member States should therefore establish or designate one or more CSIRTs under this Directive and ensure that they have sufficient resources and technical capabilities. CSIRTs should meet the requirements set out in this Directive to ensure that they have effective and compatible capabilities to address incidents and risks and to ensure efficient cooperation at Union level. Member States should be able to designate existing computer emergency response teams (CERTs) as CSIRTs. In order to strengthen the relationship of trust between the entities and the CSIRTs, where a CSIRT is part of a competent authority, Member States should be able to consider a functional separation between the operational tasks of the CSIRTs, in particular with regard to the information exchange and assistance provided to the entities, and the supervisory activities of the competent authorities.
(42)
The CSIRTs are responsible for handling incidents. This involves processing large amounts of sometimes sensitive data. Member States should ensure that CSIRTs have an infrastructure for sharing and processing information, as well as well-equipped staff, to ensure the confidentiality and reliability of their activities. The CSIRTs may also establish a code of conduct in this regard.
(43)
With regard to personal data, in accordance with Regulation (EU) 2016/679, CSIRTs should be able to carry out, at the request of an essential or important entity, a proactive scan of the network and information systems used for the provision of the entity's services. Where appropriate, Member States should aim to ensure that all sectoral CSIRTs have equal technical capabilities. Member States should be able to call on ENISA's assistance in developing their CSIRTs.
(44)
CSIRTs should have the ability, at the request of an essential or important entity, to monitor the entity's Internet-facing assets, both on and off its premises, in order to identify, understand and manage the entity's overall organizational risks as regards newly identified supply chain compromises or critical vulnerabilities. The entity should be encouraged to inform the CSIRT whether it uses a privileged management interface, as this may influence the speed at which mitigation measures are taken.
(45)
Given the importance of international cooperation in the field of cybersecurity, CSIRTs should be able to participate in international cooperation networks, in addition to the CSIRT network established by this Directive. Therefore, CSIRTs and competent authorities should be able to exchange information, including personal data, with national computer security incident response teams or competent authorities of third countries for the performance of their tasks, provided that the conditions of Union data protection law on transfers of personal data to third countries, including those referred to in Article 49 of Regulation (EU) 2016/679, are met.
(46)
In order to achieve the objectives of this Directive and to enable competent authorities and CSIRTs to carry out the tasks set out therein, it is essential to ensure sufficient resources. Member States may establish a financing mechanism at national level to cover expenditure related to the performance of the tasks of public authorities responsible for cybersecurity in the Member State under this Directive. Such a mechanism should comply with Union law and should be proportionate and non-discriminatory and allow for the provision of secure services using different approaches.
(47)
The CSIRT network should continue to contribute to strengthening trust and to promoting swift and effective operational cooperation between Member States. In order to enhance operational cooperation at Union level, the CSIRT network should consider inviting Union bodies and agencies involved in cybersecurity policy, such as Europol, to participate in its work.
(48)
In order to achieve and maintain a high level of cybersecurity, national cybersecurity strategies required by this Directive should consist of coherent frameworks setting out strategic cybersecurity objectives and priorities and the governance to achieve them. These strategies may consist of one or more legislative or non-legislative instruments.
(49)
Cyber hygiene policies provide the foundation for protecting the infrastructure, hardware, software and online applications of network and information systems, and the business user or end-user data on which entities rely. Cyber hygiene policies comprise a common baseline set of practices, including software and hardware updates, password changes, the management of new installations, the limitation of administrator-level access accounts and the backing-up of data, and they enable a proactive framework of preparedness and overall safety and security in the event of incidents or cyber threats. ENISA should monitor and analyze the cyber hygiene policies of the Member States.
(50)
Cyber security awareness and cyber hygiene are essential to increase the level of cyber security in the Union, especially in view of the increasing number of connected devices increasingly used in cyber attacks. Efforts should be made to raise general awareness of the risks associated with such devices, while assessments at Union level could contribute to a common understanding of such risks within the internal market.
(51)
Member States should encourage the use of innovative technologies, including artificial intelligence, the use of which can improve the prevention and detection of cyberattacks, so that resources to combat cyberattacks can be deployed more effectively. Member States should therefore promote, in their national cybersecurity strategy, research and development activities for the use of such technologies, in particular those related to automated or semi-automated cybersecurity tools, and, where necessary, the sharing of data needed to train users of such technologies and to improve them. The use of innovative technologies, including artificial intelligence, should comply with Union data protection law, including the data protection principles of data accuracy, data minimization, fairness and transparency, and data security, such as state-of-the-art encryption. The data protection requirements set out in Regulation (EU) 2016/679 should be fully met by design and by default.
(52)
Open source cybersecurity tools and applications can contribute to greater openness and positively influence the efficiency of industrial innovation. Open standards promote interoperability between security tools, which benefits the security of business stakeholders. Open source cybersecurity tools and applications can leverage the broader developer community, enabling vendor diversification. Open source allows the process of verifying cybersecurity tools to be more transparent and the process of discovering vulnerabilities to be community-driven. Therefore, it should be possible for Member States to promote the use of open source software and open standards by pursuing policies aimed at using open data and open source in the context of security through transparency. Policy measures to promote the deployment and sustainable use of open source cybersecurity tools are of particular importance for SMEs that face significant implementation costs, which can be minimized by reducing the need for specific applications or tools.
(53)
Utilities are increasingly connecting to digital networks in cities to improve urban transportation networks, modernize water supplies and waste disposal facilities, and light and heat buildings more efficiently. These digitalized utilities are vulnerable to cyber attacks and run the risk of causing large-scale harm to citizens in the event of a successful cyber attack because they are interconnected. Member States should adopt policies aimed at the development of such connected or smart cities and their potential impact on society as part of their national cybersecurity strategy.
(54)
In recent years, the Union has seen an exponential increase in ransomware attacks, in which data and systems are locked by malware and a ransom must be paid to unlock them. The increasing frequency and severity of ransomware attacks may be the result of several factors, such as different attack patterns, criminal business models around “ransomware as a service” and cryptocurrencies, ransom demands and the rise of supply chain attacks. Member States should develop policy measures to address the rise of ransomware attacks as part of their national cybersecurity strategy.
(55)
Public-private partnerships (PPPs) in cybersecurity can provide an appropriate framework to exchange knowledge and best practices and achieve a shared level of understanding among stakeholders. Member States should promote policies supporting the establishment of dedicated PPPs in the field of cybersecurity. With regard to PPPs, those policy measures should, among other things, clarify the scope and stakeholders involved, the governance model, the financing options available and the interaction between the participating stakeholders. PPPs allow private sector entities to support competent authorities with their expertise to develop advanced services and processes, including information exchange, early warnings, exercises on cyber threats and incidents, crisis management and resilience planning.
(56)
Member States should take into account the specific cybersecurity needs of small and medium-sized enterprises (SMEs) in their national cybersecurity strategies. SMEs represent a large percentage of the industrial and business market across the Union and often struggle to adapt to new business practices in a more connected world and to the digital environment, with employees working from home and business increasingly being conducted online. Some SMEs face specific cybersecurity challenges, namely low cyber awareness, a lack of remote IT security, the high cost of cybersecurity solutions and a heightened level of threat, including from ransomware, for which they should receive guidance and assistance. SMEs are increasingly becoming the target of supply chain attacks because they take less rigorous cybersecurity risk-management and attack-management measures and because they have limited security resources. Such supply chain attacks not only affect SMEs and their operations but can also have a cascading effect, leading to larger attacks on entities to which SMEs have supplied. Member States should, through their national cybersecurity strategies, help SMEs address the challenges in their supply chains. Member States should have a point of contact for SMEs at national or regional level that either provides guidance and assistance to SMEs or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity. Member States are also encouraged to offer services such as website configuration and logging systems to microenterprises and small enterprises that lack those capabilities.
(57)
Member States should adopt policies in their national cybersecurity strategies to promote active cyber protection as part of a broader defensive strategy. Rather than reacting after the fact, active cyber protection consists of actively preventing, detecting, monitoring, analyzing and mitigating network security breaches, along with the use of capabilities deployed inside and outside the victim's network. This may include Member States offering free services or tools to certain entities, including self-service checks, detection tools and removal services. The ability to quickly and automatically share and understand threat intelligence and analysis, cyber activity alerts and response actions is critical to enabling collaborative efforts to successfully prevent, detect, address and deter attacks on network and information systems. Active cyber protection is based on a defensive strategy that excludes offensive measures.
(58)
Since the exploitation of vulnerabilities in network and information systems can cause significant disruption and harm, swiftly identifying and remedying such vulnerabilities is an important factor in reducing risk. Entities that develop or administer network and information systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered or disclosed by third parties, the manufacturer or provider of ICT products or ICT services should also put in place the necessary procedures to receive vulnerability information from third parties. In that regard, the international standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability handling and vulnerability disclosure. Strengthening the coordination between reporting natural and legal persons and manufacturers or providers of ICT products or ICT services is particularly important for the purposes of the voluntary framework for the disclosure of vulnerabilities. Coordinated vulnerability disclosure denotes a structured process in which vulnerabilities are reported to the manufacturer or provider of the potentially vulnerable ICT products or ICT services in a manner that allows it to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting natural or legal person and the manufacturer or provider of the potentially vulnerable ICT products or ICT services as regards the timing of remediation and the publication of vulnerabilities.
(59)
The Commission, ENISA and Member States should continue to promote alignment with international standards and existing industry best practices in cybersecurity risk management, for example in the areas of supply chain security assessment, information exchange and the disclosure of vulnerabilities.
(60)
Member States should, in cooperation with ENISA, take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. As part of their national policy, Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Since natural and legal persons researching vulnerabilities could be exposed to criminal and civil liability in some Member States, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.
(61)
Member States should designate one of their CSIRTs as a coordinator to act, if necessary, as a trusted intermediary between the reporting natural or legal persons and the manufacturers or providers of ICT products or ICT services likely to be affected by the vulnerability. The tasks of the CSIRT designated as coordinator should include, in particular, identifying and contacting the entities concerned, assisting the natural or legal persons reporting a vulnerability, negotiating disclosure timelines and managing vulnerabilities that affect multiple entities (multi-party coordinated vulnerability disclosure). Where the reported vulnerability may have a significant impact on entities in more than one Member State, the CSIRTs designated as coordinators should cooperate within the CSIRT network, as appropriate.
(62)
Access to correct and timely information about vulnerabilities affecting ICT products and ICT services contributes to enhanced cybersecurity risk management. Sources of publicly available information about vulnerabilities are an important tool for the entities and for the users of their services, but also for the competent authorities and the CSIRTs. For that reason, ENISA should establish a European vulnerability database in which entities, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems, as well as the competent authorities and the CSIRTs, can, on a voluntary basis, disclose and register publicly known vulnerabilities in order to allow users to take appropriate mitigating measures. The aim of that database is to address the unique challenges posed by the risks to entities in the Union. Furthermore, ENISA should establish an appropriate procedure for the publication process in order to give entities the time to take mitigating measures as regards their vulnerabilities and to make use of state-of-the-art cybersecurity risk-management measures, as well as of machine-readable datasets and corresponding interfaces. To encourage a culture of vulnerability disclosure, disclosure should have no detrimental effects on the reporting natural or legal person.
(63)
Although similar vulnerability registers or databases exist, they are hosted and maintained by entities not established in the Union. A European vulnerability database maintained by ENISA would ensure greater transparency regarding the disclosure process before the vulnerability is made public, and greater resilience in the event of a disruption or interruption of the provision of similar services. In order to avoid duplication and maximize complementarity, ENISA should explore the possibility of concluding structured cooperation agreements with similar registers or databases under the jurisdiction of third countries. In particular, ENISA should explore the possibility of close cooperation with the operators of the Common Vulnerabilities and Exposures (CVE) system.
(64)
The cooperation group should support and promote strategic cooperation and the exchange of information between Member States and increase mutual trust between Member States. The cooperation group must adopt a work program every two years. The work program should include the actions to be taken by the cooperation group to achieve its objectives and tasks. In order to avoid possible disruptions to the work of the cooperation group, the timetable for the adoption of the first work program adopted under this Directive should be aligned with the timetable of the last work program adopted under Directive (EU) 2016/1148.
(65)
When developing guidance documents, the cooperation group should consistently map national solutions and experiences, assess the impact of the cooperation group's deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, in particular on facilitating alignment between Member States in the transposition of this Directive, to be addressed through better implementation of existing rules. The cooperation group may also map national solutions in order to promote compatible cybersecurity solutions applied in each specific sector across the Union. This is particularly relevant for sectors with an international and cross-border character.
(66)
The cooperation group should remain a flexible forum and be able to react to changing and new policy priorities and challenges, while taking into account the availability of resources. It may organize regular joint meetings with relevant private stakeholders from across the Union to discuss the activities of the cooperation group and to gather data and input on emerging policy challenges. Furthermore, the cooperation group should regularly assess the state of play of cyber threats or incidents, such as ransomware. In order to enhance cooperation at Union level, the cooperation group should consider inviting the relevant Union institutions, bodies, offices and agencies involved in cybersecurity policy, such as the European Parliament, Europol, the European Data Protection Board, the European Union Aviation Safety Agency established by Regulation (EU) 2018/1139 and the European Union Agency for the Space Programme established by Regulation (EU) 2021/696 of the European Parliament and of the Council (14), to participate in the work of the group.
(67)
Competent authorities and CSIRTs should be able to participate in exchange programs for officials from other Member States, within a specific framework and, where appropriate, provided that the officials participating in such exchange programs have the necessary security clearance, in order to improve cooperation and to strengthen trust between Member States. Competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or host CSIRT.
(68)
Member States should contribute to the implementation of the EU cyber crisis response framework set out in Commission Recommendation (EU) 2017/1584 (15) through existing cooperation networks, in particular the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe), the CSIRT network and the cooperation group. EU-CyCLONe and the CSIRT network should cooperate on the basis of procedural arrangements specifying that cooperation and avoiding duplication of effort. The rules of procedure of EU-CyCLONe should further specify the arrangements for the functioning of that network, including the roles of the network, the modes of cooperation, the interaction with other relevant actors and the information-sharing models, as well as the means of communication. For crisis management at Union level, the relevant parties should rely on the integrated political crisis response (IPCR) arrangements in accordance with Council Implementing Decision (EU) 2018/1993 (16). To this end, the Commission should make use of the ARGUS high-level cross-sectoral crisis coordination process. If the crisis has an important external dimension or affects the Common Security and Defense Policy, the crisis response mechanism of the European External Action Service should be activated.
(69)
In accordance with the Annex to Recommendation (EU) 2017/1584, a large-scale cybersecurity incident should be defined as an incident that causes a level of disruption exceeding a Member State's capacity to respond to it alone, or that has a significant impact on at least two Member States. Depending on their cause and consequences, large-scale cybersecurity incidents may escalate and turn into fully fledged crises that prevent the proper functioning of the internal market or pose serious risks to public security and safety for entities or citizens in several Member States or in the Union as a whole. Given the wide scope and, in most cases, the cross-border nature of such incidents, Member States and the relevant Union institutions, bodies, offices and agencies should cooperate at technical, operational and political levels to properly coordinate the response across the Union.
(70)
Large-scale cybersecurity incidents and crises at Union level require coordinated action to ensure a rapid and effective response, given the high degree of interdependence between sectors and Member States. The availability of cyber-resilient network and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union and for the protection of its citizens, businesses and institutions against incidents and cyber threats, as well as for strengthening the trust of individuals and organizations in the Union's ability to promote and protect a global, open, free, stable and secure cyberspace grounded in human rights, fundamental freedoms, democracy and the rule of law.
(71)
EU-CyCLONe should act as an intermediary network between the technical and political levels during large-scale cybersecurity incidents and crises, strengthening cooperation at operational level and supporting decision-making at political level. EU-CyCLONe, in cooperation with the Commission through its crisis management competence, should build on the findings of the CSIRT network and use its own capabilities to prepare an impact assessment of large-scale cybersecurity incidents and crises.
(72)
Cyberattacks are cross-border in nature, and a significant incident can disrupt and damage critical information infrastructure on which the smooth functioning of the internal market depends. Recommendation (EU) 2017/1584 addresses the role of all relevant actors. Furthermore, in the framework of the Union Civil Protection Mechanism established by Decision No 1313/2013/EU of the European Parliament and of the Council (17), the Commission is responsible for general preparedness actions, including managing the Emergency Response Coordination Centre and the Common Emergency Communication and Information System, maintaining and further developing situational awareness and analysis capability, and establishing and managing the capability to mobilize and dispatch teams of experts in the event of a request for assistance from a Member State or a third country. The Commission is also responsible for providing analytical reports for the IPCR arrangements under Implementing Decision (EU) 2018/1993, including in relation to cybersecurity situational awareness and preparedness, as well as for situational awareness and crisis response in the areas of agriculture, adverse weather conditions, conflict mapping and forecasts, early warning systems for natural disasters, public health emergencies, infectious disease surveillance, plant health, chemical incidents, food and feed safety, animal health, migration, customs, nuclear and radiological emergencies, and energy.
(73)
The Union may, where appropriate, conclude international agreements in accordance with Article 218 TFEU with third countries or international organisations, allowing and organising their participation in certain activities of the Cooperation Group, the CSIRTs network and EU-CyCLONe. Such agreements should safeguard the interests of the Union and ensure adequate data protection. This should be without prejudice to the right of Member States to cooperate with third countries on vulnerability management and cybersecurity risk management, facilitating reporting and general information sharing in accordance with Union law.
(74)
In order to facilitate the effective implementation of this Directive, including with regard to vulnerability management, cybersecurity risk management measures, reporting obligations and cybersecurity information sharing arrangements, Member States may cooperate with third countries and undertake activities considered appropriate for that purpose, including information exchange on cyber threats, incidents, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and exercises, training, trust building and structured information sharing arrangements.
(75)
Peer reviews should be introduced to help learn from shared experiences, strengthen mutual trust and achieve a high common level of cybersecurity. Peer reviews can provide valuable insights and recommendations that strengthen overall cybersecurity capabilities, create another functional path for the exchange of best practices between Member States and contribute to a higher level of cybersecurity maturity of Member States. Furthermore, peer reviews should take into account the results of similar mechanisms, such as the peer review system of the CSIRTs network, and should add value and avoid duplication. The introduction of peer reviews should be without prejudice to Union or national law on the protection of confidential or classified information.
(76)
The cooperation group should establish a self-assessment methodology for Member States, aiming to cover factors such as the level of implementation of cybersecurity risk management measures and reporting obligations, the level of capacity and effectiveness of the performance of the tasks of competent authorities, the operational capabilities of the CSIRTs, the level of implementation of mutual assistance, the level of implementation of cybersecurity information sharing arrangements, or specific issues of a cross-border or cross-sectoral nature. Member States should be encouraged to carry out regular self-assessments and to present and discuss the results of their self-assessments within the cooperation group.
(77)
The responsibility for ensuring the security of network and information systems lies to a large extent with essential and important entities. A culture of risk management should be promoted and developed, involving risk assessments and the implementation of cybersecurity risk management measures appropriate to the risks faced.
(78)
Cybersecurity risk management measures should be tailored to the essential or important entity's dependence on network and information systems and should include measures to identify any risks of incidents, to prevent, detect, respond to and recover from incidents and to mitigate their impact. The security of network and information systems should include the security of stored, transmitted and processed data. Cybersecurity risk management measures should provide for a systemic analysis, taking into account the human factor, in order to obtain a complete picture of the security of the network and information system.
(79)
Since threats to the security of network and information systems can come from different sources, cybersecurity risk management measures should be based on an all-hazards approach aimed at protecting network and information systems and the physical environment of those systems against events that could endanger the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by or through network and information systems, such as theft, fire, floods and telecommunications and power failures or unauthorized physical access to, damage to, or interference with the information and information processing facilities of an essential or important entity. Cybersecurity risk management measures should therefore also address the physical and environmental security of network and information systems, by including measures to protect such systems against system failures, human error, malicious acts and natural phenomena, in accordance with European and international standards, such as those in the ISO/IEC 27000 series. In that context, essential and important entities should also address personnel security and implement appropriate access policies as part of their cybersecurity risk management measures. These measures must be in accordance with Directive (EU) 2022/2557.
(80)
In order to demonstrate compliance with cybersecurity risk management measures, and in the absence of appropriate European cybersecurity certification schemes adopted in accordance with Regulation (EU) 2019/881 of the European Parliament and of the Council (18), Member States should, in consultation with the Cooperation Group and the European Cybersecurity Certification Group, promote the use of relevant European and international standards by essential and important entities, or may require entities to use certified ICT products, ICT services and ICT processes.
(81)
In order to avoid imposing disproportionate financial and administrative burdens on essential and important entities, cybersecurity risk management measures should be proportionate to the risks to the network and information system concerned, taking into account the state of the art of such measures and, where appropriate, the relevant European and international standards, as well as the costs of their implementation.
(82)
Cybersecurity risk management measures should be proportionate to the degree of the essential or important entity's exposure to risks and to the societal and economic impact that an incident would have. When establishing cybersecurity risk management measures adapted to essential and important entities, due account should be taken of the divergent risk exposure of essential and important entities, in accordance with the criticality of the entity, the risks, including societal risks, to which the entity is exposed, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
(83)
Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the internal IT staff of essential and important entities, or systems whose security has been outsourced. The cybersecurity risk management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems in-house or outsource their maintenance.
(84)
Given their cross-border nature, the rules for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking service platforms, and trust service providers are highly harmonised at Union level. Therefore, the implementation of cybersecurity risk management measures in respect of those entities should be facilitated by means of an implementing act.
(85)
Addressing risks stemming from an entity's supply chain and its relationships with its suppliers, such as providers of data storage and processing services or providers of managed security services and software editors, is particularly important given the prevalence of incidents in which entities have been victims of cyberattacks and in which malicious perpetrators were able to compromise the security of an entity's network and information systems by exploiting vulnerabilities affecting third-party products and services. Essential and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Essential and important entities should in particular be encouraged to incorporate cybersecurity risk management measures into the contractual arrangements with their direct suppliers and service providers. Those entities may also consider risks stemming from other tiers of suppliers and service providers.
(86)
Among service providers, managed security service providers in areas such as incident response, penetration testing, security auditing and consulting play a particularly important role in assisting entities in their efforts to prevent, detect, respond to and recover from incidents. However, managed security service providers have also been targets of cyber attacks themselves and pose a particular risk due to their close integration into the entities' operations. Essential and important entities should therefore exercise even more care when selecting a managed security services provider.
(87)
Competent authorities may also use cybersecurity services such as security audits, penetration testing or incident response in the context of their supervisory tasks.
(88)
Essential and important entities should also pay attention to the risks arising from their interactions and relationships with other stakeholders within a broader ecosystem, including with regard to countering industrial espionage and protecting trade secrets. In particular, those entities should take appropriate measures to ensure that their cooperation with academic and research institutions is in accordance with their cybersecurity policies and that they follow good practices regarding secure access and dissemination of information in general and the protection of intellectual property in particular. Likewise, when using third-party data transformation and data analytics services, essential and important entities should, given the importance and value of data for their activities, take all appropriate cybersecurity risk management measures.
(89)
Essential and important entities should adopt a wide array of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness of cyber threats, phishing or social engineering techniques. Furthermore, those entities should evaluate their own cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine-learning systems, to enhance their capabilities and the security of network and information systems.
(90)
To further address key supply chain risks and to assist essential and important entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier risks, the Cooperation Group, in cooperation with the Commission and ENISA, and after consulting relevant stakeholders, including industry, as appropriate, should carry out coordinated security risk assessments of critical supply chains, such as those carried out for 5G networks following Commission Recommendation (EU) 2019/534 (19), with the aim of identifying, per sector, the critical ICT services, ICT systems or ICT products and the relevant threats and vulnerabilities. Such coordinated security risk assessments should identify measures, mitigation plans and best practices to address critical dependencies, potential weaknesses, threats, vulnerabilities and other risks associated with the supply chain, and should explore ways to further encourage their wider adoption by essential and important entities. Potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities or "backdoors" and potential systemic supply disruptions, in particular in the case of technological lock-in or dependence on suppliers.
(91)
Coordinated security risk assessments of critical supply chains, in light of the features of the sector concerned, should take into account both technical and, where appropriate, non-technical factors, including those defined in Recommendation (EU) 2019/534, in the Coordinated Cybersecurity Risk Assessment of 5G Networks in the EU and in the EU 5G Cybersecurity Toolbox agreed by the Cooperation Group. To determine which supply chains should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products; (ii) the relevance of specific critical ICT services, ICT systems or ICT products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, ICT systems or ICT products; (iv) the resilience of the overall supply chain of ICT services, ICT systems or ICT products against disruptive events throughout their life cycle; and (v) for emerging ICT services, ICT systems or ICT products, their potential future significance for the entities' activities. Furthermore, particular emphasis should be placed on ICT services, ICT systems or ICT products that are subject to specific requirements stemming from third-country rules.
(92)
In order to streamline the obligations imposed on providers of public electronic communications networks or of publicly available electronic communications services, and on trust service providers, in relation to the security of their network and information systems under Directive (EU) 2018/1972 of the European Parliament and of the Council (20) and Regulation (EU) No 910/2014 respectively, and to enable those entities and their competent authorities to benefit from the legal framework established by this Directive, including the designation of a CSIRT responsible for the handling of incidents and the participation of the competent authorities concerned in the activities of the Cooperation Group and the CSIRTs network, those entities should fall within the scope of this Directive. The corresponding provisions of Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 relating to the imposition of security and notification requirements on those types of entities should therefore be deleted. The reporting obligations laid down in this Directive should be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC.
(93)
The cybersecurity obligations laid down in this Directive should be considered complementary to the requirements for trust service providers under Regulation (EU) No 910/2014. Trust service providers should be required to take all appropriate and proportionate measures to manage the risks to their services, including to customers and relying third parties, and to report incidents under this Directive. Such cybersecurity and reporting obligations should also cover the physical protection of the services provided. The requirements for qualified trust service providers set out in Article 24 of Regulation (EU) No 910/2014 continue to apply.
(94)
Member States may assign the role of the competent authorities for trust services to the supervisory bodies under Regulation (EU) No 910/2014 in order to ensure the continuation of current practices and to build on the knowledge and experience gained in the application of that Regulation. In such a case, the competent authorities under this Directive should cooperate closely and in a timely manner with those supervisory bodies by exchanging relevant information in order to ensure effective supervision and to ensure that trust service providers comply with the requirements of this Directive and of Regulation (EU) No 910/2014. Where applicable, the CSIRT or the competent authority under this Directive should immediately inform the supervisory body under Regulation (EU) No 910/2014 of any reported significant cyber threats or incidents affecting trust services, as well as of any infringements of this Directive by a trust service provider. For the purposes of reporting, Member States may, where appropriate, use the single entry point established to achieve common and automatic incident reporting to both the supervisory body under Regulation (EU) No 910/2014 and the CSIRT or the competent authority under this Directive.
(95)
Where appropriate and in order to avoid unnecessary disruption, the transposition of this Directive should take into account existing national guidelines adopted for the transposition of the rules on security measures laid down in Articles 40 and 41 of Directive (EU) 2018/1972, building on the knowledge and skills already acquired under Directive (EU) 2018/1972 concerning security measures and incident notification. ENISA may also develop guidelines on security requirements and on reporting obligations for providers of public electronic communications networks or of publicly available electronic communications services, in order to facilitate harmonisation and transition and to minimise disruption. Member States may assign the role of the competent authorities for electronic communications to the national regulatory authorities under Directive (EU) 2018/1972 in order to ensure the continuation of current practices and to build on the knowledge and experience gained in the implementation of that Directive.
(96)
Given the growing importance of number-independent interpersonal communications services as defined in Directive (EU) 2018/1972, it is necessary to ensure that such services are also subject to appropriate security requirements, in view of their specific nature and economic importance. As the attack surface continues to expand, number-independent interpersonal communications services, such as messaging services, are becoming widespread attack vectors. Malicious perpetrators use platforms to communicate with victims and lure them into opening compromised web pages, thereby increasing the likelihood of incidents involving the unlawful use of personal data and, by extension, the security of network and information systems. Providers of number-independent interpersonal communications services should ensure a level of security of network and information systems appropriate to the risks posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services as defined in Directive (EU) 2018/1972 which make use of numbers and which do not exercise actual control over signal transmission.
(97)
The internal market is more dependent than ever on the functioning of the Internet. The services of virtually all essential and important entities depend on services provided through the Internet. To ensure smooth provision of services by essential and important entities, it is important that all providers of public electronic communications networks have appropriate cybersecurity risk management measures in place and report significant incidents related to them. Member States must ensure that the security of public electronic communications networks is maintained and that their essential security interests are protected against sabotage and espionage. As international connectivity enhances and accelerates the competitiveness-oriented digitalisation of the Union and its economy, incidents related to submarine communications cables should be reported to the CSIRT or, as appropriate, the competent authority. The national cybersecurity strategy should be aligned, where appropriate, with the cybersecurity of submarine communications cables and, in order to ensure the highest level of protection thereof, should include an inventory of possible cybersecurity risks and mitigation measures.
(98)
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption, as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption, should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services, in accordance with the principles of security and privacy by default and by design, for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States' powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for effective data protection and privacy and for the security of communications.
(99)
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services and to prevent abuse and manipulation, the use of secure routing standards should be promoted to ensure the integrity and robustness of routing functions across the ecosystem of internet access service providers.
(100)
In order to ensure the functionality and integrity of the Internet and to promote the security and resilience of the DNS, relevant stakeholders, including private sector entities in the Union, providers of publicly available electronic communications services, in particular providers of Internet access services, and providers of online search engines, are urged to adopt a strategy for diversifying DNS resolution. In addition, Member States should promote the development and use of a public and secure European DNS resolution service.
(101)
This Directive provides for a multiple-stage approach to the reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows essential and important entities to seek assistance, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual entities and entire sectors. In that regard, this Directive should also cover the reporting of incidents that, based on an initial assessment carried out by the entity concerned, could cause severe operational disruption of the services or financial loss for that entity, or affect other natural or legal persons by causing considerable material or non-material damage. Such an initial assessment should take into account, inter alia, the network and information systems affected, in particular their importance for the provision of the entity's services, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities being exploited, as well as the entity's experience with similar incidents. Indicators such as the extent to which the functioning of the service is affected, the duration of an incident or the number of affected recipients of the services could play an important role in determining whether the operational disruption of the service is severe.
(102)
When essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit that incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, in particular to update the information submitted in the early warning and to give an initial assessment of the significant incident, including its severity and impact, as well as, where available, indicators of compromise. A final report should be submitted no later than one month after the incident notification. The early warning should contain only the information necessary to make the CSIRT or, where applicable, the competent authority aware of the significant incident and to allow the entity concerned to seek assistance if required. Where applicable, the early warning should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts and whether it is likely to have a cross-border impact. Member States should ensure that the obligation to submit that early warning, or the subsequent incident notification, does not divert the notifying entity's resources from activities related to incident handling, which should be prioritised, in order to prevent incident reporting obligations from diverting resources from the response to significant incidents or otherwise compromising the entity's response efforts. If the incident is still ongoing at the time the final report would be due, Member States should ensure that the entities concerned submit a progress report at that time and a final report within one month of the significant incident being handled.
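As an added illustration (not part of the Directive's text), the following Python helper derives the deadlines of the multi-stage timeline this recital describes (early warning at 24 hours, incident notification at 72 hours, final report or progress report one month later, final report one month after resolution if the incident was still ongoing) and flags stages that are overdue. The function names, the calendar-month rule for "one month", the use of the 72-hour deadline as the reference point when no notification has been submitted yet, and the sample timestamps are all assumptions of this example.

```python
"""Worked example of the NIS2 recital (102) reporting timeline.

Added here as an illustration; not part of the Directive. Everything
below (names, the calendar-month rule, sample timestamps) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import calendar

EARLY_WARNING_WINDOW = timedelta(hours=24)  # early warning within 24 h
NOTIFICATION_WINDOW = timedelta(hours=72)   # incident notification within 72 h


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a UTC timestamp (helper for constructed sample data)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Advance t by one calendar month, clamping the day to the target month's
    length (31 Jan -> 29 Feb in a leap year). Counting "one month" this way is
    an assumption of this example; the recital does not define it."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingTimeline:
    early_warning_due: datetime
    incident_notification_due: datetime
    # Set only when the incident is still ongoing when the final report would be due.
    progress_report_due: Optional[datetime]
    # None while the incident is unresolved and a progress report is pending.
    final_report_due: Optional[datetime]


def compute_timeline(aware_at: datetime,
                     notified_at: Optional[datetime] = None,
                     resolved_at: Optional[datetime] = None) -> ReportingTimeline:
    """Derive the reporting deadlines from the moment the entity became aware.

    notified_at: when the 72-hour incident notification was actually submitted;
    if it has not been submitted yet, the deadline itself is used as the
    reference point (an assumption of this example).
    resolved_at: when the incident was handled, or None if still ongoing.
    """
    early_due = aware_at + EARLY_WARNING_WINDOW
    notification_due = aware_at + NOTIFICATION_WINDOW
    reference = notified_at if notified_at is not None else notification_due
    one_month_after_notification = add_one_month(reference)

    if resolved_at is not None and resolved_at <= one_month_after_notification:
        # Handled in time: the final report is due one month after notification.
        return ReportingTimeline(early_due, notification_due, None,
                                 one_month_after_notification)

    # Still ongoing when the final report would fall due: a progress report is
    # submitted then, and the final report one month after the incident is handled.
    final_due = add_one_month(resolved_at) if resolved_at is not None else None
    return ReportingTimeline(early_due, notification_due,
                             one_month_after_notification, final_due)


def overdue_stages(timeline: ReportingTimeline, now: datetime,
                   submitted: Dict[str, datetime]) -> List[str]:
    """Return the stages whose deadline has passed without a timely submission.

    submitted maps a stage name to the time that stage was actually sent.
    A stage is overdue if it was never sent and its deadline has passed, or if
    it was sent after its deadline.
    """
    deadlines = {
        "early_warning": timeline.early_warning_due,
        "incident_notification": timeline.incident_notification_due,
        "progress_report": timeline.progress_report_due,
        "final_report": timeline.final_report_due,
    }
    late = []
    for stage, due in deadlines.items():
        if due is None:
            continue  # stage not applicable (yet)
        sent = submitted.get(stage)
        if (sent is None and now > due) or (sent is not None and sent > due):
            late.append(stage)
    return late


if __name__ == "__main__":
    # Constructed sample: aware on 1 March 2024 10:00 UTC, notified on 3 March,
    # incident still ongoing.
    tl = compute_timeline(utc(2024, 3, 1, 10), notified_at=utc(2024, 3, 3, 9))
    print(tl)
    print(overdue_stages(tl, utc(2024, 3, 5), {"early_warning": utc(2024, 3, 2, 8)}))
```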
(103)
Where appropriate, essential and important entities should, without undue delay, inform their service recipients of any measures or remedies available to them to mitigate the risks resulting from a significant cyber threat. Where appropriate, and in particular where the significant cyber threat is likely to result in incidents, those entities should also inform their service recipients of the threat itself. The requirement to inform those recipients of significant cyber threats should be met on a best-effort basis, but should not relieve the entities of the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any such threats and to restore the normal security level of the service. Such information about significant cyber threats should be provided to the service recipients free of charge and drafted in easily understandable language.
(104)
Providers of public electronic communications networks or of publicly available electronic communications services should implement security by design and by default, and inform their service recipients of significant cyber threats and of the measures they can take to protect the security of their devices and communications, for example by using specific types of software or encryption technologies.
(105)
A proactive approach to cyber threats is an indispensable part of cybersecurity risk management and should ensure that competent authorities can effectively prevent cyber threats from leading to incidents that could cause significant material or non-material damage. To this end, it is crucial that cyber threats are reported. Therefore, entities are encouraged to report cyber threats on a voluntary basis.
(106)
In order to simplify the reporting of information required under this Directive and to reduce the administrative burden on entities, Member States should provide technical means, such as a single entry point, automated systems, online forms, user-friendly interfaces, templates and dedicated platforms, for the use of entities, regardless of whether they fall within the scope of this Directive, for the submission of the relevant information to be reported. Union funding supporting the implementation of this Directive, in particular under the Digital Europe Programme established by Regulation (EU) 2021/694 of the European Parliament and of the Council (21), could include support for single entry points. Moreover, entities are often in a situation where a particular incident, because of its characteristics, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional administrative burden and could also lead to uncertainties with regard to the format and procedures of such notifications. Where a single entry point is established, Member States are encouraged to also use that single entry point for notifications of security incidents required under other Union law, such as Regulation (EU) 2016/679 and Directive 2002/58/EC. The use of that single entry point for the reporting of security incidents under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein.
ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines in order to simplify and streamline the information to be reported under Union law and to reduce the administrative burden on notifying entities.
(107)
Where an incident is suspected to be related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of the applicable rules on criminal proceedings in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applicable to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of the different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.
(108)
In many cases, personal data is compromised as a result of incidents. In that context, competent authorities should cooperate and exchange information on all relevant matters with the authorities referred to in Regulation (EU) 2016/679 and Directive 2002/58/EC.
(109)
Maintaining accurate and complete databases of domain name registration data ("WHOIS data") and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity in the Union. For that specific purpose, top-level domain name registries and entities providing domain name registration services should be required to process certain data necessary for that purpose. Such processing should constitute a legal obligation within the meaning of Article 6(1)(c) of Regulation (EU) 2016/679. That obligation is without prejudice to the possibility of collecting domain name registration data for other purposes, for example on the basis of legal requirements or contractual arrangements established in other Union or national law. That obligation aims to ensure a complete and accurate set of registration data and should not lead to the same data being collected more than once. Top-level domain name registries and entities providing domain name registration services should cooperate with each other to avoid duplication of effort.
(110)
The availability and timely accessibility of domain name registration data to legitimate access requesters is essential to prevent and combat DNS misuse and to prevent, detect and respond to incidents. A legitimate access requester means any natural or legal person making a request under Union or national law. This may include authorities competent under this Directive and authorities competent under Union or national law for the prevention, investigation, detection or prosecution of criminal offences, as well as CERTs or CSIRTs. Top-level domain name registries and entities providing domain name registration services should be required to grant legitimate access requesters access to the specific domain name registration data that is necessary for the purposes of the access request, in accordance with Union and national law. Requests for legitimate access should be accompanied by a statement of reasons allowing an assessment of whether access to the data is necessary.
(111)
In order to ensure the availability of accurate and complete domain name registration data, top-level domain name registries and entities providing domain name registration services should collect domain name registration data and guarantee its integrity and availability. In particular, top-level domain name registries and entities providing domain name registration services should establish policies and procedures to collect and maintain accurate and complete domain name registration data, and to prevent and correct inaccurate registration data, in accordance with Union data protection law. Those policies and procedures should take into account, to the extent possible, the standards developed by the multi-stakeholder governance structures at international level. Top-level domain name registries and entities providing domain name registration services should establish and implement proportionate procedures to verify domain name registration data. Those procedures should reflect best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of registration and ex post controls carried out after registration. Top-level domain name registries and entities providing domain name registration services should, in particular, verify at least one means of contact of the registrant.
(112)
Top-level domain name registries and entities providing domain name registration services should be required to make publicly available domain name registration data that falls outside the scope of Union data protection law, such as data concerning legal persons, in line with the preamble to Regulation (EU) 2016/679. For legal persons, top-level domain name registries and entities providing domain name registration services should make publicly available at least the name and telephone number of the registrant. The e-mail address should also be published, provided that it does not contain any personal data, as is the case for e-mail aliases or functional mailboxes. Top-level domain name registries and entities providing domain name registration services should also grant legitimate access requesters access to specific domain name registration data relating to natural persons, in accordance with Union data protection law. Member States should require top-level domain name registries and entities providing domain name registration services to respond without undue delay to requests for the disclosure of domain name registration data from legitimate access requesters. Top-level domain name registries and entities providing domain name registration services should establish policies and procedures for the publication and disclosure of registration data, including service level agreements for handling access requests from legitimate access requesters. Those policies and procedures should take full account of any guidelines and standards developed by the multi-stakeholder governance structures at international level. The access procedure could include the use of an interface, a portal or other technical tool to provide an efficient system for requesting and accessing registration data.
In order to promote harmonized practices throughout the internal market, the Commission may, without prejudice to the powers of the European Data Protection Board, establish guidelines for such procedures, taking as far as possible into account the standards developed by the structures for multi-stakeholder governance at international level. Member States should ensure that all forms of access to personal and non-personal domain name registration data are free of charge.
(113)
Entities falling within the scope of this Directive should be considered to fall under the jurisdiction of the Member State in which they are established. However, providers of public electronic communications networks or providers of publicly available electronic communications services should be considered to fall under the jurisdiction of the Member State in which they provide their services. DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms should be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union. Public administration entities should fall under the jurisdiction of the Member State which established them. If the entity provides services or is established in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of those Member States. The competent authorities of those Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions. Where Member States exercise jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct, in line with the ne bis in idem principle.
(114)
In order to take account of the cross-border nature of the services and operations of DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, only one Member State should have jurisdiction over those entities. Jurisdiction should be attributed to the Member State in which the entity concerned has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with legal personality, is not the determining factor in that respect. Whether that criterion is met should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such a main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be considered to be in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken in the Union. This will typically correspond to the place of the entities' central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment should be considered to be in the Member State where cybersecurity operations are carried out.
If such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity has the establishment with the highest number of employees in the Union. Where the services are provided by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.
(115)
Where a provider of public electronic communications networks or publicly available electronic communications services provides a public recursive DNS service solely as part of the internet access service, the entity should be considered to be subject to the jurisdiction of all Member States where its services are provided.
(116)
Where a DNS service provider, a top-level domain name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform is not established in the Union but offers services within the Union, it should designate a representative in the Union. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website of the entity or of an intermediary, or of an e-mail address or of other contact details, or the use of a language generally used in the third country where the entity is established, should be considered insufficient in itself to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States, together with the possibility of ordering services in that language, or the mentioning of customers or users who are located in the Union, could make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity, and it should be possible for the competent authorities or the CSIRTs to address the representative. The representative should be explicitly designated by a written mandate of the entity to act on its behalf with regard to the obligations laid down in this Directive, including incident reporting.
(117)
For the purpose of providing a clear overview of DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines and social networking service platforms, which provide services falling within the scope of this Directive throughout the Union, ENISA should establish and maintain a register of such entities, based on the information provided by Member States and, where necessary, using national mechanisms for self-registration by entities. The single points of contact should forward the information, and any changes thereto, to ENISA. In order to ensure the accuracy and completeness of the information to be included in that register, Member States may provide ENISA with the information available on those entities in their national registers. ENISA and the Member States should take measures to promote the interoperability of such registers, while ensuring the protection of confidential or classified information. ENISA should establish appropriate protocols for the classification and management of information to ensure the security and confidentiality of reported information, and to restrict the access to, storage of and transmission of that information to its intended users.
(118)
Where information that is classified under Union or national law is exchanged, reported or otherwise shared under this Directive, the relevant rules on the handling of classified information should apply. In addition, ENISA should have the infrastructure, procedures and rules necessary to handle sensitive and classified information in accordance with the applicable security rules for protecting EU classified information.
(119)
As cyber threats become more complex and sophisticated, good detection of such threats and prevention measures in respect of them depend to a large extent on the regular sharing of threat and vulnerability intelligence between entities. Information sharing contributes to increased awareness of cyber threats, which in turn enhances entities' capacity to prevent such threats from materialising into real incidents and enables entities to better contain the effects of incidents and to recover more efficiently. In the absence of guidance at Union level, various factors seem to have inhibited such intelligence sharing, in particular uncertainty over its compatibility with competition and liability rules.
(120)
Entities should be encouraged and assisted by Member States to collectively use their individual knowledge and practical experience at strategic, tactical and operational levels with a view to improving their capabilities to adequately prevent, detect, respond to or recover from incidents or to mitigate their impact. It is therefore necessary to enable the emergence of voluntary cybersecurity information-sharing arrangements at Union level. To that end, Member States should actively assist and encourage entities, such as those providing cybersecurity services and research, as well as relevant entities not falling within the scope of this Directive, to participate in such cybersecurity information-sharing arrangements. Those arrangements should comply with Union competition rules and Union data protection law.
(121)
The processing of personal data, to the extent necessary and proportionate for the purpose of ensuring the security of network and information systems by essential and important entities, could be considered to be lawful on the basis that such processing complies with a legal obligation to which the controller is subject, in accordance with the requirements of Article 6(1), point (c), and Article 6(3) of Regulation (EU) 2016/679. The processing of personal data could also be necessary for the purposes of the legitimate interests pursued by essential and important entities, as well as by providers of security technologies and services acting on behalf of those entities, pursuant to Article 6(1), point (f), of Regulation (EU) 2016/679, including where such processing is necessary for cybersecurity information-sharing arrangements or the voluntary notification of relevant information in accordance with this Directive. Measures related to the prevention, detection, identification, containment, analysis of and response to incidents, measures to raise awareness in relation to specific cyber threats, the exchange of information in the context of vulnerability remediation and coordinated vulnerability disclosure, the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools could require the processing of certain categories of personal data, such as IP addresses, uniform resource locators (URLs), domain names, e-mail addresses and, where those reveal personal data, timestamps.
The processing of personal data by the competent authorities, the single points of contact and the CSIRTs could constitute a legal obligation or be considered to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6(1), point (c) or (e), and Article 6(3) of Regulation (EU) 2016/679, or for pursuing a legitimate interest of the essential and important entities, as referred to in Article 6(1), point (f), of that Regulation. Furthermore, national law could lay down rules allowing the competent authorities, the single points of contact and the CSIRTs, to the extent necessary and proportionate for the purpose of ensuring the security of network and information systems of essential and important entities, to process special categories of personal data in accordance with Article 9 of Regulation (EU) 2016/679, in particular by providing for suitable and specific measures to safeguard the fundamental rights and interests of natural persons, including technical limitations on the re-use of such data and the use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation could significantly affect the purpose pursued.
(122)
In order to strengthen supervisory powers and measures that contribute to effective compliance, this Directive should provide for a minimum list of supervisory measures and tools to enable competent authorities to supervise essential and important entities. Furthermore, this Directive should distinguish between the supervisory regimes for essential and for important entities in order to ensure a fair balance between the obligations for those entities and for the competent authorities. Therefore, essential entities should be subject to a comprehensive ex ante and ex post supervisory regime, while important entities should only be subject to a light ex post supervisory regime. Important entities should therefore not be required to systematically document compliance with cybersecurity risk-management measures, and competent authorities should carry out supervision reactively and ex post and therefore have no general obligation to supervise those entities. Ex post supervision of important entities may be triggered where evidence, indications or information have been brought to the attention of competent authorities and are considered by those authorities to indicate possible infringements of this Directive. Such evidence, indications or information may, for example, be of the type provided to the competent authorities by other authorities, entities, citizens, media or other sources, may be publicly available information, or may arise from other work carried out by the competent authorities in the performance of their duties.
(123)
The performance of supervisory tasks by the competent authorities should not unduly hinder the business activities of the entity concerned. When carrying out their supervisory tasks in relation to essential entities, including conducting on-site inspections and off-site supervision, investigating infringements of this Directive, and conducting security audits or security scans, competent authorities should seek to minimise the impact on the business activities of the entity concerned.
(124)
When exercising ex ante supervision, competent authorities should be able to decide in a proportionate manner how to prioritise the use of the supervisory measures and resources at their disposal. This means that competent authorities can decide on such prioritisation on the basis of supervisory methodologies that should follow a risk-based approach. More specifically, such methodologies may include criteria or benchmarks for the classification of essential entities into risk categories, together with the supervisory measures and means recommended for each risk category, such as the use, frequency or types of on-site inspections, targeted security audits or security scans, the type of information to be requested and the level of detail of that information. Such supervisory methodologies may also be accompanied by work programmes and be regularly assessed and reviewed, including in respect of aspects such as resource allocation and needs. In relation to public administration entities, supervisory powers should be exercised in accordance with national legislative and institutional frameworks.
(125)
Competent authorities should ensure that their supervisory tasks in relation to essential and important entities are carried out by trained professionals, who should have the skills necessary to carry out those tasks, in particular as regards on-site inspections and off-site supervision, including the identification of weaknesses in databases, hardware, firewalls, encryption and networks. Those inspections and that supervision should be carried out in an objective manner.
(126)
In duly justified cases where the competent authority is aware of a significant cyber threat or an imminent risk, it should be able to take immediate enforcement decisions to prevent or respond to an incident.
(127)
In order to make enforcement effective, a minimum list of enforcement powers that can be exercised in the event of infringements of the cybersecurity risk-management measures and reporting obligations laid down in this Directive should be established, providing a clear and coherent framework for such enforcement across the Union. Due account should be taken of the nature, gravity and duration of the infringement of this Directive, the material or non-material damage caused, whether the infringement was intentional or negligent, the measures taken to prevent or mitigate the material or non-material damage, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating circumstance. Enforcement measures, including administrative fines, should be proportionate, and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union (the "Charter"), including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.
(128)
This Directive does not oblige Member States to provide for a liability regime under which natural persons responsible for ensuring that an entity complies with this Directive are liable, criminally or civilly, for damage suffered by third parties as a result of an infringement of this Directive.
(129)
In order to ensure effective enforcement of the obligations set out in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines.
(130)
Where an administrative fine is imposed on an essential or important entity that is an undertaking, an undertaking should be understood, for those purposes, to be an undertaking within the meaning of Articles 101 and 102 TFEU. Where an administrative fine is imposed on a person that is not an undertaking, the competent authority should take account of the general level of income in the Member State as well as the economic situation of the person when determining the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public administration entities should be subject to administrative fines. Imposing an administrative fine does not affect the application of other powers of the competent authorities or of other penalties laid down in the national rules transposing this Directive.
(131)
Member States should be able to lay down the rules on criminal penalties for infringements of the national rules transposing this Directive. However, the imposition of criminal penalties for infringements of such national rules and of related administrative penalties should not lead to a breach of the ne bis in idem principle as interpreted by the Court of Justice of the European Union.
(132)
Where this Directive does not provide for the harmonization of administrative sanctions or where necessary in other cases, for example in the event of a serious infringement of this Directive, Member States should apply a system providing for effective, proportionate and dissuasive sanctions. The nature of those sanctions and whether they are criminal or administrative should be determined by national law.
(133)
In order to further strengthen the effectiveness and deterrent effect of the enforcement measures applicable to infringements of this Directive, competent authorities should be empowered to temporarily suspend, or to request the temporary suspension of, a certification or authorisation concerning part or all of the relevant services provided or activities carried out by an essential entity, and to request the imposition of a temporary prohibition on the exercise of managerial functions by a natural person discharging managerial responsibilities at the level of the chief executive officer or the legal representative. Given their severity and their impact on the activities of the entities and ultimately on their users, such temporary suspensions or prohibitions should only be applied in proportion to the seriousness of the infringement and taking into account the specific circumstances of each individual case, including whether the infringement was intentional or negligent, and the measures taken to prevent or mitigate the material or non-material damage. Such temporary suspensions or prohibitions should only be applied as a last resort, namely only after the other relevant enforcement measures provided for in this Directive have been exhausted, and only until the entity concerned takes the necessary steps to remedy the deficiencies or to comply with the requirements of the competent authority for which such temporary suspensions or prohibitions were applied. The imposition of such temporary suspensions or prohibitions should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.
(134)
In order to ensure that entities comply with their obligations under this Directive, Member States should cooperate and assist each other in supervisory and enforcement measures, in particular where an entity provides services in more than one Member State or where its network and information systems are located in a Member State other than that in which it provides services. When providing assistance, the requested competent authority should take supervisory or enforcement measures in accordance with national law. In order to ensure the smooth functioning of mutual assistance under this Directive, competent authorities should use the cooperation group as a forum to discuss issues and specific requests for assistance.
(135)
In order to ensure effective supervision and enforcement, in particular in situations with a cross-border dimension, a Member State that has received a request for mutual assistance should, within the limits of that request, take appropriate supervisory and enforcement measures in relation to the entity that is the subject of that request and that provides services or has a network and information system on the territory of that Member State.
(136)
This Directive should lay down rules on cooperation between the competent authorities and the supervisory authorities under Regulation (EU) 2016/679 in the handling of infringements of this Directive that involve personal data breaches.
(137)
This Directive should aim at ensuring a high level of responsibility for the cybersecurity risk-management measures and reporting obligations at the level of essential and important entities. Therefore, the management bodies of the essential and important entities should approve the cybersecurity risk-management measures and oversee their implementation.
(138)
In order to ensure a high common level of cybersecurity in the Union on the basis of this Directive, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of supplementing this Directive by specifying which categories of essential and important entities are to be required to use certain certified ICT products, ICT services and ICT processes or to obtain a certificate under a European cybersecurity certification scheme. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (22). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(139)
In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission to lay down the procedural arrangements necessary for the functioning of the cooperation group, as well as the technical, methodological and sectoral requirements concerning cybersecurity risk-management measures, and to further specify the type of information, the format and the procedure for reporting incidents, cyber threats and near misses, as well as for notifications of significant cyber threats, and the cases in which an incident is to be considered significant. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (23).
(140)
The Commission should keep this Directive under regular review, after consulting stakeholders, in particular to determine whether it is appropriate to propose amendments in the light of changes in social, political, technological or market conditions. In the context of those reviews, the Commission should assess the relevance of the size of the entities concerned, and the sectors, sub-sectors and types of entities referred to in the Annexes to this Directive for the functioning of the economy and society in connection with cybersecurity. The Commission should, inter alia, assess whether providers falling within the scope of this Directive and designated as very large online platforms within the meaning of Article 33 of Regulation (EU) 2022/2065 of the European Parliament and of the Council (24) can be considered as essential entities under this Directive.
(141)
This Directive creates new tasks for ENISA, giving it a greater role, and could also require ENISA to carry out its existing tasks under Regulation (EU) 2019/881 at a higher level than before. In order to ensure that ENISA has the necessary financial and human resources to carry out existing and new tasks, and to meet a higher level of implementation of those tasks resulting from its increased role, its budget should be increased accordingly. Moreover, in order to ensure efficient use of resources, ENISA should be given greater flexibility so that it is able to allocate resources internally to carry out its tasks effectively and meet expectations.
(142)
Since the objective of this Directive, namely to achieve a high common level of cybersecurity across the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.
(143)
This Directive respects the fundamental rights and observes the principles recognised by the Charter, in particular the right to respect for private life and communications, the right to the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence. The right to an effective remedy also extends to recipients of services provided by essential and important entities. This Directive should be implemented in accordance with those rights and principles.
(144)
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (25) and delivered an opinion on 11 March 2021 (26),
HAVE ADOPTED THE FOLLOWING DIRECTIVE:
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
1. This Directive provides for measures aimed at achieving a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.
2. To this end, this Directive provides:
a)
obligations requiring Member States to adopt national cybersecurity strategies, and to designate or establish competent authorities, cyber crisis management authorities, single points of contact for cybersecurity (central contact points) and computer security incident response teams (CSIRTs);
b)
cybersecurity risk management measures and reporting obligations for entities of a type referred to in Annex I or II, as well as for entities identified as critical entities under Directive (EU) 2022/2557;
c)
rules and obligations regarding the sharing of cybersecurity information;
d)
monitoring and enforcement obligations for Member States.
Article 2
Scope of application
1. This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises laid down in paragraph 1 of that Article, and which provide their services or carry out their activities in the Union.
Article 3(4) of the Annex to that Recommendation shall not apply to the application of this Directive.
2. This Directive shall also apply to entities of the type referred to in Annex I or II, regardless of their size, where:
a)
the services are provided by:
i)
providers of public electronic communications networks or of public electronic communications services;
ii)
providers of trust services;
iii)
top-level domain name registries and domain name registration service providers;
b)
the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
c)
disruption of the service provided by the entity may have a significant impact on public safety, public security or public health;
d)
disruption of the service provided by the entity could pose significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
e)
the entity is critical because of its specific importance at national or regional level for the specific sector or type of service, or for other interdependent sectors in the Member State;
f)
the entity is a public authority:
i)
of central government as defined by a Member State in accordance with national law, or
ii)
at regional level as defined by a Member State in accordance with national law, which, following a risk assessment, provides services the disruption of which could have a significant impact on critical social or economic activities.
3. This Directive applies to entities identified as a critical entity under Directive (EU) 2022/2557, regardless of their size.
4. This Directive applies to entities providing domain name registration services, regardless of their size.
5. Member States may provide that this Directive applies to:
a)
government agencies at local level;
b)
educational institutions, especially when conducting critical research activities.
6. This Directive is without prejudice to the Member States' responsibility for safeguarding national security and to their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.
7. This Directive does not apply to public authorities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
8. Member States may exempt specific entities which carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, or which provide services exclusively to the public authorities referred to in paragraph 7 of this Article, from the obligations laid down in Article 21 or Article 23 in respect of those activities or services. In such cases, the supervisory and enforcement measures referred to in Chapter VII shall not apply in relation to those specific activities or services. Where the entities carry out activities or provide services exclusively of the type referred to in this paragraph, Member States may decide to also exempt those entities from the obligations laid down in Articles 3 and 27.
9. Paragraphs 7 and 8 shall not apply where an entity acts as a trust service provider.
10. This Directive shall not apply to entities excluded by Member States from the scope of Regulation (EU) 2022/2554 in accordance with Article 2(4) of that Regulation.
11. The obligations laid down in this Directive do not include the provision of information the disclosure of which would be contrary to the essential interests of Member States' national security, public safety or defense.
12. This Directive applies without prejudice to Regulation (EU) 2016/679, Directive 2002/58/EC, Directives 2011/93/EU (27) and 2013/40/EU (28) of the European Parliament and of the Council, and Directive (EU) 2022/2557.
13. Without prejudice to Article 346 TFEU, information which is confidential under Union or national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other competent authorities in accordance with this Directive only where such exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. When exchanging information, the confidentiality of that information shall be preserved and the security and commercial interests of the entities concerned shall be protected.
14. Entities, competent authorities, central contact points and CSIRTs shall process personal data to the extent necessary for the purposes of this Directive and in accordance with Regulation (EU) 2016/679; in particular, such processing shall be based on Article 6 thereof.
The processing of personal data under this Directive by providers of public electronic communications networks or providers of publicly available electronic communications services shall be carried out in accordance with Union data protection law and Union law on privacy, in particular Directive 2002/58/EC.
Article 3
Essential and important entities
1. For the purposes of this Directive, the following entities shall be considered essential entities:
a)
entities of a type referred to in Annex I exceeding the ceilings for medium-sized enterprises set out in Article 2(1) of the Annex to Recommendation 2003/361/EC;
b)
qualified providers of trust services and registries for top-level domain names as well as DNS service providers, regardless of their size;
c)
providers of public electronic communications networks or of publicly available electronic communications services that qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC;
d)
public authorities referred to in Article 2(2)(f)(i);
e)
all other entities of a type referred to in Annex I or II that have been identified by a Member State as essential entities under Article 2(2)(b) to (e);
f)
entities designated as critical entities under Directive (EU) 2022/2557, as referred to in Article 2(3) of this Directive;
g)
where the Member State so decides, entities identified by that Member State as providers of essential services in accordance with Directive (EU) 2016/1148 or national law before 16 January 2023.
2. For the purposes of this Directive, entities of a type referred to in Annex I or II which do not qualify as essential entities under paragraph 1 of this Article shall be considered to be important entities. This includes entities identified by Member States as important entities under Article 2(2)(b) to (e).
3. By 17 April 2025, Member States shall establish a list of essential and important entities and entities providing domain name registration services. Member States shall review that list regularly and at least every two years thereafter and update it as necessary.
4. For the purpose of establishing the list referred to in paragraph 3, Member States shall require the entities referred to in that paragraph to provide at least the following information to the competent authorities:
a)
the name of the entity;
b)
the address and current contact details, including email addresses, IP ranges and telephone numbers;
c)
where applicable, the relevant sector and sub-sector referred to in Annex I or II, and
d)
where applicable, a list of the Member States where they provide services falling within the scope of this Directive.
The entities referred to in paragraph 3 shall notify any changes to the details they submitted under the first subparagraph of this paragraph without delay, and in any event within two weeks of the date of the change.
The Commission, with the assistance of the European Union Cybersecurity Agency (ENISA), shall, without undue delay, establish guidelines and templates in relation to the obligations laid down in this paragraph.
Member States may establish national mechanisms enabling entities to register themselves.
5. By 17 April 2025 and every two years thereafter, the competent authorities shall report:
a)
to the Commission and the cooperation group: the number of essential and important entities listed under paragraph 3 for each sector and sub-sector referred to in Annex I or II, and
b)
to the Commission: relevant information on the number of essential and important entities identified as such under Article 2(2)(b) to (e), the sector and sub-sector referred to in Annex I or II to which they belong, the type of service they provide, and the provision of Article 2(2)(b) to (e) on the basis of which they were identified as such.
6. Until 17 April 2025 and at the request of the Commission, Member States may notify to the Commission the names of the essential and important entities referred to in paragraph 5(b).
Article 4
Sector-specific Union legal acts
1. Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the supervisory and enforcement provisions laid down in Chapter VII, shall not apply to such entities. Where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.
2. The requirements referred to in paragraph 1 of this Article shall be considered equivalent to the obligations laid down in this Directive where:
a)
the cybersecurity risk management measures have at least a comparable impact to those set out in Article 21(1) and (2); or
b)
the sector-specific Union legal act provides for immediate, where appropriate automatic and direct, access to incident notifications by the CSIRTs, the competent authorities or the central contact points under this Directive, and where the requirements for notifying significant incidents have an effect at least equivalent to that of Article 23(1) to (6) of this Directive.
3. By 17 July 2023, the Commission shall adopt guidelines to clarify the application of paragraphs 1 and 2. Those guidelines shall be regularly reviewed by the Commission. When preparing those guidelines, the Commission shall take into account all comments made by the Cooperation Group and ENISA.
Article 5
Minimum harmonization
This Directive shall not prevent Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with the obligations of the Member States under Union law.
Article 6
Definitions
For the purposes of this Directive, the following definitions apply:
1)
“network and information system”:
a)
an electronic communications network within the meaning of Article 2(1) of Directive (EU) 2018/1972;
b)
any device or group of interconnected or related devices, one or more of which, pursuant to a program, carry out automatic processing of digital data, or
c)
digital data stored, processed, retrieved or transmitted using the elements referred to in points (a) and (b) for the purpose of their operation, use, protection and maintenance;
2)
“security of network and information systems” means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;
3)
“cybersecurity” means cybersecurity as defined in Article 2(1) of Regulation (EU) 2019/881;
4)
“national cybersecurity strategy” means a coherent framework of a Member State setting out strategic cybersecurity objectives and priorities and the governance to achieve those objectives and priorities in that Member State;
5)
“near incident” means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise;
6)
“incident” means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;
7)
“large-scale cybersecurity incident” means an incident which causes a level of disruption that exceeds a Member State's capacity to respond to it or which has a significant impact on at least two Member States;
8)
“incident handling” means any actions and procedures aiming to prevent, detect, analyse and contain or to respond to and recover from an incident;
9)
“risk” means the possibility of loss or disruption resulting from an incident, which is expressed as a combination of the magnitude of such loss or disruption and the likelihood of the incident occurring;
10)
“cyber threat” means a cyber threat as defined in Article 2(8) of Regulation (EU) 2019/881;
11)
“significant cyber threat” means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or on the users of the entity's services by causing considerable material or non-material damage;
12)
“ICT product” means an ICT product as defined in Article 2(12) of Regulation (EU) 2019/881;
13)
“ICT service” means an ICT service as defined in Article 2(13) of Regulation (EU) 2019/881;
14)
“ICT process” means an ICT process as defined in Article 2(14) of Regulation (EU) 2019/881;
15)
“vulnerability” means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat;
16)
“standard” means a standard as defined in Article 2(1) of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (29);
17)
“technical specification” means a technical specification within the meaning of Article 2(4) of Regulation (EU) No 1025/2012;
18)
“Internet node” means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of Internet traffic, which provides interconnection only for autonomous systems, and which neither requires the Internet traffic passing between any pair of participating autonomous systems to pass through a third autonomous system nor alters or otherwise interferes with such traffic;
19)
“domain name system (DNS)” means a hierarchical distributed naming system that allows the identification of Internet services and resources, thereby enabling end-user devices to use routing and connectivity services on the Internet to reach those services and resources;
20)
“DNS service provider” means an entity that provides the following services:
a)
publicly available recursive domain name resolution services for Internet end-users, or
b)
authoritative domain name resolution services for use by third parties, excluding root name servers;
21)
“top-level domain name registry” means an entity which has been delegated a specific top-level domain name and is responsible for administering the top-level domain name, including the registration of domain names under the top-level domain name and the technical operation of the top-level domain name, including the operation of its name servers, the maintenance of its databases and the distribution of top-level domain name zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where top-level domain names are used by a registry only for its own use;
22)
“entity providing domain name registration services” means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;
23)
“digital service” means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (30);
24)
“trust service” means a trust service as defined in Article 3(16) of Regulation (EU) No 910/2014;
25)
“trust service provider” means a trust service provider as defined in Article 3(19) of Regulation (EU) No 910/2014;
26)
“qualified trust service” means a qualified trust service as defined in Article 3(17) of Regulation (EU) No 910/2014;
27)
“qualified trust service provider” means a qualified trust service provider as defined in Article 3(20) of Regulation (EU) No 910/2014;
28)
“online marketplace” means an online marketplace as defined in Article 2(n) of Directive 2005/29/EC of the European Parliament and of the Council (31);
29)
“online search engine” means an online search engine as defined in Article 2(5) of Regulation (EU) 2019/1150 of the European Parliament and of the Council (32);
30)
“cloud computing service” means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;
31)
“data center service” means a service comprising structures or groups of structures intended for the centralized accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services, together with all facilities and energy distribution and environmental control infrastructures;
32)
“content delivery network” means a network of geographically distributed servers for the purpose of providing high availability, accessibility or rapid delivery of digital content and services to Internet users on behalf of content and service providers;
33)
“social networking services platform” means a platform that allows end users to connect, share, discover and interact with each other across multiple devices, in particular through chats, posts, videos and recommendations;
34)
“representative” means a natural or legal person established in the Union who is explicitly designated to act on behalf of a DNS service provider, a top-level domain name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, an online search engine or a social networking services platform that is not established in the Union, and who may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to that entity's obligations under this Directive;
35)
“public authority” means an entity recognized as such in a Member State in accordance with national law, with the exception of the judiciary, parliaments and central banks, and which meets the following criteria:
a)
it was established to meet needs of general interest and has no industrial or commercial character;
b)
it has legal personality or is legally permitted to act on behalf of another entity with legal personality;
c)
it is financed, for the most part, by the State, regional authorities or other public law bodies, is subject to management supervision by those authorities or bodies, or has an administrative, management or supervisory board more than half of whose members are appointed by the State, regional authorities or other public law bodies;
d)
it has the power to take administrative or regulatory decisions regarding natural or legal persons affecting their rights to the cross-border movement of persons, goods, services or capital;
36)
“public electronic communications network” means a public electronic communications network as defined in Article 2(8) of Directive (EU) 2018/1972;
37)
“electronic communications service” means an electronic communications service as defined in Article 2(4) of Directive (EU) 2018/1972;
38)
“entity” means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;
39)
“managed service provider” means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely;
40)
“managed security service provider” means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;
41)
“research organization” means an entity whose principal purpose is to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, excluding educational institutions.
CHAPTER II
COORDINATED CYBERSECURITY FRAMEWORKS
Article 7
National cybersecurity strategy
1. Each Member State shall adopt a national cybersecurity strategy that sets out the strategic objectives, the resources necessary to achieve those objectives, and appropriate policy and regulatory measures, to achieve and maintain a high level of cybersecurity. The national cybersecurity strategy includes:
a)
objectives and priorities of the Member State's cybersecurity strategy, in particular in the sectors referred to in Annexes I and II;
b)
a governance framework to achieve the objectives and priorities referred to in point (a) of this paragraph, including the policies referred to in paragraph 2;
c)
a governance framework that clarifies the roles and responsibilities of relevant stakeholders at national level, underpinning cooperation and coordination at national level between competent authorities, central contact points and CSIRTs under this Directive, as well as coordination and cooperation between those bodies and authorities competent under sector-specific legal acts of the Union;
d)
a mechanism to identify relevant assets and an assessment of the risks in that Member State;
e)
an inventory of measures to ensure preparedness, response and recovery from incidents, including cooperation between the public and private sectors;
f)
a list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy;
g)
a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of sharing information on risks, cyber threats and incidents as well as on non-cyber risks, threats and incidents, and, where appropriate, for the exercise of supervisory tasks;
h)
a plan, including the necessary measures, to improve the general level of cybersecurity awareness among citizens.
2. As part of the national cybersecurity strategy, Member States shall in particular adopt policies:
a)
on cybersecurity in the supply chain for ICT products and ICT services used by entities to provide their services;
b)
on including and specifying cybersecurity-related requirements for ICT products and ICT services in public procurement, including with regard to cybersecurity certification, encryption and the use of open source cybersecurity products;
c)
for the management of vulnerabilities, including the promotion and facilitation of coordinated disclosure of vulnerabilities under Article 12(1);
d)
on maintaining the general availability, integrity and confidentiality of the public core of the open Internet, including, where appropriate, the cybersecurity of submarine communications cables;
e)
to promote the development and integration of relevant advanced technologies for the application of advanced cybersecurity risk management measures;
f)
to promote and develop cybersecurity education and training, cybersecurity skills, awareness and research and development initiatives, as well as guidance on good practices and controls in cyber hygiene, aimed at citizens, stakeholders and entities;
g)
supporting academic and research institutions in developing, strengthening and promoting the deployment of cybersecurity tools and secure network infrastructure;
h)
including relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law;
i)
to strengthen the digital resilience and basic level of cyber hygiene of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs;
j)
for promoting active cyber protection.
3. Member States shall notify their national cybersecurity strategies to the Commission within three months of their adoption. Member States may exclude information related to their national security from such notifications.
4. Member States shall assess their national cybersecurity strategies on a regular basis and at least every five years on the basis of key performance indicators, and shall update them where necessary. ENISA shall assist Member States, at their request, in developing or updating a national cybersecurity strategy and the key performance indicators for assessing that strategy, in order to align it with the requirements and obligations laid down in this Directive.
Article 8
Competent authorities and central contact points
1. Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks referred to in Chapter VII of this Directive (competent authorities).
2. The competent authorities referred to in paragraph 1 shall monitor the implementation of this Directive at national level.
3. Each Member State shall designate or establish a central contact point. Where a Member State designates or establishes only one competent authority under paragraph 1, that competent authority shall also be the single point of contact for that Member State.
4. Each central contact point shall exercise a liaison function to ensure cross-border cooperation of its Member State's authorities with the relevant authorities of other Member States and, where appropriate, with the Commission and ENISA, as well as to ensure cross-sectoral cooperation with other competent authorities within its Member State.
5. Member States shall ensure that their competent authorities and central contact points have sufficient resources to carry out the tasks assigned to them effectively and efficiently and thus achieve the objectives of this Directive.
6. Each Member State shall immediately inform the Commission of the identity of the competent authority referred to in paragraph 1 and of the central contact point referred to in paragraph 3, of the tasks of those authorities and of any subsequent changes thereto. Each Member State shall make public the identity of its competent authority. The Commission shall make a list of the central contact points available to the public.
Article 9
National frameworks for cyber crisis management
1. Each Member State shall designate or establish one or more competent authorities responsible for the management of large-scale cybersecurity incidents and crises (cyber crisis management authorities). Member States shall ensure that those authorities have sufficient resources to carry out the tasks assigned to them effectively and efficiently. Member States shall ensure coherence with existing frameworks for general national crisis management.
2. Where a Member State designates or establishes more than one cyber crisis management authority under paragraph 1, it shall clearly indicate which of those competent authorities should serve as coordinator for the management of large-scale cyber security incidents and crises.
3. Each Member State shall determine the capabilities, resources and procedures that may be deployed in the event of a crisis for the purposes of this Directive.
4. Each Member State shall adopt a national large-scale cybersecurity incident and crisis response plan setting out the objectives of and arrangements for the management of large-scale cybersecurity incidents and crises. That plan shall lay down, in particular:
a)
the objectives of national preparedness measures and activities;
b)
the roles and responsibilities of the cyber crisis management authorities;
c)
the cyber crisis management procedures, including their integration into the overall national crisis management framework and information exchange channels;
d)
the national preparedness measures, including exercises and training activities;
e)
the relevant public and private stakeholders and infrastructure involved;
f)
the national procedures and arrangements between the relevant national authorities and bodies to ensure the effective participation of the Member State in the coordinated management and support of large-scale cybersecurity incidents and crises at Union level.
5. Within three months of the designation or establishment of the cyber crisis management authority referred to in paragraph 1, each Member State shall notify the Commission of the identity of its authority and of any subsequent changes thereto. Within three months of the adoption of their national large-scale cybersecurity incident and crisis response plans, Member States shall submit to the Commission and to the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) relevant information relating to the requirements of paragraph 4 on those plans. Member States may omit information if and to the extent that such omission is necessary for their national security.
Article 10
Computer security incident response teams (CSIRTs)
1. Each Member State shall designate or establish one or more CSIRTs. The CSIRTs may be designated or established within a competent authority. The CSIRTs shall comply with the requirements set out in Article 11(1), shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance with a well-defined process.
2. Member States shall ensure that each CSIRT has sufficient resources to effectively carry out its tasks referred to in Article 11(3).
3. Member States shall ensure that each CSIRT has an appropriate, secure and resilient communications and information infrastructure allowing the exchange of information with essential and important entities and other relevant stakeholders. To this end, Member States shall ensure that each CSIRT contributes to the deployment of secure information sharing tools.
4. CSIRTs shall cooperate and, where appropriate, exchange relevant information in accordance with Article 29 with sectoral or cross-sectoral communities of essential and important entities.
5. CSIRTs shall participate in peer reviews organized in accordance with Article 19.
6. Member States shall ensure effective, efficient and secure cooperation of their CSIRTs in the CSIRT network.
7. The CSIRTs may establish cooperative relationships with the national computer security incident response teams of third countries. In the context of such cooperative relationships, Member States shall facilitate effective, efficient and secure information exchange with those national computer security incident response teams of third countries, using relevant information exchange protocols, including the traffic light protocol. The CSIRTs may exchange relevant information with national computer security incident response teams of third countries, including personal data in accordance with Union data protection law.
8. The CSIRTs may cooperate with national computer security incident response teams of third countries or equivalent bodies of third countries, in particular to provide them with cybersecurity assistance.
9. Each Member State shall, without undue delay, notify the Commission of the identity of the CSIRT referred to in paragraph 1 of this Article and of the CSIRT designated as coordinator pursuant to Article 12(1), of their respective tasks in relation to essential and important entities, and of any subsequent changes thereto.
10. Member States may request the assistance of ENISA in developing their CSIRTs.
Article 11
Requirements, technical capabilities and tasks of the CSIRTs
1. The CSIRTs shall comply with the following requirements:
a)
the CSIRTs ensure a high level of availability of their communication channels by avoiding single points of failure, and have several means by which they can be contacted and can contact others at all times; they clearly specify the communication channels and make them known to their constituency and cooperation partners;
b)
the premises and work areas of the CSIRTs and the supporting information systems are located in secure locations;
c)
CSIRTs shall be equipped with an adequate request management and routing system to ensure effective and efficient transfers;
d)
the CSIRTs guarantee the confidentiality and reliability of their activities;
e)
CSIRTs shall be sufficiently staffed to ensure the availability of their services at all times and shall ensure that their staff are appropriately trained;
f)
the CSIRTs are equipped with redundant systems and backup working space to ensure the continuity of their services.
The CSIRTs can participate in international cooperation networks.
2. Member States shall ensure that their CSIRTs jointly have the necessary technical capabilities to carry out the tasks referred to in paragraph 3. Member States shall ensure that sufficient resources are allocated to their CSIRTs to ensure that CSIRTs have sufficient staff to develop their technical capabilities.
3. The CSIRTs shall have the following tasks:
a)
monitoring and analyzing cyber threats, vulnerabilities and incidents at national level, and, upon request, providing assistance to relevant essential and important entities with regard to real-time or near-real-time monitoring of their network and information systems;
b)
providing early warnings, notifications and announcements and disseminating information to relevant essential and important entities and to competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents, in near real-time where possible;
c)
responding to incidents and providing assistance to the essential and important entities involved, as appropriate;
d)
collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity;
e)
at the request of an essential or important entity: proactively scanning the network and information systems of the entity concerned to detect vulnerabilities with potentially significant consequences;
f)
participating in the CSIRT network and, in accordance with their capacities and competences, providing mutual assistance to other members of the network at their request;
g)
where applicable, acting as a coordinator for the coordinated vulnerability disclosure process referred to in Article 12(1);
h)
contributing to the deployment of secure information sharing tools under Article 10(3).
The CSIRTs may engage in proactive and non-intrusive scanning of publicly accessible network and information systems of essential and important entities. Such scanning is performed to detect vulnerable or insecurely configured network and information systems and to inform the involved entities. Such scanning should not have a negative impact on the operation of the entities' services.
When carrying out the tasks referred to in the first subparagraph, CSIRTs may, based on a risk-based approach, prioritize certain tasks.
4. CSIRTs shall establish cooperative relationships with relevant stakeholders in the private sector in order to achieve the objectives of this Directive.
5. In order to facilitate the cooperation referred to in paragraph 4, CSIRTs shall promote the introduction and use of common or standardized practices, classification schemes and taxonomies relating to:
a)
incident handling procedures;
b)
crisis management; and
c)
coordinated disclosure of vulnerabilities under Article 12(1).
Article 12
Coordinated disclosure of vulnerabilities and a European vulnerability database
1. Each Member State shall designate one of its CSIRTs as a coordinator for the purposes of coordinated vulnerability disclosure. The CSIRT designated as coordinator shall act as a trusted intermediary, facilitating, where necessary, the interaction between the natural or legal person reporting a vulnerability and the manufacturer or provider of the potentially vulnerable ICT products or ICT services, upon the request of either party. The tasks of the CSIRT designated as coordinator shall include:
a)
identifying and contacting the entities involved;
b)
assisting the natural or legal persons reporting a vulnerability; and
c)
negotiating disclosure timelines, and managing vulnerabilities affecting multiple entities.
Member States shall ensure that natural or legal persons can report a vulnerability, anonymously upon request, to the CSIRT designated as coordinator. The CSIRT designated as coordinator ensures that careful follow-up is given to the reported vulnerability and guarantees the anonymity of the natural or legal person reporting the vulnerability. Where a reported vulnerability may have a significant impact on entities in more than one Member State, the designated CSIRT of each Member State concerned shall, where appropriate, cooperate with other designated CSIRTs within the CSIRT network.
2. ENISA, after consulting the Cooperation Group, shall develop and maintain a European vulnerability database. To this end, ENISA shall establish and maintain appropriate information systems, policies and procedures, as well as the necessary technical and organisational measures to ensure the security and integrity of the European vulnerability database, in particular to enable entities, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems, to disclose and register, on a voluntary basis, publicly known vulnerabilities in ICT products or ICT services. All stakeholders shall have access to the vulnerability information included in the European vulnerability database. That database shall include:
a)
information describing the vulnerability;
b)
the affected ICT products or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited;
c)
the availability of related patches and, in the absence of available patches, guidance provided by competent authorities or CSIRTs to users of vulnerable ICT products and ICT services on how to mitigate risks arising from disclosed vulnerabilities.
Article 13
Cooperation at national level
1. Where they are separate, the competent authorities, the central contact point and the CSIRTs of the same Member State shall cooperate with each other with regard to the fulfilment of the obligations laid down in this Directive.
2. Member States shall ensure that their CSIRTs or, where appropriate, their competent authorities, receive notifications of significant incidents under Article 23, and of incidents, cyber threats and near misses under Article 30.
3. Member States shall ensure that their CSIRTs or, where appropriate, their competent authorities, inform their central contact points of incident, cyber threat and near miss reports submitted under this Directive.
4. In order to ensure that the tasks and obligations of the competent authorities, the central contact points and the CSIRTs are carried out effectively, Member States shall ensure, to the extent possible, appropriate cooperation between those bodies and law enforcement authorities, data protection authorities, the national authorities under Regulations (EC) No 300/2008 and (EU) 2018/1139, the supervisory bodies under Regulation (EU) No 910/2014, the competent authorities under Regulation (EU) 2022/2554, the national regulatory authorities under Directive (EU) 2018/1972, the competent authorities under Directive (EU) 2022/2557, as well as the competent authorities under other sector-specific Union legal acts, within that Member State.
5. Member States shall ensure that their competent authorities under this Directive and their competent authorities under Directive (EU) 2022/2557 cooperate and regularly exchange information on the designation of entities as critical, on risks, cyber threats and incidents, as well as on non-cyber risks, threats and incidents affecting essential entities identified as critical entities under Directive (EU) 2022/2557, and on the measures taken in response to such risks, threats and incidents. Member States shall also ensure that their competent authorities under this Directive and their competent authorities under Regulation (EU) No 910/2014, Regulation (EU) 2022/2554 and Directive (EU) 2018/1972 regularly exchange relevant information, including with regard to relevant incidents and cyber threats.
6. Member States shall simplify reporting by technical means for the notifications referred to in Articles 23 and 30.
CHAPTER III
COOPERATION AT UNION AND INTERNATIONAL LEVEL
Article 14
Cooperation Group
1. To support and facilitate strategic cooperation and exchange of information between Member States, as well as to enhance trust, a Cooperation Group is hereby established.
2. The cooperation group shall carry out its tasks on the basis of the biennial work programs referred to in paragraph 7.
3. The cooperation group shall consist of representatives of the Member States, the Commission and ENISA. The European External Action Service participates in the activities of the Cooperation Group as an observer. The European Supervisory Authorities (ESAs) and the competent authorities under Regulation (EU) 2022/2554 may participate in the activities of the cooperation group in accordance with Article 47(1) of that Regulation.
Where appropriate, the Cooperation Group may invite the European Parliament and representatives of relevant stakeholders to participate in its work.
The secretariat shall be provided by the Commission.
4. The cooperation group shall have the following tasks:
a)
providing guidance to the competent authorities regarding the transposition and implementation of this Directive;
b)
providing guidance to competent authorities on the development and implementation of the coordinated vulnerability disclosure policy referred to in Article 7(2)(c);
c)
exchanging best practices and information related to the implementation of this Directive, including on cyber threats, incidents, vulnerabilities, near misses, awareness initiatives, training, exercises and skills, capacity building, standards and technical specifications, as well as on designation of essential and important entities under Article 2(2)(b) to (e);
d)
exchanging advice and cooperating with the Commission on emerging cybersecurity policy initiatives and on the overall coherence of sector-specific cybersecurity requirements;
e)
exchanging advice and cooperating with the Commission on draft implementing or delegated acts adopted pursuant to this Directive;
f)
exchanging best practices and information with relevant Union institutions, bodies, offices and agencies;
g)
exchanging views on the implementation of sector-specific Union legal acts that contain provisions on cybersecurity;
h)
where applicable, discussing the reports of the peer review referred to in Article 19(9) and drawing up conclusions and recommendations;
i)
carrying out coordinated security risk assessments of critical supply chains in accordance with Article 22(1);
j)
discussing cases of mutual assistance, including experiences and results of cross-border joint surveillance actions referred to in Article 37;
k)
at the request of one or more Member States concerned, discussing specific requests for mutual assistance referred to in Article 37;
l)
providing strategic guidance to the CSIRT network and EU-CyCLONe on specific emerging issues;
m)
exchanging views on policies on the follow-up to large-scale cybersecurity incidents and crises, based on lessons learned from the CSIRT network and EU-CyCLONe;
n)
contributing to cybersecurity capabilities across the Union by facilitating the exchange of national officials through a capacity building program involving staff from the competent authorities or from the CSIRTs;
o)
organizing regular and joint meetings with relevant private stakeholders from across the Union to discuss the Cooperation Group's activities and gather input on emerging policy challenges;
p)
discussing work on cybersecurity exercises, including ENISA's work;
q)
establishing the methodology and organizational aspects of the peer reviews referred to in Article 19(1), as well as establishing the self-evaluation methodology for Member States in accordance with Article 19(5), with the assistance of the Commission and ENISA, and, in cooperation with the Commission and ENISA, developing codes of conduct to underpin the working methods of designated cybersecurity experts in accordance with Article 19(6);
r)
preparing reports on experience gained at strategic level and in peer reviews for the evaluation referred to in Article 40;
s)
regularly assessing the status of cyber threats or incidents, such as ransomware.
The cooperation group shall submit the reports referred to in point (r) of the first paragraph to the Commission, the European Parliament and the Council.
5. Member States shall ensure that their representatives cooperate effectively, efficiently and securely within the cooperation group.
6. The Cooperation Group may request a technical report on selected topics from the CSIRT network.
7. By 1 February 2024, and every two years thereafter, the Cooperation Group shall establish a work program on measures to be taken to implement its objectives and tasks.
8. The Commission may adopt implementing acts laying down the procedural arrangements necessary for the functioning of the cooperation group.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
The Commission shall exchange advice and cooperate with the cooperation group on the draft implementing acts referred to in the first and second subparagraphs of this Article, in accordance with paragraph 4(e).
9. The Cooperation Group shall meet regularly and in any event at least once a year with the Critical Entities Resilience Group established under Directive (EU) 2022/2557 to promote and facilitate strategic cooperation and the exchange of information.
Article 15
CSIRT network
1. In order to contribute to the development of confidence and to promote rapid and effective operational cooperation between Member States, a network of national CSIRTs is hereby established.
2. The CSIRT network shall be composed of representatives of the CSIRTs designated or established under Article 10 and the Computer Emergency Response Team for the Union institutions, bodies, offices and agencies (CERT-EU). The Commission shall participate in the CSIRT network as an observer. ENISA shall provide the secretariat and shall actively support the cooperation between the CSIRTs.
3. The CSIRT network shall have the following tasks:
a)
exchanging information on the capabilities of the CSIRTs;
b)
facilitating the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices, and frameworks between the CSIRTs;
c)
exchanging relevant information on incidents, near misses, cyber threats, risks and vulnerabilities;
d)
exchanging information on cybersecurity publications and recommendations;
e)
ensuring interoperability with regard to specifications and protocols for information exchange;
f)
at the request of a member of the CSIRT network that may be affected by an incident, exchanging and discussing information about that incident and the associated cyber threats, risks and vulnerabilities;
g)
at the request of a member of the CSIRT network, discussing and, where possible, implementing a coordinated response to an incident identified within the jurisdiction of that Member State;
h)
providing assistance to Member States in tackling cross-border incidents under this Directive;
i)
cooperating, exchanging best practices and providing assistance to the CSIRTs designated as coordinators under Article 12(1) in managing the coordinated disclosure of vulnerabilities that could have a significant impact on entities in more than one Member State;
j)
discussing and identifying further forms of operational cooperation, including with regard to:
i)
categories of cyber threats and incidents;
ii)
early warnings;
iii)
mutual assistance;
iv)
principles and arrangements for coordination in response to cross-border risks and incidents;
v)
at the request of a Member State, contributing to the national large-scale cybersecurity incident and crisis response plan referred to in Article 9(4);
k)
informing the Cooperation Group about its activities and further forms of operational cooperation discussed under point (j) and, if necessary, requesting guidance in that regard;
l)
taking stock of cybersecurity exercises, including those organized by ENISA;
m)
at the request of an individual CSIRT, discussing the capabilities and preparedness of that CSIRT;
n)
cooperating and exchanging information with Security Operations Centers (SOCs) at regional and Union level to improve common situational awareness of incidents and cyber threats across the Union;
o)
where applicable, discussing the peer review reports referred to in Article 19(9);
p)
providing guidance to facilitate the convergence of operational practices when applying the provisions of this Article on operational cooperation.
4. By 17 January 2025, and every two years thereafter, the CSIRT network shall, for the purposes of the review referred to in Article 40, assess the progress made with regard to operational cooperation and draw up a report. The report shall, in particular, draw conclusions and recommendations on the basis of the outcome of the peer reviews referred to in Article 19 carried out in relation to the national CSIRTs. That report shall be submitted to the Cooperation Group.
5. The CSIRT network shall establish its rules of procedure.
6. The CSIRT Network and EU-CyCLONe shall agree on procedural arrangements and cooperate on this basis.
Article 16
The European Cyber Crisis Liaison Organisation Network (EU-CyCLONe)
1. EU-CyCLONe is established to support the coordinated management of large-scale cybersecurity incidents and crises at operational level and to ensure the regular exchange of relevant information between Member States and the Union institutions, bodies, offices and agencies.
2. EU-CyCLONe shall be composed of the representatives of the Member States' cyber crisis management authorities as well as, in cases where a potential or ongoing large-scale cybersecurity incident has or is likely to have a significant impact on services and activities falling within the scope of this Directive, the Commission. In other cases, the Commission shall participate in the activities of EU-CyCLONe as an observer.
ENISA provides the secretariat of EU-CyCLONe, supports the secure exchange of information and provides the necessary tools to support cooperation between Member States for the secure exchange of information.
If necessary, EU-CyCLONe may invite representatives of stakeholders to participate in its work as observers.
3. The tasks of EU-CyCLONe shall be to:
a)
increase the level of preparedness in managing large-scale cybersecurity incidents and crises;
b)
develop shared situational awareness for large-scale cybersecurity incidents and crises;
c)
assess the consequences and impact of relevant large-scale cybersecurity incidents and crises and propose possible mitigation measures;
d)
coordinate the management of large-scale cybersecurity incidents and crises and support decision-making at political level regarding such incidents and crises;
e)
at the request of a Member State concerned, discuss the national large-scale cybersecurity incident and crisis response plans referred to in Article 9(4).
4. EU-CyCLONe shall adopt its rules of procedure.
5. EU-CyCLONe shall regularly report to the Cooperation Group on the management of large-scale cybersecurity incidents and crises, as well as trends, paying particular attention to their impact on essential and important entities.
6. EU-CyCLONe shall cooperate with the CSIRT network on the basis of agreed procedural arrangements as set out in Article 15(6).
7. By 17 July 2024 and every 18 months thereafter, EU-CyCLONe shall submit an assessment report on its activities to the European Parliament and the Council.
Article 17
International cooperation
The Union may, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in particular activities of the Cooperation Group, the CSIRT network and EU-CyCLONe. Such agreements shall comply with Union data protection law.
Article 18
Report on the state of cybersecurity in the Union
1. ENISA, in cooperation with the Commission and the Cooperation Group, shall prepare a biennial report on the state of cybersecurity in the Union and submit it to the European Parliament. The report shall, among other things, be made available in machine-readable data and contain the following:
a)
an assessment of cybersecurity risks at Union level, taking into account the cyber threat landscape;
b)
an assessment of the development of cybersecurity capabilities in the public and private sectors across the Union;
c)
an assessment of the general level of cybersecurity and cyber hygiene awareness among citizens and entities, including small and medium-sized enterprises;
d)
an aggregated assessment of the outcome of the peer reviews referred to in Article 19;
e)
an aggregated assessment of the maturity level of cybersecurity capabilities and assets across the Union, including at sector level, and the extent to which Member States' national cybersecurity strategies are aligned.
2. The report shall contain specific policy recommendations to address deficiencies and increase the level of cybersecurity in the Union, and a summary of the findings on incidents and cyber threats for the specific period from the EU Cybersecurity Technical Situation Reports prepared by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
3. ENISA, in cooperation with the Commission, the Cooperation Group and the CSIRT Network, shall develop the methodology, including the relevant variables, such as quantitative and qualitative indicators, of the aggregated assessment referred to in paragraph 1(e).
Article 19
Peer reviews
1. By 17 January 2025, the Cooperation Group shall, with the assistance of the Commission, ENISA and, where relevant, the CSIRT network, establish the methodology and organisational aspects of peer reviews with a view to learning from shared experiences, strengthening mutual trust, achieving a high common level of cybersecurity and strengthening the cybersecurity capabilities and policies of the Member States necessary for the implementation of this Directive. Participation in peer reviews is voluntary. The peer reviews shall be conducted by cybersecurity experts. The cybersecurity experts shall be appointed by at least two Member States other than the Member State under evaluation.
The peer reviews shall cover at least one of the following:
a)
the level of implementation of the cybersecurity risk management measures and reporting obligations referred to in Articles 21 and 23;
b)
the level of capabilities, including available financial, technical and human resources, and the effectiveness of the performance of the tasks of the competent authorities;
c)
the operational capabilities of the CSIRTs;
d)
the level of implementation of the mutual assistance referred to in Article 37;
e)
the level of implementation of the framework for the exchange of information on cybersecurity referred to in Article 29;
f)
specific issues of a cross-border or cross-sectoral nature.
2. The methodology referred to in paragraph 1 shall include objective, non-discriminatory, fair and transparent criteria on the basis of which Member States shall designate cybersecurity experts eligible to carry out the peer reviews. The Commission and ENISA participate as observers in the peer reviews.
3. Member States may submit specific issues referred to in paragraph 1(f) for peer review.
4. Before the start of a peer review as referred to in paragraph 1, Member States shall notify the participating Member States of its scope, including the specific issues submitted pursuant to paragraph 3.
5. Before the start of the peer review, Member States may carry out a self-assessment of the aspects evaluated and provide that self-assessment to the designated cybersecurity experts. The Cooperation Group, assisted by the Commission and ENISA, shall establish the methodology for Member States' self-assessment.
6. The peer reviews shall include physical or virtual on-site visits and off-site information exchanges. In accordance with the principle of good cooperation, the Member State subject to a peer review shall provide the designated cybersecurity experts with the information necessary for the assessment, without prejudice to Union or national law on the protection of confidential or classified information and the protection of essential State functions, such as national security. The Cooperation Group, in cooperation with the Commission and ENISA, shall develop appropriate codes of conduct to support the working methods of the designated cybersecurity experts. Any information obtained through the peer review shall be used solely for that purpose. The cybersecurity experts participating in the peer review shall not disclose to third parties any sensitive or confidential information obtained through that peer review.
7. After a Member State has been subject to a peer review, the same aspects evaluated in that Member State shall not be subject to a peer review for the two years following the conclusion of the peer review, unless the Member State so requests or unless it is agreed following a proposal from the cooperation group.
8. Member States shall ensure that any risk of conflict of interest regarding the designated cybersecurity experts is reported to the other Member States, the Cooperation Group, the Commission and ENISA before the start of the peer review. The Member State subject to peer review may object to the appointment of certain cybersecurity experts for duly justified reasons which shall be communicated to the Member State appointing the experts.
9. Cybersecurity experts participating in peer reviews shall prepare reports on the findings and conclusions of the peer reviews. Member States subject to peer review may comment on draft reports concerning them and those comments will be attached to the reports. The reports contain recommendations to enable improvement of the aspects included in the peer review. The reports shall be submitted to the Cooperation Group and the CSIRT Network when relevant. A Member State subject to peer review may decide to make public its report or an edited version thereof.
CHAPTER IV
CYBERSECURITY RISK MANAGEMENT MEASURES AND REPORTING OBLIGATIONS
Article 20
Governance
1. Member States shall ensure that the governing bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities to comply with Article 21, monitor their implementation and are liable for infringements by the entities of that Article.
The application of this paragraph shall be without prejudice to national law regarding the liability rules applicable to public authorities and to the liability of public officials and elected or appointed public officials.
2. Member States shall ensure that members of the governing bodies of essential and important entities are subject to training, and shall encourage essential and important entities to regularly provide similar training to their employees, so that they acquire sufficient knowledge and skills to identify risks and to assess cybersecurity risk management practices and their implications for the services provided by the entity.
Article 21
Cybersecurity risk management measures
1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of the network and information systems used by those entities for their activities or for the provision of their services and to prevent incidents or limit the consequences of incidents for the recipients of their services and for other services.
Taking into account the state of the art and, where applicable, the relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
2. The measures referred to in paragraph 1 shall be based on an all-hazards approach aimed at protecting network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
a)
policies on risk analysis and information system security;
b)
incident handling;
c)
business continuity, such as backup management and contingency plans, and crisis management;
d)
the security of the supply chain, including security-related aspects relating to the relationships between each entity and its direct suppliers or service providers;
e)
security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure;
f)
policies and procedures to assess the effectiveness of cybersecurity risk management measures;
g)
basic cyber hygiene practices and cybersecurity training;
h)
policies and procedures regarding the use of cryptography and, where appropriate, encryption;
i)
security aspects regarding personnel, access policies and asset management;
j)
when appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communications systems within the entity.
3. Member States shall ensure that, when considering which measures referred to in paragraph 2(d) of this Article are appropriate, entities take into account the specific vulnerabilities of each direct supplier and service provider and the overall quality of the products and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in point (d) of paragraph 2 are appropriate, entities take into account the results of coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).
4. Member States shall ensure that an entity which finds that it is not complying with the measures referred to in paragraph 2 takes without delay all necessary, appropriate and proportionate corrective measures.
5. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and methodological requirements of the measures referred to in paragraph 2 in relation to DNS service providers, top-level domain name registries, cloud computing service providers, data center providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking service providers and trust service providers.
The Commission may adopt implementing acts laying down the technical and methodological requirements and, where necessary, the sectoral requirements for the measures referred to in paragraph 2 in relation to essential and important entities other than those referred to in the first subparagraph of this paragraph.
When preparing the implementing acts referred to in the first and second subparagraphs of this paragraph, the Commission shall follow European and international standards and the relevant technical specifications to the greatest extent possible. The Commission shall exchange advice and cooperate with the Cooperation Group and ENISA on the draft implementing acts in accordance with Article 14(4)(e).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Article 22
Union-level coordinated security risk assessments of critical supply chains
1. The Cooperation Group may, in cooperation with the Commission and ENISA, conduct coordinated security risk assessments of specific critical ICT services, ICT systems or ICT product supply chains, taking into account technical and, where applicable, non-technical risk factors.
2. After consulting the Cooperation Group and ENISA and, where necessary, relevant stakeholders, the Commission shall identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.
Article 23
Reporting obligations
1. Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4 of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 (significant incident). Where appropriate, the entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services. Each Member State shall ensure that those entities report, inter alia, any information enabling the CSIRT or, where applicable, the competent authority to determine any cross-border impact of the incident. The mere act of notification shall not subject the notifying entity to increased liability.
Where the entities concerned report a significant incident to the competent authority in accordance with the first subparagraph, the Member State shall ensure that that competent authority forwards the report to the CSIRT upon receipt.
In the event of a cross-border or cross-sectoral significant incident, Member States shall ensure that relevant information reported in accordance with paragraph 4 is provided to their central contact points in a timely manner.
2. Where applicable, Member States shall ensure that essential and important entities communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat any measures that those recipients are able to take in response to that threat. Where appropriate, the entities shall also inform those recipients of the significant cyber threat itself.
3. An incident is considered significant if it:
a)
causes or may cause serious operational disruption of services or financial losses for the entity concerned;
b)
has affected or may affect other natural or legal persons by causing significant material or immaterial damage.
4. Member States shall ensure that, for the notification referred to in paragraph 1, the entities concerned submit to the CSIRT or, where applicable, the competent authority:
a)
without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
b)
without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident report which, where applicable, updates the information referred to in point (a) and indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise;
c)
upon the request of the CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates;
d)
no later than one month after the submission of the incident report referred to in point (b), a final report containing the following:
i)
a detailed description of the incident, including its severity and consequences;
ii)
the type of threat or root cause that likely led to the incident;
iii)
applied and ongoing risk mitigation measures;
iv)
where applicable, the cross-border consequences of the incident;
e)
in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that the entities concerned submit a progress report at that time and a final report within one month of their handling of the incident.
By way of derogation from point (b) of the first subparagraph, a trust service provider shall, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT or, where applicable, the competent authority without undue delay and in any event within 24 hours of becoming aware of the significant incident.
5. The CSIRT or the competent authority shall provide a response to the reporting entity, including initial feedback on the significant incident and, on request from the entity, guidance or operational advice for the implementation of possible risk mitigation measures. Where the CSIRT has not received the notification referred to in paragraph 1 first, guidance shall be provided by the competent authority in cooperation with the CSIRT. The CSIRT shall provide additional technical support if requested by the entity concerned. Where the significant incident is suspected to be of a criminal nature, the CSIRT or the competent authority shall also provide guidance on reporting the significant incident to law enforcement authorities.
6. Where appropriate, and in particular where the significant incident affects two or more Member States, the CSIRT, the competent authority or the central contact point shall without delay inform the other affected Member States and ENISA of the significant incident. That information shall include the type of information received in accordance with paragraph 4. In doing so, the CSIRT, the competent authority or the central contact point shall, in accordance with Union or national law, protect the security and commercial interests of the entity, as well as the confidentiality of the information provided.
7. Where public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or where disclosure of the significant incident is otherwise in the public interest, a Member State's CSIRT or, where applicable, its competent authority, and, where appropriate, the CSIRTs or the competent authorities of other Member States concerned may, after consulting the entity concerned, inform the public about the significant incident or require the entity to do so.
8. At the request of the CSIRT or the competent authority, the central contact point shall forward the notifications received under paragraph 1 to the central contact points of the other Member States concerned.
9. The single point of contact shall submit to ENISA every three months a summary report containing anonymised and aggregated data on significant incidents, incidents, cyber threats and near misses reported in accordance with paragraph 1 of this Article and in accordance with Article 30. To contribute to the provision of comparable information, ENISA may establish technical guidelines on the parameters of the information to be included in the summary report. ENISA shall inform the Cooperation Group and the CSIRT Network every six months of its findings on the notifications received.
10. The CSIRTs or, where applicable, the competent authorities shall provide the competent authorities under Directive (EU) 2022/2557 with information about significant incidents, cyber threats and near misses notified in accordance with paragraph 1 of this Article and with Article 30 by entities identified as critical entities under Directive (EU) 2022/2557.
11. The Commission may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraph 1 of this Article and to Article 30 and of a communication submitted pursuant to paragraph 2 of this Article.
By 17 October 2024, the Commission shall, with regard to DNS service providers, top-level domain name registries, cloud computing service providers, data center providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, adopt implementing acts further specifying the cases in which an incident is considered significant as referred to in paragraph 3. The Commission may adopt such implementing acts in respect of other essential and important entities.
The Commission shall exchange advice and cooperate with the cooperation group on the draft implementing acts referred to in the first and second subparagraphs of this Article in accordance with Article 14(4)(e).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Article 24
Use of European cybersecurity certification schemes
1. In order to demonstrate compliance with certain requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. Furthermore, Member States shall encourage essential and important entities to use qualified trust services.
2. The Commission is empowered to adopt delegated acts in accordance with Article 38 to supplement this Directive by determining which categories of essential and important entities are required to use certain ICT products, ICT services and ICT processes or to obtain a certificate under a European cybersecurity scheme established under Article 49 of Regulation (EU) 2019/881. Those delegated acts shall be adopted where the level of cybersecurity has been identified as insufficient and shall provide for an implementation period.
Before adopting such delegated acts, the Commission shall carry out an impact assessment and consultations in accordance with Article 56 of Regulation (EU) 2019/881.
3. Where no appropriate European cybersecurity certification scheme for the purposes of paragraph 2 of this Article is available, the Commission may, after consulting the Cooperation Group and the European Cybersecurity Certification Group, request ENISA to prepare a candidate scheme pursuant to Article 48(2) of Regulation (EU) 2019/881.
Article 25
Standardisation
1. In order to promote the convergent implementation of Article 21(1) and (2), Member States shall, without imposing or favoring the use of any particular type of technology, encourage the use of European and international standards and technical specifications that are relevant for the security of network and information systems.
2. ENISA, in cooperation with the Member States and, where appropriate, after consultation with relevant stakeholders, shall develop opinions and guidelines on the technical areas to be taken into account in relation to paragraph 1, as well as on pre-existing standards, including national standards, which allow these areas to be covered.
CHAPTER V
JURISDICTION AND REGISTRATION
Article 26
Jurisdiction and territoriality
1. Entities falling within the scope of this Directive shall be considered to fall under the jurisdiction of the Member State in which they are established, except in the case of:
a)
providers of public electronic communications networks or providers of publicly available electronic communications services, which shall be considered to fall under the jurisdiction of the Member State in which they provide their services;
b)
DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data center providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or platforms for social networking services, which are deemed to fall under the jurisdiction of the Member State where they have their main establishment in the Union in accordance with paragraph 2;
c)
public authorities, which are deemed to fall under the jurisdiction of the Member State that established them.
2. For the purposes of this Directive, an entity referred to in point (b) of paragraph 1 shall be deemed to have its main establishment in the Union in the Member State where decisions regarding cybersecurity risk management measures are mainly taken. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment shall be deemed to be located in the Member State where cybersecurity activities are carried out. If such a Member State cannot be determined, the main establishment shall be deemed to be located in the Member State where the entity concerned has the establishment with the largest number of employees in the Union.
3. Where an entity referred to in point (b) of paragraph 1 is not established in the Union but provides services in the Union, it shall designate a representative in the Union. The representative is established in one of the Member States where the services are offered. This entity is deemed to be under the jurisdiction of the Member State where the representative is established. In the absence of a representative in the Union designated in accordance with this paragraph, any Member State in which the entity provides services may take legal action against the entity for infringement of this Directive.
4. The designation of a representative by an entity referred to in point (b) of paragraph 1 shall be without prejudice to legal actions which could be initiated against the entity itself.
5. Member States that have received a request for mutual assistance in respect of an entity referred to in point (b) of paragraph 1 may, within the limits of that request, take appropriate supervisory and enforcement measures in respect of the entity concerned that provides services on their territory or that has a network and information system located on their territory.
Article 27
Registry of entities
1. ENISA shall create and maintain a register of DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data center providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines and social networking service platforms, based on the information received from the central contact points in accordance with paragraph 4. Upon request, ENISA shall provide competent authorities with access to that register, ensuring, where necessary, that the confidentiality of the information is protected.
2. Member States shall require the entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025:
a)
the name of the entity;
b)
the relevant sector, sub-sector and type of entity referred to in Annex I or II, as applicable;
c)
the address of the entity's principal place of business and its other legal establishments in the Union or, if not established in the Union, of its representative designated under Article 26(3);
d)
up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3);
e)
the Member States where the entity provides services, and
f)
the entity's IP ranges.
3. Member States shall ensure that the entities referred to in paragraph 1 notify the competent authority of any changes to the details they submitted under paragraph 2 without delay and in any event within three months of the date on which the change took effect.
4. Upon receipt of the information referred to in paragraphs 2 and 3, with the exception of the information referred to in point (f) of paragraph 2, the central contact point of the Member State concerned shall transmit it to ENISA without undue delay.
5. Where applicable, the information referred to in paragraphs 2 and 3 of this Article shall be submitted through the national mechanism referred to in the fourth subparagraph of Article 3(4).
Article 28
Database of domain name registration data
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall require top-level domain name registries and entities providing domain name registration services to collect and maintain, with due diligence, accurate and complete domain name registration data in a dedicated database in accordance with Union data protection law as regards data which are personal data.
2. For the purposes of paragraph 1, Member States shall require the database of domain name registration data to contain the necessary information to identify and contact the holders of the domain names and the points of contact administering the domain names under the top-level domain names. That information shall include:
a)
the domain name;
b)
the date of registration;
c)
the registrant's name, email address and telephone number;
d)
the email address and telephone number of the contact point managing the domain name, if different from those of the registrant.
3. Member States shall require that top-level domain name registries and entities providing domain name registration services have policies and procedures, including verification procedures, in place to ensure that the databases referred to in paragraph 1 contain accurate and complete information. Member States shall require that these policies and procedures be made public.
4. Member States shall require that top-level domain name registries and entities providing domain name registration services make public domain name registration data that is not personal data without undue delay after the registration of a domain name.
5. Member States shall require the top-level domain name registries and the entities providing domain name registration services to provide access to specific domain name registration data upon lawful and duly substantiated requests by legitimate access seekers, in accordance with Union data protection law. Member States shall require the top-level domain name registries and the entities providing domain name registration services to reply to requests for access without undue delay and in any event within 72 hours of receipt of the request. Member States shall require that policies and procedures with regard to the disclosure of such data be made publicly available.
6. Compliance with the obligations set out in paragraphs 1 to 5 shall not result in the need to collect domain name registration data twice. To this end, Member States shall require top-level domain name registries and entities providing domain name registration services to cooperate with each other.
CHAPTER VI
INFORMATION EXCHANGE
Article 29
Information sharing arrangements in the field of cybersecurity
1. Member States shall ensure that entities within the scope of this Directive and, where applicable, other entities not within the scope of this Directive, can, on a voluntary basis, exchange relevant cybersecurity information among themselves, including information on cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise, adversary tactics, threat actor-specific information, cybersecurity alerts and recommendations on the configuration of cybersecurity tools to detect cyber-attacks, where such information sharing:
a)
aims to prevent, detect, respond to or recover from incidents or limit their consequences;
b)
enhances the level of cybersecurity, in particular by raising awareness of cyber threats, limiting or impeding the ability of such threats to spread, supporting a range of defensive capabilities, vulnerability remediation and disclosure, threat detection, containment and prevention techniques, mitigation strategies, or response and recovery stages, or by promoting collaborative cyber threat research between public and private entities.
2. Member States shall ensure that information exchange takes place within communities of essential and important entities and, where applicable, their suppliers or service providers. That exchange shall be carried out through cybersecurity information sharing arrangements, taking into account the potentially sensitive nature of the information exchanged.
3. Member States shall facilitate the establishment of the cybersecurity information sharing arrangements referred to in paragraph 2 of this Article. Such arrangements may specify the operational elements, including the use of dedicated ICT platforms and automation tools, the content and the conditions of the information sharing arrangements. In laying down the details of the involvement of public authorities in such arrangements, Member States may impose conditions on the information made available by the competent authorities or the CSIRTs. Member States shall offer assistance for the application of such arrangements in accordance with their policies referred to in Article 7(2), point (h).
4. Member States shall ensure that essential and important entities notify competent authorities of their participation in the cybersecurity information exchange arrangements referred to in paragraph 2 when entering into such arrangements or, where applicable, of their withdrawal from such arrangements, once the withdrawal takes effect.
5. ENISA shall support the implementation of the cybersecurity information exchange arrangements referred to in paragraph 2 by exchanging best practices and providing guidance.
Article 30
Voluntary reporting of relevant information
1. Member States shall ensure that, in addition to the reporting obligations provided for in Article 23, reports may be submitted on a voluntary basis to the CSIRTs or, where applicable, to the competent authorities by:
a)
essential and important entities regarding cyber threats and near misses;
b)
entities other than those referred to in point (a), regardless of whether they fall within the scope of this Directive, with regard to significant incidents, cyber threats and near misses.
2. Member States shall process the notifications referred to in paragraph 1 of this Article in accordance with the procedure laid down in Article 23. Member States may prioritise the processing of mandatory notifications over voluntary notifications.
Where necessary, CSIRTs and, where applicable, competent authorities shall provide the central contact points with information on notifications received under this Article, while ensuring the confidentiality and appropriate protection of the information provided by the notifying entity. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations on the notifying entity to which it would not have been subject had it not submitted the notification.
CHAPTER VII
SUPERVISION AND ENFORCEMENT
Article 31
General aspects of supervision and enforcement
1. Member States shall ensure that their competent authorities effectively monitor and take the necessary measures to ensure compliance with this Directive.
2. Member States may allow their competent authorities to give priority to supervisory tasks. This prioritization is based on a risk-based approach. To this end, competent authorities, when carrying out their supervisory tasks referred to in Articles 32 and 33, may establish supervisory methods to allow such tasks to be prioritized in accordance with a risk-based approach.
3. When addressing incidents leading to personal data breaches, competent authorities shall cooperate closely with the supervisory authorities under Regulation (EU) 2016/679, without prejudice to the powers and duties of the supervisory authorities under that Regulation.
4. Without prejudice to national legal and institutional frameworks, Member States shall ensure that competent authorities, when monitoring compliance with this Directive by public authorities and when imposing enforcement measures against infringements of this Directive, have appropriate powers that are operationally independent of the public authorities they supervise. Member States may decide to take appropriate, proportionate and effective supervisory and enforcement measures against those authorities in accordance with national legal and institutional frameworks.
Article 32
Supervisory and enforcement measures regarding essential entities
1. Member States shall ensure that supervisory or enforcement measures imposed on essential entities in relation to the obligations set out in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.
2. Member States shall ensure that competent authorities, when exercising their supervisory tasks in relation to essential entities, have the power to subject those entities to at least:
a)
on-site inspections and off-site surveillance, including random checks carried out by trained professionals;
b)
regular and targeted security audits carried out by an independent body or a competent authority;
c)
ad hoc audits, including where justified by a significant incident or breach of this Directive by the essential entity;
d)
security scanning based on objective, non-discriminatory, fair and transparent risk assessment criteria, if necessary in cooperation with the relevant entity;
e)
requests for information necessary to assess the cybersecurity risk management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27;
f)
request access to data, documents and information necessary for the exercise of their supervisory functions;
g)
request evidence of the implementation of the cybersecurity policy, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.
The targeted security audits referred to in point (b) of the first subparagraph shall be based on risk assessments carried out by the competent authority or the audited entity or on other available risk-related information.
The results of a targeted security audit shall be made available to the competent authority. The costs of such a targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly justified cases where the competent authority decides otherwise.
3. When exercising their powers under paragraph 2(e), (f) or (g), competent authorities shall indicate the purpose of the request and specify the information requested.
4. Member States shall ensure that their competent authorities, when exercising their enforcement powers against essential entities, have the power to at least:
a)
issue warnings about infringements of this Directive by the entities concerned;
b)
adopt binding instructions, including with regard to measures required to prevent or remedy an incident, as well as time limits for the implementation of such measures and for reporting on their implementation, or issue an order requiring the entities concerned to remedy the deficiencies or the infringements of this Directive identified;
c)
order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct;
d)
order the entities concerned to ensure, in a specified manner and within a specified period, that their cybersecurity risk-management measures comply with Article 21 or that they comply with the reporting obligations laid down in Article 23;
e)
order the entities concerned to inform the natural or legal persons to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat and of any possible protective or remedial measures which those natural or legal persons can take in response to that threat;
f)
to order the entities concerned to implement within a reasonable time the recommendations made following a security audit;
g)
designate a monitoring officer with well-defined tasks over a determined period of time to oversee the compliance of the entities concerned with Articles 21 and 23;
h)
order the entities concerned to disclose aspects of infringements of this Directive in a specified manner;
i)
impose an administrative fine pursuant to Article 34 or request its imposition by the competent bodies or judicial authorities in accordance with national law in addition to one or more of the measures referred to in points (a) to (h) of this paragraph.
5. Where enforcement measures taken pursuant to paragraph 4, points (a) to (d) and (f), are ineffective, Member States shall ensure that their competent authorities have the power to set a period within which the essential entity is requested to take the necessary action to remedy the deficiencies or to comply with the requirements of those authorities. If the requested action is not taken within the period set, Member States shall ensure that the competent authorities have the power to:
a)
temporarily suspend a certification or authorization or request a certification or licensing authority or a judicial authority in accordance with national law to temporarily suspend it in respect of all or part of the relevant services provided or activities carried out by the essential entity;
b)
request that the competent bodies or judicial authorities, in accordance with national law, temporarily prohibit a natural person with managerial responsibilities at the level of the general manager or legal representative in the essential entity from exercising managerial functions in that entity.
Temporary suspensions or prohibitions imposed pursuant to this paragraph shall be applied only until the entity concerned takes the necessary action to remedy the deficiencies or complies with the requirements of the competent authority for which such enforcement measures were imposed. The imposition of such temporary suspensions or prohibitions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.
The enforcement measures referred to in this paragraph shall not apply to public authorities covered by this Directive.
6. Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the power to take decisions on its behalf or the power to exercise control over it has the power to ensure that the entity complies with this Directive. Member States shall ensure that such natural persons can be held liable for breach of their duties to ensure compliance with this Directive.
As regards public authorities, this paragraph shall not affect national law on the liability of public officials and elected or appointed public officials.
7. When taking the enforcement measures referred to in paragraph 4 or 5, competent authorities shall respect the rights of the defense and take into account the circumstances of each individual case and shall take due account of at least:
a)
the seriousness of the infringement and the importance of the violated provisions, whereby, among other things, the following in any case constitutes a serious infringement:
i)
repeated infringements;
ii)
failure to report or resolve significant incidents;
iii)
failure to remedy deficiencies following binding instructions from competent authorities;
iv)
hindering audits or monitoring activities ordered by the competent authority following the discovery of an infringement;
v)
providing false or grossly inaccurate information in relation to the cybersecurity risk management measures or reporting obligations laid down in Articles 21 and 23;
b)
the duration of the infringement;
c)
any relevant previous infringements by the entity concerned;
d)
any material or non-material damage caused, including any financial or economic loss, effects on other services and the number of users affected;
e)
intent or negligence of the perpetrator of the infringement;
f)
any measures taken by the entity to prevent or mitigate the material or non-material damage;
g)
compliance with approved codes of conduct or approved certification mechanisms;
h)
the extent to which the natural or legal persons held liable cooperate with the competent authorities.
8. Competent authorities shall provide detailed justification for their enforcement measures. Before adopting such measures, the competent authorities shall inform the entities concerned of their preliminary findings. They shall also give those entities a reasonable period to comment, except in duly justified cases where immediate action to prevent or respond to incidents would otherwise be hampered.
9. Member States shall ensure that their competent authorities under this Directive inform the relevant competent authorities under Directive (EU) 2022/2557 within the same Member State when exercising their supervisory and enforcement powers aimed at ensuring compliance with this Directive by an entity identified as a critical entity under Directive (EU) 2022/2557. Where appropriate, the competent authorities under Directive (EU) 2022/2557 may request the competent authorities under this Directive to exercise their supervisory and enforcement powers in relation to an entity identified as a critical entity under Directive (EU) 2022/2557.
10. Member States shall ensure that their competent authorities under this Directive cooperate with the relevant authorities competent under Regulation (EU) 2022/2554 of the Member State concerned. In particular, Member States shall ensure that their competent authorities under this Directive inform the oversight forum established under Article 32(1) of Regulation (EU) 2022/2554 when exercising their supervisory and enforcement powers to ensure that an essential entity designated as a critical third party provider of ICT services under Article 31 of Regulation (EU) 2022/2554 complies with this Directive.
Article 33
Supervisory and enforcement measures in relation to important entities
1. When provided with evidence, indication or information that an important entity allegedly does not comply with this Directive, and in particular Articles 21 and 23 thereof, Member States shall ensure that the competent authorities take action, where necessary, through ex post supervisory measures. Member States shall ensure that those measures are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.
2. Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to important entities, have the power to subject those entities at least to:
a)
on-site inspections and off-site ex post supervision, carried out by trained professionals;
b)
targeted security audits carried out by an independent body or a competent authority;
c)
security scanning based on objective, non-discriminatory, fair and transparent risk assessment criteria, if necessary in cooperation with the relevant entity;
d)
requests for information necessary to assess, ex post, the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation under Article 27 to submit information to the competent authorities;
e)
request access to data, documents and information necessary for the exercise of their supervisory functions;
f)
request evidence of the implementation of the cybersecurity policy, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.
The targeted security audits referred to in point (b) of the first subparagraph shall be based on risk assessments carried out by the competent authority or the audited entity or on other available risk-related information.
The results of a targeted security audit shall be made available to the competent authority. The costs of such a targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly justified cases where the competent authority decides otherwise.
3. When exercising their powers under paragraph 2(d), (e) or (f), the competent authorities shall indicate the purpose of the request and the information requested.
4. Member States shall ensure that the competent authorities, when exercising their enforcement powers in relation to important entities, have the power at least to:
a)
issue warnings about infringements of this Directive by the entities concerned;
b)
to adopt binding directions or to issue an order requiring the entities concerned to remedy the identified deficiencies or infringement of this Directive;
c)
order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct;
d)
order the entities concerned to ensure, in a specified manner and within a specified period, that their cybersecurity risk-management measures comply with Article 21 or that they comply with the reporting obligations laid down in Article 23;
e)
order the entities concerned to inform the natural or legal persons to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat and of any possible protective or remedial measures which those natural or legal persons can take in response to that threat;
f)
to order the entities concerned to implement within a reasonable time the recommendations made following a security audit;
g)
order the entities concerned to disclose aspects of infringements of this Directive in a specified manner;
h)
impose an administrative fine pursuant to Article 34 or request its imposition by the competent bodies or courts in accordance with national law in addition to any of the measures referred to in points (a) to (g) of this paragraph.
5. Article 32(6), (7) and (8) shall apply mutatis mutandis to the supervisory and enforcement measures provided for in this Article for important entities.
6. Member States shall ensure that their competent authorities under this Directive cooperate with the relevant competent authorities of the Member State concerned under Regulation (EU) 2022/2554. In particular, Member States shall ensure that their competent authorities under this Directive inform the Oversight Forum established under Article 32(1) of Regulation (EU) 2022/2554 when exercising their supervisory and enforcement powers aimed at ensuring compliance with this Directive by an important entity that has been designated as a critical ICT third-party service provider under Article 31 of Regulation (EU) 2022/2554.
Article 34
General conditions for imposing administrative fines on essential and important entities
1. Member States shall ensure that administrative pecuniary penalties imposed on essential and important entities under this Article for infringements of this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.
2. Administrative fines shall be imposed in addition to any of the measures referred to in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g).
3. The decision to impose an administrative fine and the amount thereof in each individual case shall take due account of at least the elements referred to in Article 32(7).
4. Member States shall ensure that where essential entities infringe Article 21 or 23, they are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
5. Member States shall ensure that where important entities infringe Article 21 or 23, they are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 7 000 000 or of a maximum of at least 1,4 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
6. Member States may provide for the power to impose periodic penalty payments to compel an essential or important entity to cease an infringement of this Directive in accordance with a prior decision of the competent authority.
7. Without prejudice to the powers of competent authorities under Articles 32 and 33, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public administration entities.
8. Where the legal system of a Member State does not provide for administrative fines, that Member State shall ensure that this Article is applied in such a manner that the fine is initiated by the competent authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to administrative fines imposed by competent authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member State concerned shall notify the Commission of the provisions of its laws it adopts pursuant to this paragraph by 17 October 2024 and, without delay, of any subsequent amending law or amendment affecting them.
Article 35
Infringements entailing a personal data breach
1. Where the competent authorities become aware, in the course of supervision or enforcement, that an infringement by an essential or important entity of the obligations laid down in Articles 21 and 23 of this Directive can entail a personal data breach, as defined in Article 4, point (12), of Regulation (EU) 2016/679, which is to be notified pursuant to Article 33 of that Regulation, they shall, without undue delay, inform the supervisory authorities referred to in Articles 55 and 56 of that Regulation.
2. Where the supervisory authorities referred to in Article 55 or 56 of Regulation (EU) 2016/679 impose an administrative fine pursuant to Article 58(2), point (i), of that Regulation, the competent authorities shall not impose an administrative fine under Article 34 of this Directive for an infringement referred to in paragraph 1 of this Article arising from the same conduct as that which was the subject of the administrative fine under Article 58(2), point (i), of Regulation (EU) 2016/679. The competent authorities may, however, impose the enforcement measures provided for in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g), of this Directive.
3. Where the supervisory authority competent under Regulation (EU) 2016/679 is established in a Member State other than that of the competent authority, the competent authority shall inform the supervisory authority established in its own Member State of the potential personal data breach referred to in paragraph 1.
Article 36
Sanctions
Member States shall lay down rules on penalties applicable to infringements of the national measures adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, by 17 January 2025, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.
Article 37
Mutual assistance
1. Where an entity provides services in more than one Member State, or provides services in one or more Member States and its network and information systems are located in one or more other Member States, the competent authorities of the Member States concerned shall cooperate with and assist each other as necessary. That cooperation shall entail, at least, that:
a)
the competent authorities applying supervisory or enforcement measures in a Member State shall inform and consult, through the single point of contact, the competent authorities in the other Member States concerned about the supervisory and enforcement measures taken;
b)
a competent authority may request another competent authority to take supervisory or enforcement measures;
c)
a competent authority, upon receipt of a reasoned request from another competent authority, shall provide mutual assistance to the other competent authority commensurate with its own resources to enable the supervisory or enforcement measures to be carried out in an effective, efficient and consistent manner.
The mutual assistance referred to in point (c) of the first subparagraph may cover requests for information and supervisory measures, including requests to carry out on-site inspections or off-site supervision or targeted security audits. A competent authority to which a request for assistance is addressed shall not refuse that request unless it is established that it does not have the competence to provide the requested assistance, that the requested assistance is not proportionate to the supervisory tasks of the competent authority, or that the request concerns information or entails activities which, if disclosed or carried out, would be contrary to the essential interests of that Member State's national security, public security or defence. Before refusing such a request, the competent authority shall consult the other competent authorities concerned as well as, upon the request of one of the Member States concerned, the Commission and ENISA.
2. Where appropriate, the competent authorities of different Member States may carry out joint supervisory actions by mutual agreement.
CHAPTER VIII
DELEGATED AND IMPLEMENTING ACTS
Article 38
Exercise of the delegation of power
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 24(2) shall be conferred on the Commission for a period of five years from 16 January 2023.
3. The delegation of power referred to in Article 24(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles set out in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. Once the Commission has adopted a delegated act, it shall simultaneously notify the European Parliament and the Council thereof.
6. A delegated act adopted pursuant to Article 24(2) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council, or if, before the expiry of that period, both the European Parliament and the Council have informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.
Article 39
Committee procedure
1. The Commission shall be assisted by a committee. That committee is a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
3. Where the opinion of the committee is to be obtained by written procedure, that procedure shall be terminated without result when, within the time limit for delivery of the opinion, the chair of the committee so decides or a committee member so requests.
CHAPTER IX
FINAL PROVISIONS
Article 40
Evaluation
By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive and report to the European Parliament and to the Council. The report shall in particular assess the relevance of the size of the entities concerned, and of the sectors, subsectors and types of entity referred to in Annexes I and II, for the functioning of the economy and society in relation to cybersecurity. For that purpose, and with a view to further advancing strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at strategic and operational level. The report shall be accompanied, where necessary, by a legislative proposal.
Article 41
Transposition
1. By 17 October 2024, Member States shall adopt and publish the provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those provisions from 18 October 2024.
2. When Member States adopt the provisions referred to in paragraph 1, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
Article 42
Amendment of Regulation (EU) No 910/2014
In Regulation (EU) No 910/2014, Article 19 is deleted with effect from 18 October 2024.
Article 43
Amendment of Directive (EU) 2018/1972
In Directive (EU) 2018/1972, Articles 40 and 41 are deleted with effect from 18 October 2024.
Article 44
Repeal
Directive (EU) 2016/1148 is repealed with effect from 18 October 2024.
References to the repealed Directive shall be construed as references to this Directive and shall be read in accordance with the correlation table in Annex III.
Article 45
Entry into force
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 46
Addressees
This Directive is addressed to the Member States.
Done at Strasbourg, 14 December 2022.
For the European Parliament
The President
R. METSOLA
For the Council
The President
M. BEK