EU 2022/2555

Directive on the security of network and information systems

The broadened cyber framework: essential and important entities across Europe.

Official source: EUR-Lex CELEX:32022L2555

144 recitals
0 with Luxgap guidance
24 h avg response time
Rec. 1
Directive (EU) 2016/1148 of the European Parliament and the Council...
Rec. 2
Since the entry into force of Directive (EU) 2016/1148, significant...
Rec. 3
Network and information systems have developed into a central feature...
Rec. 4
The legal basis of Directive (EU) 2016/1148 was Article 114 of the...
Rec. 5
All those divergences entail a fragmentation of the internal market...
Rec. 6
With the repeal of Directive (EU) 2016/1148, the scope of application...
Rec. 7
Under Directive (EU) 2016/1148, Member States were responsible for...
Rec. 8
The exclusion of public administration entities from the scope of...
Rec. 9
Member States should be able to take the necessary measures to ensure...
Rec. 10
Although this Directive applies to entities carrying out activities...
Rec. 11
Some entities carry out activities in the areas of national security,...
Rec. 12
Postal service providers as defined in Directive 97/67/EC of the...
Rec. 13
Given the intensification and increased sophistication of cyber...
Rec. 14
Union data protection law and Union privacy law applies to any...
Rec. 15
Entities falling within the scope of this Directive for the purpose...
Rec. 16
In order to avoid entities that have partner enterprises or that are...
Rec. 17
Member States should be able to decide that entities identified...
Rec. 18
In order to ensure a clear overview of the entities falling within...
Rec. 19
Member States should be responsible for submitting to the Commission...
Rec. 20
The Commission should, in cooperation with the Cooperation Group and...
Rec. 21
The Commission could provide guidance to assist Member States in...
Rec. 22
This Directive sets out the baseline for cybersecurity...
Rec. 23
Where a sector-specific Union legal act contains provisions requiring...
Rec. 24
Where provisions of a sector-specific Union legal act require...
Rec. 25
Sector-specific Union legal acts which provide for cybersecurity...
Rec. 26
Where sector-specific Union legal acts require or provide incentives...
Rec. 27
Future sector-specific Union legal acts should take due account of...
Rec. 28
Regulation (EU) 2022/2554 of the European Parliament and of the...
Rec. 29
In order to avoid gaps between or duplications of cybersecurity...
Rec. 30
In view of the interlinkages between cybersecurity and the physical...
Rec. 31
Entities belonging to the digital infrastructure sector are in...
Rec. 32
Upholding and preserving a reliable, resilient and secure domain name...
Rec. 33
Cloud computing services should cover digital services that enable...
Rec. 34
Given the emergence of innovative technologies and new business...
Rec. 35
Services offered by data centre service providers may not always be...
Rec. 36
Research activities play a key role in the development of new...
Rec. 37
The growing interdependencies are the result of an increasingly...
Rec. 38
In view of the differences in national governance structures and in...
Rec. 39
In order to facilitate cross-border cooperation and communication...
Rec. 40
The single points of contact should ensure effective cross-border...
Rec. 41
Member States should be adequately equipped, in terms of both...
Rec. 42
The CSIRTs are tasked with incident handling. This includes the...
Rec. 43
As regards personal data, the CSIRTs should be able to provide, in...
Rec. 44
The CSIRTs should have the ability, upon an essential or important...
Rec. 45
Given the importance of international cooperation on cybersecurity,...
Rec. 46
Ensuring adequate resources to meet the objectives of this Directive...
Rec. 47
The CSIRTs network should continue to contribute to strengthening...
Rec. 48
For the purpose of achieving and maintaining a high level of...
Rec. 49
Cyber hygiene policies provide the foundations for protecting network...
Rec. 50
Cybersecurity awareness and cyber hygiene are essential to enhance...
Rec. 51
Member States should encourage the use of any innovative technology,...
Rec. 52
Open-source cybersecurity tools and applications can contribute to a...
Rec. 53
Utilities are increasingly connected to digital networks in cities,...
Rec. 54
In recent years, the Union has faced an exponential increase in...
Rec. 55
Public-private partnerships (PPPs) in the field of cybersecurity can...
Rec. 56
Member States should, in their national cybersecurity strategies,...
Rec. 57
As part of their national cybersecurity strategies, Member States...
Rec. 58
Since the exploitation of vulnerabilities in network and information...
Rec. 59
The Commission, ENISA and the Member States should continue to foster...
Rec. 60
Member States, in cooperation with ENISA, should take measures to...
Rec. 61
Member States should designate one of its CSIRTs as a coordinator,...
Rec. 62
Access to correct and timely information about vulnerabilities...
Rec. 63
Although similar vulnerability registries or databases exist, they...
Rec. 64
The Cooperation Group should support and facilitate strategic...
Rec. 65
When developing guidance documents, the Cooperation Group should...
Rec. 66
The Cooperation Group should remain a flexible forum and be able to...
Rec. 67
The competent authorities and the CSIRTs should be able to...
Rec. 68
Member States should contribute to the establishment of the EU...
Rec. 69
In accordance with the Annex to Recommendation (EU) 2017/1584, a...
Rec. 70
Large-scale cybersecurity incidents and crises at Union level require...
Rec. 71
EU-CyCLONe should work as an intermediary between the technical and...
Rec. 72
Cyberattacks are of a cross-border nature, and a significant incident...
Rec. 73
The Union can, where appropriate, conclude international agreements,...
Rec. 74
In order to facilitate the effective implementation of this Directive...
Rec. 75
Peer reviews should be introduced to help learn from shared...
Rec. 76
The Cooperation Group should establish a self-assessment methodology...
Rec. 77
Responsibility for ensuring the security of network and information...
Rec. 78
Cybersecurity risk-management measures should take into account the...
Rec. 79
As threats to the security of network and information systems can...
Rec. 80
For the purpose of demonstrating compliance with cybersecurity...
Rec. 81
In order to avoid imposing a disproportionate financial and...
Rec. 82
Cybersecurity risk-management measures should be proportionate to the...
Rec. 83
Essential and important entities should ensure the security of the...
Rec. 84
Taking account of their cross-border nature, DNS service providers,...
Rec. 85
Addressing risks stemming from an entity’s supply chain and its...
Rec. 86
Among service providers, managed security service providers in areas...
Rec. 87
The competent authorities, in the context of their supervisory tasks,...
Rec. 88
Essential and important entities should also address risks stemming...
Rec. 89
Essential and important entities should adopt a wide range of basic...
Rec. 90
To further address key supply chain risks and assist essential and...
Rec. 91
The coordinated security risk assessments of critical supply chains,...
Rec. 92
In order to streamline the obligations imposed on providers of public...
Rec. 93
The cybersecurity obligations laid down in this Directive should be...
Rec. 94
Member States can assign the role of the competent authorities for...
Rec. 95
Where appropriate and in order to avoid unnecessary disruption,...
Rec. 96
Given the growing importance of number-independent interpersonal...
Rec. 97
The internal market is more reliant on the functioning of the...
Rec. 98
In order to safeguard the security of public electronic...
Rec. 99
In order to safeguard the security, and to prevent abuse and...
Rec. 100
In order to safeguard the functionality and integrity of the internet...
Rec. 101
This Directive lays down a multiple-stage approach to the reporting...
Rec. 102
Where essential or important entities become aware of a significant...
Rec. 103
Where applicable, essential and important entities should...
Rec. 104
Providers of public electronic communications networks or of publicly...
Rec. 105
A proactive approach to cyber threats is a vital component of...
Rec. 106
In order to simplify the reporting of information required under this...
Rec. 107
Where it is suspected that an incident is related to serious criminal...
Rec. 108
Personal data are in many cases compromised as a result of incidents....
Rec. 109
Maintaining accurate and complete databases of domain name...
Rec. 110
The availability and timely accessibility of domain name registration...
Rec. 111
In order to ensure the availability of accurate and complete domain...
Rec. 112
TLD name registries and entities providing domain name registration...
Rec. 113
Entities falling within the scope of this Directive should be...
Rec. 114
In order to take account of the cross-border nature of the services...
Rec. 115
Where a publicly available recursive DNS service is provided by a...
Rec. 116
Where a DNS service provider, a TLD name registry, an entity...
Rec. 117
In order to ensure a clear overview of DNS service providers, TLD...
Rec. 118
Where information which is classified in accordance with Union or...
Rec. 119
With cyber threats becoming more complex and sophisticated, good...
Rec. 120
Entities should be encouraged and assisted by Member States to...
Rec. 121
The processing of personal data, to the extent necessary and...
Rec. 122
In order to strengthen the supervisory powers and measures that help...
Rec. 123
The execution of supervisory tasks by the competent authorities...
Rec. 124
In the exercise of ex ante supervision, the competent authorities...
Rec. 125
The competent authorities should ensure that their supervisory tasks...
Rec. 126
In duly substantiated cases where it is aware of a significant cyber...
Rec. 127
In order to make enforcement effective, a minimum list of enforcement...
Rec. 128
This Directive does not require Member States to provide for criminal...
Rec. 129
In order to ensure effective enforcement of the obligations laid down...
Rec. 130
Where an administrative fine is imposed on an essential or important...
Rec. 131
Member States should be able to lay down the rules on criminal...
Rec. 132
Where this Directive does not harmonise administrative penalties or...
Rec. 133
In order to further strengthen the effectiveness and dissuasiveness...
Rec. 134
For the purpose of ensuring entities’ compliance with their...
Rec. 135
In order to ensure effective supervision and enforcement, in...
Rec. 136
This Directive should establish cooperation rules between the...
Rec. 137
This Directive should aim to ensure a high level of responsibility...
Rec. 138
In order to ensure a high common level of cybersecurity across the...
Rec. 139
In order to ensure uniform conditions for the implementation of this...
Rec. 140
The Commission should periodically review this Directive, after...
Rec. 141
This Directive creates new tasks for ENISA, thereby enhancing its...
Rec. 142
Since the objective of this Directive, namely to achieve a high...
Rec. 143
This Directive respects the fundamental rights, and observes the...
Rec. 144
The European Data Protection Supervisor was consulted in accordance...
