1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systemsSecurity of Network and Information Systems Means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.
Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entityEntity Means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
(a) policies on riskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) analysis and information system security;
(b) incident handlingIncident handling Means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive);
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerabilityVulnerability Means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurityCybersecurity ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) 'cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats; - Definition according Article 2, point (1), of Regulation (EU) 2019/881; risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
3. Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).
4. Member States shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.
5. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providers, TLD name registries, cloud computing serviceCloud computing service Means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) providers, data centre serviceData centre service Means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) providers, content delivery networkContent delivery network Means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust serviceTrust service Means an electronic service normally provided for remuneration which consists of: (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication; or (c) the preservation of electronic signatures, seals or certificates related to those services. - Definition according Article 3, point (16), of Regulation (EU) No 910/2014 providers.
The Commission may adopt implementing acts laying down the technical and the methodological requirements, as well as sectoral requirements, as necessary, of the measures referred to in paragraph 2 with regard to essential and important entities other than those referred to in the first subparagraph of this paragraph.
When preparing the implementing acts referred to in the first and second subparagraphs of this paragraph, the Commission shall, to the extent possible, follow European and international standards, as well as relevant technical specifications. The Commission shall exchange advice and cooperate with the Cooperation Group and ENISA on the draft implementing acts in accordance with Article 14(4), point (e).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).