Article 6, Definitions

For the purposes of this Directive, the following definitions apply:

(1) ‘network and information systemNetwork and Information System (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means:

(a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;

(b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or

(c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;

(2) ‘security of network and information systemsSecurity of Network and Information Systems Means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems;

(3) ‘cybersecurityCybersecurity ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) 'cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats; - Definition according Article 2, point (1), of Regulation (EU) 2019/881;’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;

(4) ‘national cybersecurity strategyNational Cybersecurity Strategy Means a coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them in that Member State;

(5) ‘near missNear miss Means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise;

(6) ‘incidentIncident Means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;

(7) ‘large-scale cybersecurity incidentLarge-scale cybersecurity incident Means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States;

(8) ‘incident handlingIncident handling Means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means any actions and procedures aiming to prevent, detect, analyse, and contain or to respond to and recover from an incident;

(9) ‘riskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

(10) ‘cyber threatCyber threat means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons - Definition according Article 2, point (8), Regulation (EU) 2019/881’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;

(11) ‘significant cyber threatSignificant cyber threat Means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entity or the users of the entity’s services by causing considerable material or non-material damage. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a cyber threat which, based on its technical characteristics, can be assumed to have the potential to have a severe impact on the network and information systems of an entityEntity Means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) or the users of the entity’s services by causing considerable material or non-material damage;

(12) ‘ICT productICT product Means an element or a group of elements of a network or information system. - Definition according Article 2, point (12), Regulation (EU) 2019/881’ means an ICT product as defined in Article 2, point (12), of Regulation (EU) 2019/881;

(13) ‘ICT serviceICT service Means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems. - Definition according Article 2, point (13), Regulation (EU) 2019/881’ means an ICT service as defined in Article 2, point (13), of Regulation (EU) 2019/881;

(14) ‘ICT processICT process Means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service. - Definition according Article 2, point (14), Regulation (EU) 2019/881’ means an ICT process as defined in Article 2, point (14), of Regulation (EU) 2019/881;

(15) ‘vulnerabilityVulnerability Means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat;

(16) ‘standardStandard Means a technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory, and which is one of the following: (a) ‘international standard’ means a standard adopted by an international standardisation body; (b) ‘European standard’ means a standard adopted by a European standardisation organisation; (c) ‘harmonised standard’ means a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation; (d) ‘national standard’ means a standard adopted by a national standardisation body - Definition according Article 2, point (1), ofRegulation (EU) No 1025/2012 of the European Parliament and of the Council.’ means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (29);

(17) ‘technical specificationTechnical specification Means a document that prescribes technical requirements to be fulfilled by a product, process, service or system and which lays down one or more of the following: a) the characteristics required of a product including levels of quality, performance, interoperability, environmental protection, health, safety or dimensions, and including the requirements applicable to the product as regards the name under which the product is sold, terminology, symbols, testing and test methods, packaging, marking or labelling and conformity assessment procedures; (b) production methods and processes used in respect of agricultural products as defined in Article 38(1) TFEU, products intended for human and animal consumption, and medicinal products, as well as production methods and processes relating to other products, where these have an effect on their characteristics; (c) the characteristics required of a service including levels of quality, performance, interoperability, environmental protection, health or safety, and including the requirements applicable to the provider as regards the information to be made available to the recipient, as specified in Article 22(1) to (3) of Directive 2006/123/EC; (d) the methods and the criteria for assessing the performance of construction products, as defined in point 1 of Article 2 of Regulation (EU) No 305/2011 of the European Parliament and of the Council of 9 March 2011 laying down harmonised conditions for the marketing of construction products, in relation to their essential characteristics; - Definition according Article 2, point (1), ofRegulation (EU) No 1025/2012 of the European Parliament and of the Council.’ means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012;

(18) ‘internet exchange pointInternet exchange point Means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic;

(19) ‘domain name system’ or ‘DNSDomain name system’ or ‘DNS Means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to use internet routing and connectivity services to reach those services and resources;

(20) ‘DNS service providerDNS service provider Means an entity that provides: (a) publicly available recursive domain name resolution services for internet end-users; or (b) authoritative domain name resolution services for third-party use, with the exception of root name servers. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an entity that provides:

(a) publicly available recursive domain name resolution services for internet end-users; or

(b) authoritative domain name resolution services for third-party use, with the exception of root name servers;

(21) ‘top-level domain name registry’ or ‘TLD name registryTop-level domain name registry’ or ‘TLD name registry Means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are carried out by the entity itself or are outsourced, but excluding situations where TLD names are used by a registry only for its own use;

(22) ‘entity providing domain name registration servicesEntity providing domain name registration services Means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a registrar or an agent acting on behalf of registrars, such as a privacy or proxy registration service provider or reseller;

(23) ‘digital serviceDigital service means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: (i) ‘at a distance’ means that the service is provided without the parties being simultaneously present; (ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request. - Definition according Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council’ means a service as defined in Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council (30);

(24) ‘trust serviceTrust service Means an electronic service normally provided for remuneration which consists of: (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication; or (c) the preservation of electronic signatures, seals or certificates related to those services. - Definition according Article 3, point (16), of Regulation (EU) No 910/2014’ means a trust service as defined in Article 3, point (16), of Regulation (EU) No 910/2014;

(25) ‘trust service providerTrust service provider Means a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider. - Definition according Article 3, point (19), of Regulation (EU) No 910/2014’ means a trust service provider as defined in Article 3, point (19), of Regulation (EU) No 910/2014;

(26) ‘qualified trust serviceQualified trust service Means a trust service that meets the applicable requirements laid down in this Regulation. - Definition according Article 3, point (17), of Regulation (EU) No 910/2014’ means a qualified trust service as defined in Article 3, point (17), of Regulation (EU) No 910/2014;

(27) ‘qualified trust service providerQualified trust service provider Means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body. - Definition according Article 3, point (20), of Regulation (EU) No 910/2014’ means a qualified trust service provider as defined in Article 3, point (20), of Regulation (EU) No 910/2014;

(28) ‘online marketplace’ means an online marketplace as defined in Article 2, point (n), of Directive 2005/29/EC of the European Parliament and of the Council (31);

(29) ‘online search engineOnline search engine Means a digital service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found. - Definition according Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council’ means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council (32);

(30) ‘cloud computing serviceCloud computing service Means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations;

(31) ‘data centre serviceData centre service Means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control;

(32) ‘content delivery networkContent delivery network Means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers;

(33) ‘social networking services platformSocial networking services platform Means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices, in particular via chats, posts, videos and recommendations;

(34) ‘representativeRepresentative Means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider, or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means a natural or legal person established in the Union explicitly designated to act on behalf of a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service providerManaged service provider Means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive), a managed security service providerManaged security service provider Means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive), or a provider of an online marketplace, of an online search engine or of a social networking services platform that is not established in the Union, which may be addressed by a competent authority or a CSIRT in the place of the entity itself with regard to the obligations of that entity under this Directive;

(35) ‘public administration entityPublic Administration Entity Means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: (a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; (b) it has legal personality or is entitled by law to act on behalf of another entity with legal personality; (c) it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law; (d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria:

(a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;

(b) it has legal personality or is entitled by law to act on behalf of another entity with legal personality;

(c) it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law;

(d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital;

(36) ‘public electronic communications networkPublic electronic communications network Means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points. - Definition according Article 2, point (8), of Directive (EU) 2018/1972’ means a public electronic communications network as defined in Article 2, point (8), of Directive (EU) 2018/1972;

(37) ‘electronic communications serviceElectronic communications service Means a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services: (a) ‘internet access service’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120; (b) interpersonal communications service; and (c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting. - Definition according Article 2, point (4), of Directive (EU) 2018/1972’ means an electronic communications service as defined in Article 2, point (4), of Directive (EU) 2018/1972;

(38) ‘entity’ means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;

(39) ‘managed service provider’ means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely;

(40) ‘managed security service provider’ means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management;

(41) ‘research organisationResearch organisation Means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’ means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions.