{"id":584,"date":"2024-01-29T16:47:57","date_gmt":"2024-01-29T16:47:57","guid":{"rendered":"https:\/\/nis2resources.eu\/?page_id=584"},"modified":"2024-08-09T05:19:15","modified_gmt":"2024-08-09T05:19:15","slug":"preamble","status":"publish","type":"page","link":"https:\/\/nis2resources.eu\/es\/directiva-2022-2555-nis2\/preambulo\/","title":{"rendered":"Pre\u00e1mbulo"},"content":{"rendered":"

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank,
Having regard to the opinion of the European Economic and Social Committee,
After consulting the Committee of the Regions,
Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) Directive (EU) 2016/1148 of the European Parliament and of the Council (4) aimed to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents, thus contributing to the Union's security and to the effective functioning of its economy and society. [Glossary: "cybersecurity" means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881, namely the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

(2) Since the entry into force of Directive (EU) 2016/1148, significant progress has been made in increasing the level of cyber resilience of the Union. The review of that Directive has shown that it has served as a catalyst for the institutional and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mindset.

That Directive has ensured the completion of national frameworks on the security of network and information systems by establishing national strategies on the security of network and information systems and establishing national capabilities, and by implementing regulatory measures covering essential infrastructures and entities identified by each Member State. [Glossary: "security of network and information systems" means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

Directive (EU) 2016/1148 has also contributed to cooperation at Union level through the establishment of the Cooperation Group and the network of national computer security incident response teams. Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings that prevent it from effectively addressing contemporaneous and emerging cybersecurity challenges. [Glossary: "incident" means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

(3) Network and information systems have developed into a central feature of everyday life with the speedy digital transformation and interconnectedness of society, including in cross-border exchanges. That development has led to an expansion of the cyber threat landscape, bringing about new challenges which require adapted, coordinated and innovative responses in all Member States. [Glossary: "cyber threat" means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons. Definition under Article 2, point (8), of Regulation (EU) 2019/881.]

The number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems. As a result, incidents can impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union's economy and society.

Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.

(4) The legal basis for Directive (EU) 2016/1148 was Article 114 of the Treaty on the Functioning of the European Union (TFEU), the objective of which is the establishment and functioning of the internal market by enhancing measures for the approximation of national rules. The cybersecurity requirements imposed on entities providing services or carrying out activities which are economically significant vary considerably among Member States in terms of the type of requirement, their level of detail and the method of supervision. Those disparities entail additional costs and create difficulties for entities that offer goods or services across borders.

Requirements imposed by one Member State that are different from, or even in conflict with, those imposed by another Member State may substantially affect such cross-border activities. Furthermore, the possibility of an inadequate design or implementation of cybersecurity requirements in one Member State is likely to have repercussions on the level of cybersecurity of other Member States, in particular given the intensity of cross-border exchanges.

The review of Directive (EU) 2016/1148 has shown a wide divergence in its implementation by Member States, including in relation to its scope, the delimitation of which was to a very large extent left to the discretion of the Member States. Directive (EU) 2016/1148 also gave Member States very wide discretion with regard to the implementation of the security and incident reporting obligations laid down therein. Those obligations were therefore implemented in significantly different ways at national level. There are similar divergences in the implementation of the provisions of Directive (EU) 2016/1148 on supervision and enforcement.

(5) All those divergences entail a fragmentation of the internal market and are liable to have a prejudicial effect on its functioning, affecting in particular the cross-border provision of services and the level of cyber resilience due to the application of a variety of measures. Ultimately, those divergences could lead to a higher vulnerability of some Member States to cyber threats, with potential spill-over effects across the Union. [Glossary: "vulnerability" means a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

This Directive aims to remove such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning of a coordinated regulatory framework, by laying down mechanisms for effective cooperation among the responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity obligations and by providing effective remedies and enforcement measures which are key to the effective enforcement of those obligations. Directive (EU) 2016/1148 should therefore be repealed and replaced by this Directive.

(6) With the repeal of Directive (EU) 2016/1148, the scope of application by sector should be extended to a larger part of the economy to provide comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. In particular, this Directive aims to overcome the shortcomings of the differentiation between operators of essential services and digital service providers, which has proven to be obsolete, since it does not reflect the importance of the sectors or services for the societal and economic activities in the internal market. [Glossary: "digital service" means any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For the purposes of this definition: (i) "at a distance" means that the service is provided without the parties being simultaneously present; (ii) "by electronic means" means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means; (iii) "at the individual request of a recipient of services" means that the service is provided through the transmission of data on individual request. Definition under Article 1(1), point (b), of Directive (EU) 2015/1535 of the European Parliament and of the Council.]

(7) Under Directive (EU) 2016/1148, Member States were responsible for determining which entities met the criteria to qualify as operators of essential services. In order to eliminate the wide divergences among Member States in that regard and to ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations for all relevant entities, a uniform criterion should be established that determines the entities falling within the scope of this Directive. [Glossary: "risk" means the potential for loss or disruption caused by an incident, to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

That criterion should consist of the application of a size-cap rule, whereby all entities which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which operate within the sectors and provide the types of services or carry out the activities covered by this Directive, fall within its scope. Member States should also provide for certain small enterprises and microenterprises, as defined in Article 2(2) and (3) of that Annex, which fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of services, to fall within the scope of this Directive.

(8) The exclusion of public administration entities from the scope of this Directive should apply to entities whose activities are predominantly carried out in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences. However, public administration entities whose activities are only marginally related to those areas should not be excluded from the scope of this Directive.

For the purposes of this Directive, entities with regulatory competences are not considered to be carrying out activities in the area of law enforcement and are therefore not excluded on that ground from the scope of this Directive. Public administration entities that are established jointly with a third country in accordance with an international agreement are excluded from the scope of this Directive. This Directive does not apply to Member States' diplomatic and consular missions in third countries or to their network and information systems, insofar as such systems are located on the premises of the mission or are run for users in a third country.

(9) Member States should be able to take the necessary measures to ensure the protection of the essential interests of national security, to safeguard public policy and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences.

To that end, Member States should be able to exempt specific entities which carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, from certain obligations laid down in this Directive with regard to those activities.

Where an entity provides services exclusively to a public administration entity that is excluded from the scope of this Directive, Member States should be able to exempt that entity from certain obligations laid down in this Directive with regard to those services. Furthermore, no Member State should be required to supply information the disclosure of which would be contrary to the essential interests of its national security, public security or defence. [Glossary: "entity" means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. "Public administration entity" means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: (a) it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; (b) it has legal personality or is entitled by law to act on behalf of another entity with legal personality; (c) it is financed, for the most part, by the State, regional authorities or other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or other bodies governed by public law; (d) it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. Both definitions under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

Union or national rules for the protection of classified information, non-disclosure agreements, and informal non-disclosure agreements such as the traffic light protocol, should be taken into account in that context. The traffic light protocol is to be understood as a means of providing information about any limitations with regard to the further spreading of information. It is used in almost all computer security incident response teams (CSIRTs) and in some information sharing and analysis centres.

(10) Although this Directive applies to entities carrying out activities related to the production of electricity from nuclear power plants, some of those activities may be linked to national security. Where that is the case, a Member State should be able to exercise its responsibility for safeguarding national security with respect to those activities, including activities within the nuclear value chain, in accordance with the Treaties.

(11) Some entities carry out activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, while also providing trust services. Trust service providers falling within the scope of Regulation (EU) No 910/2014 of the European Parliament and of the Council (6) should fall within the scope of this Directive in order to ensure the same level of security requirements and supervision as that previously laid down in that Regulation with regard to trust service providers. In line with the exclusion of certain specific services from Regulation (EU) No 910/2014, this Directive should not apply to the provision of trust services that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants. [Glossary: "trust service" means an electronic service normally provided for remuneration which consists of: (a) the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication, or (c) the preservation of electronic signatures, seals or certificates related to those services. Definition under Article 3, point (16), of Regulation (EU) No 910/2014.]

(12) Postal service providers as defined in Directive 97/67/EC of the European Parliament and of the Council, including providers of courier services, should be subject to this Directive if they provide at least one of the steps in the postal delivery chain, in particular clearance, sorting, transport or distribution of postal items, including pick-up services, while taking into account their degree of dependence on network and information systems. Transport services that are not undertaken in conjunction with one of those steps should be excluded from the scope of postal services.

(13) Given the intensification and increased sophistication of cyber threats, Member States should strive to ensure that entities that are excluded from the scope of this Directive achieve a high level of cybersecurity and to support the implementation of equivalent cybersecurity risk-management measures that reflect the sensitive nature of those entities.

(14) Union data protection law and Union privacy law apply to any processing of personal data under this Directive. In particular, this Directive is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council and Directive 2002/58/EC of the European Parliament and of the Council. This Directive should therefore not affect, inter alia, the tasks and powers of the authorities competent to monitor compliance with applicable Union data protection law and applicable Union privacy law.

(15) Entities falling within the scope of this Directive for the purpose of complying with cybersecurity risk-management measures and reporting obligations should be classified into two categories, essential entities and important entities, reflecting the extent to which they are critical as regards their sector or the type of service they provide, as well as their size. In that regard, due account should be taken of any relevant sectoral risk assessments or guidance by the competent authorities, where applicable. The supervisory and enforcement regimes for those two categories of entities should be differentiated to ensure a fair balance between risk-based requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other hand.

(16) In order to avoid entities that have partner enterprises or that are linked enterprises being considered to be essential or important entities where this would be disproportionate, Member States can take into account the degree of independence that an entity has in relation to its partner or linked enterprises when applying Article 6(2) of the Annex to Recommendation 2003/361/EC. In particular, Member States can take into account the fact that an entity is independent from its partner or linked enterprises in terms of the network and information systems that that entity uses in the provision of its services and in terms of the services that the entity provides.

On that basis, Member States can, where appropriate, consider such an entity not to qualify as a medium-sized enterprise under Article 2 of the Annex to Recommendation 2003/361/EC, or not to exceed the ceilings for a medium-sized enterprise provided for in paragraph 1 of that Article, if, after taking into account the degree of independence of that entity, that entity would not have been considered to qualify as a medium-sized enterprise or to exceed those ceilings had only its own data been taken into account. This does not affect the obligations laid down in this Directive of the partner and linked enterprises which fall within the scope of this Directive.

(17) Member States should be able to decide that entities identified before the entry into force of this Directive as operators of essential services in accordance with Directive (EU) 2016/1148 are to be considered to be essential entities.

(18) In order to ensure a clear overview of the entities falling within the scope of this Directive, Member States should establish a list of essential and important entities as well as entities providing domain name registration services. For that purpose, Member States should require entities to submit at least the following information to the competent authorities, namely the name, address and up-to-date contact details, including the email addresses, IP ranges and telephone numbers of the entity, and, where applicable, the relevant sector and subsector referred to in the Annexes, as well as, where applicable, a list of the Member States where they provide services falling within the scope of this Directive.

To that end, the Commission, with the assistance of the European Union Agency for Cybersecurity (ENISA), should, without undue delay, provide guidelines and templates regarding the obligation to submit information. To facilitate the establishment and updating of the list of essential and important entities, as well as entities providing domain name registration services, Member States should be able to establish national mechanisms for entities to register themselves. Where registries exist at national level, Member States may decide on adequate mechanisms that allow for the identification of entities falling within the scope of this Directive.

(19) Member States should be responsible for submitting to the Commission at least the number of essential and important entities for each sector and subsector referred to in the Annexes, as well as relevant information about the number of identified entities and the provision, from among those laid down in this Directive, on the basis of which they were identified, and the type of service that they provide. Member States are encouraged to exchange with the Commission information about essential and important entities and, in the case of a large-scale cybersecurity incident, relevant information such as the name of the entity concerned. [Glossary: "large-scale cybersecurity incident" means an incident which causes a level of disruption that exceeds a Member State's capacity to respond to it or which has a significant impact on at least two Member States. Definition under Article 6 of Directive (EU) 2022/2555 (NIS2 Directive).]

(20) The Commission, in cooperation with the Cooperation Group and after consulting relevant stakeholders, should provide guidelines on the implementation of the criteria applicable to microenterprises and small enterprises to assess whether they fall within the scope of this Directive. The Commission should also ensure that appropriate guidance is provided to microenterprises and small enterprises falling within the scope of this Directive. The Commission should, with the assistance of the Member States, make information available to microenterprises and small enterprises in that regard.

(21) The Commission could provide guidance to assist Member States in implementing the provisions of this Directive on scope and in evaluating the proportionality of the measures to be taken under this Directive, in particular as regards entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities or may simultaneously carry out activities, some of which fall within the scope of this Directive and some of which are excluded from it.

(22) This Directive lays down the baseline for cybersecurity risk-management measures and reporting obligations across the sectors that fall within its scope. In order to avoid fragmentation of the cybersecurity provisions of Union legal acts, where further sector-specific Union legal acts concerning cybersecurity risk-management measures and reporting obligations are considered to be necessary to ensure a high level of cybersecurity across the Union, the Commission should assess whether such further provisions could be stipulated in an implementing act under this Directive.

Should such an implementing act not be suitable for that purpose, sector-specific Union legal acts could contribute to ensuring a high level of cybersecurity across the Union, while taking full account of the specificities and complexities of the sectors concerned. To that end, this Directive does not preclude the adoption of further sector-specific Union legal acts addressing cybersecurity risk-management measures and reporting obligations that take due account of the need for a comprehensive and consistent cybersecurity framework. This Directive is without prejudice to the existing implementing powers that have been conferred on the Commission in a number of sectors, including transport and energy.

(23) Where a sector-specific Union legal act contains provisions requiring essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, those provisions, including on supervision and enforcement, should apply to such entities. If a sector-specific Union legal act does not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive should continue to apply to the entities not covered by that act.

(24) Where provisions of a sector-specific Union legal act require essential or important entities to comply with reporting obligations that are at least equivalent in effect to the reporting obligations laid down in this Directive, consistency and effectiveness in the handling of incident notifications should be ensured. To that end, the provisions on incident notifications of the sector-specific Union legal act should give the CSIRTs, the competent authorities or the single points of contact on cybersecurity (single points of contact) under this Directive immediate access to the incident notifications submitted in accordance with the sector-specific Union legal act.

Such immediate access can be ensured, in particular, if incident notifications are forwarded without undue delay to the CSIRT, the competent authority or the single point of contact under this Directive. Where appropriate, Member States should establish an automatic and direct reporting mechanism that ensures the systematic and immediate sharing of information with the CSIRTs, the competent authorities or the single points of contact regarding the handling of such incident notifications. In order to simplify reporting and to implement the automatic and direct reporting mechanism, Member States could, in accordance with the sector-specific Union legal act, use a single entry point.

(25) Sector-specific Union legal acts providing for cybersecurity risk-management measures or reporting obligations that are at least equivalent in effect to those laid down in this Directive could provide that the competent authorities under such acts exercise their supervisory and enforcement powers in relation to such measures or obligations with the assistance of the competent authorities under this Directive.

The competent authorities concerned could establish cooperation arrangements for that purpose. Such cooperation arrangements could specify, inter alia, the procedures for coordinating supervisory activities, including procedures for investigations and on-site inspections in accordance with national law, and a mechanism for exchanging relevant information on supervision and enforcement between the competent authorities, including access to cyber-related information requested by the competent authorities under this Directive.

(26) Where sector-specific Union legal acts require or provide incentives for entities to notify significant cyber threats, Member States should also encourage the sharing of significant cyber threats with the CSIRTs, the competent authorities or the single points of contact under this Directive, in order to ensure an enhanced level of awareness of those bodies of the cyber threat landscape and to enable them to respond effectively and in a timely manner should the significant cyber threats materialise.

(27) Future sector-specific Union legal acts should take due account of the definitions and the supervisory and enforcement framework laid down in this Directive.

(28) Regulation (EU) 2022/2554 of the European Parliament and of the Council (10) should be considered a sector-specific Union legal act in relation to this Directive with regard to financial entities. The provisions of Regulation (EU) 2022/2554 relating to information and communication technology (ICT) risk management, the management of ICT-related incidents and, in particular, the reporting of major ICT-related incidents, as well as those on digital operational resilience testing, information-sharing arrangements and ICT third-party risk, should apply instead of those laid down in this Directive. Member States should therefore not apply the provisions of this Directive on cybersecurity risk-management and reporting obligations, supervision and enforcement to financial entities covered by Regulation (EU) 2022/2554. At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under this Directive.

To that end, Regulation (EU) 2022/2554 allows the European Supervisory Authorities (ESAs) and the competent authorities under that Regulation to participate in the activities of the Cooperation Group and to exchange information and cooperate with the single points of contact, as well as with the CSIRTs and the competent authorities under this Directive. The competent authorities under Regulation (EU) 2022/2554 should also transmit details of major ICT-related incidents and, where relevant, significant cyber threats to the CSIRTs, the competent authorities or the single points of contact under this Directive. This can be achieved by providing immediate access to incident notifications and transmitting them either directly or through a single entry point. Furthermore, Member States should continue to include the financial sector in their cybersecurity strategies, and CSIRTs may cover the financial sector in their activities.

(29) In order to avoid gaps in or duplication of the cybersecurity obligations imposed on entities in the aviation sector, the national authorities under Regulations (EC) No 300/2008 and (EU) 2018/1139 of the European Parliament and of the Council and the competent authorities under this Directive should cooperate on the implementation of cybersecurity risk-management measures and the supervision of compliance with those measures at national level. The competent authorities under this Directive could consider compliance by an entity with the security requirements laid down in Regulations (EC) No 300/2008 and (EU) 2018/1139 and in the relevant delegated and implementing acts adopted pursuant to those Regulations to constitute compliance with the corresponding requirements laid down in this Directive.

(30) In view of the interrelations between cybersecurity and the physical security of entities, a coherent approach should be ensured between Directive (EU) 2022/2557 of the European Parliament and of the Council and this Directive. To achieve this, entities identified as critical entities under Directive (EU) 2022/2557 should be considered essential entities under this Directive.

Moreover, each Member State should ensure that its national cybersecurity strategy provides a policy framework for enhanced coordination within that Member State between its competent authorities under this Directive and those under Directive (EU) 2022/2557, in the context of the sharing of information on risks, cyber threats and incidents, as well as on non-cyber risks, threats and incidents, and of the exercise of supervisory tasks. The competent authorities under this Directive and those under Directive (EU) 2022/2557 should cooperate and exchange information without undue delay, in particular in relation to the identification of critical entities, risks, cyber threats and incidents, as well as non-cyber risks, threats and incidents affecting critical entities, including the cybersecurity and physical measures taken by critical entities and the results of supervisory activities carried out in relation to such entities.

Furthermore, in order to streamline supervisory activities between the competent authorities under this Directive and those under Directive (EU) 2022/2557, and to minimise the administrative burden for the entities concerned, those competent authorities should endeavour to harmonise incident notification templates and supervisory processes. Where appropriate, the competent authorities under Directive (EU) 2022/2557 should be able to request the competent authorities under this Directive to exercise their supervisory and enforcement powers in relation to an entity identified as a critical entity under Directive (EU) 2022/2557. The competent authorities under this Directive and those under Directive (EU) 2022/2557 should, where possible in real time, cooperate and exchange information for that purpose.

(31) Entities belonging to the digital infrastructure sector are in essence based on network and information systems, and therefore the obligations imposed on those entities under this Directive should address, in a comprehensive manner, the physical security of such systems as part of their cybersecurity risk-management measures and reporting obligations. As those matters are covered by this Directive, the obligations laid down in Chapters III, IV and VI of Directive (EU) 2022/2557 do not apply to such entities.

(32) Maintaining and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to top-level domain (TLD) name registries and to DNS service providers, understood as entities providing publicly available recursive domain name resolution services for internet end-users or authoritative domain name resolution services for third-party use. This Directive should not apply to root name servers.

(33) Cloud computing services should cover digital services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. Computing resources include resources such as networks, servers or other infrastructure, operating systems, software, storage, applications and services. The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS).

The deployment models of cloud computing should include private, community, public and hybrid cloud. The cloud computing service and deployment models have the same meaning as the service and deployment models defined in the ISO/IEC 17788:2014 standard. The capability of the cloud computing user to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the cloud computing service provider could be described as on-demand administration.

El t\u00e9rmino \"acceso remoto amplio\" se utiliza para describir que las capacidades de la nube se proporcionan a trav\u00e9s de la red y se accede a ellas mediante mecanismos que promueven el uso de plataformas heterog\u00e9neas de clientes ligeros o gruesos, incluidos tel\u00e9fonos m\u00f3viles, tabletas, ordenadores port\u00e1tiles y estaciones de trabajo. El t\u00e9rmino \"escalable\" se refiere a los recursos inform\u00e1ticos asignados de forma flexible por el proveedor de servicios en nube, con independencia de la ubicaci\u00f3n geogr\u00e1fica de los recursos, para hacer frente a las fluctuaciones de la demanda.
<\/p>\n\n\n\n

El t\u00e9rmino \"pool el\u00e1stico\" se utiliza para describir los recursos inform\u00e1ticos que se proporcionan y liberan en funci\u00f3n de la demanda con el fin de aumentar y disminuir r\u00e1pidamente los recursos disponibles en funci\u00f3n de la carga de trabajo. El t\u00e9rmino \"compartible\" se utiliza para describir los recursos inform\u00e1ticos que se proporcionan a m\u00faltiples usuarios que comparten un acceso com\u00fan al servicio, pero en los que el procesamiento se lleva a cabo por separado para cada usuario, aunque el servicio se preste desde el mismo equipo electr\u00f3nico. El t\u00e9rmino \"distribuido\" se utiliza para describir los recursos inform\u00e1ticos que se encuentran en diferentes ordenadores o dispositivos conectados en red y que se comunican y coordinan entre s\u00ed mediante el paso de mensajes.

<\/p>\n\n\n\n

(34) Given the emergence of innovative technologies and new business models, new cloud computing service and deployment models are expected to appear on the internal market in response to evolving customer needs. In that context, cloud computing services may be delivered in a highly distributed form, even closer to where data are generated or collected, thereby moving from the traditional model to a highly distributed one (edge computing).

(35) Services offered by data centre service providers are not always provided in the form of cloud computing services. Accordingly, data centres may not always form part of cloud computing infrastructure. In order to manage all risks posed to the security of network and information systems, this Directive should therefore cover providers of data centre services that are not cloud computing services.

For the purposes of this Directive, the term 'data centre service' should cover the provision of a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of information technology (IT) and network equipment providing data storage, processing and transport services, together with all the facilities and infrastructures for power distribution and environmental control. The term 'data centre service' should not apply to internal, corporate data centres owned and operated by the entity concerned for its own purposes.

(36) Research activities play a key role in the development of new products and processes. Many of those activities are carried out by entities that share, disseminate or exploit the results of their research for commercial purposes. Those entities can therefore be important players in value chains, making the security of their network and information systems an integral part of the overall cybersecurity of the internal market.

Research organisations should be understood as entities which focus the essential part of their activities on conducting applied research or experimental development, within the meaning of the Organisation for Economic Cooperation and Development's Frascati Manual 2015: Guidelines for Collecting and Reporting Data on Research and Experimental Development, with a view to exploiting their results for commercial purposes, such as the manufacturing or development of a product or process, the provision of a service, or the marketing thereof.

(37) The growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in sectors such as energy, transport, digital infrastructure, drinking water and waste water, health, certain aspects of public administration, as well as space in so far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programme.

Those interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have broader cascading effects, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the internal market. The intensified cyberattacks during the COVID-19 pandemic have shown the vulnerability of increasingly interdependent societies in the face of low-probability risks.

(38) Given the differences in national governance structures, and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, Member States should be able to designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks under this Directive.

(39) In order to facilitate cross-border cooperation and communication among authorities and to enable this Directive to be implemented effectively, it is necessary for each Member State to designate a single point of contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at Union level.

(40) Single points of contact should ensure efficient cross-border cooperation with the relevant authorities of other Member States and, where appropriate, with the Commission and ENISA. Single points of contact should therefore be tasked with forwarding notifications of significant incidents with cross-border impact to the single points of contact of other affected Member States upon the request of the CSIRT or the competent authority. At national level, single points of contact should enable seamless cross-sectoral cooperation with other competent authorities. Single points of contact could also be the addressees of relevant information about incidents concerning financial entities from the competent authorities under Regulation (EU) 2022/2554, which they should be able to forward, as appropriate, to the CSIRTs or the competent authorities under this Directive.

(41) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate incidents and risks. Member States should therefore establish or designate one or more CSIRTs under this Directive and ensure that they have adequate resources and technical capabilities. CSIRTs should comply with the requirements laid down in this Directive in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level.

Member States should be able to designate existing computer emergency response teams (CERTs) as CSIRTs. In order to enhance the trust relationship between the entities and the CSIRTs, where a CSIRT is part of a competent authority, Member States should be able to consider functional separation between the operational tasks provided by CSIRTs, in particular in relation to information sharing and the assistance provided to entities, and the supervisory activities of the competent authorities.

(42) CSIRTs are tasked with incident handling. This includes the processing of large volumes of sometimes sensitive data. Member States should ensure that CSIRTs have an infrastructure for information sharing and processing, as well as well-equipped staff, which ensures the confidentiality and trustworthiness of their operations. CSIRTs could also adopt codes of conduct in that regard.

(43) With regard to personal data, CSIRTs should be able to provide, in accordance with Regulation (EU) 2016/679, upon the request of an essential or important entity, a proactive scan of the network and information systems used for the provision of the entity's services. Where applicable, Member States should aim to ensure an equal level of technical capabilities for all sectoral CSIRTs. Member States should be able to request the assistance of ENISA in developing their CSIRTs.

(44) CSIRTs should have the ability, upon the request of an essential or important entity, to monitor the entity's internet-facing assets, both on and off premises, in order to identify, understand and manage the entity's overall organisational risks as regards newly identified supply chain compromises or critical vulnerabilities. The entity should be encouraged to communicate to the CSIRT whether it runs a privileged management interface, as this could affect the speed with which mitigating actions are undertaken.

(45) Given the importance of international cooperation on cybersecurity, CSIRTs should be able to participate in international cooperation networks in addition to the CSIRTs network established by this Directive. Therefore, for the purpose of carrying out their tasks, CSIRTs and the competent authorities should be able to exchange information, including personal data, with the national computer security incident response teams or competent authorities of third countries, provided that the conditions under Union data protection law for transfers of personal data to third countries, inter alia those of Article 49 of Regulation (EU) 2016/679, are met.

(46) It is essential to ensure adequate resources to meet the objectives of this Directive and to enable the competent authorities and CSIRTs to carry out the tasks laid down therein. Member States may introduce at national level a funding mechanism to cover the necessary expenditure in relation to the performance of the tasks of public entities responsible for cybersecurity in the Member State pursuant to this Directive. Such a mechanism should comply with Union law, be proportionate and non-discriminatory, and take into account the different approaches to providing secure services.

(47) The CSIRTs network should continue to contribute to strengthening confidence and trust and to promoting swift and effective operational cooperation among Member States. In order to enhance operational cooperation at Union level, the CSIRTs network should consider inviting Union bodies and agencies involved in cybersecurity policy, such as Europol, to participate in its work.

(48) For the purpose of achieving and maintaining a high level of cybersecurity, the national cybersecurity strategies required under this Directive should consist of coherent frameworks providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them. Those strategies may be composed of one or more legislative or non-legislative instruments.

(49) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and the business or end-user data upon which entities rely. Cyber hygiene policies comprising a common baseline set of practices, including software and hardware updates, password changes, the management of new installs, the limitation of administrator-level access accounts, and the backing-up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or cyber threats. ENISA should monitor and analyse Member States' cyber hygiene policies.

(50) Cybersecurity awareness and cyber hygiene are essential to enhance the level of cybersecurity within the Union, in particular in light of the growing number of connected devices that are increasingly used in cyberattacks. Efforts should be made to enhance the overall awareness of risks related to such devices, while assessments at Union level could help ensure a common understanding of such risks within the internal market.

(51) Member States should encourage the use of any innovative technology, including artificial intelligence, the use of which could improve the detection and prevention of cyberattacks, enabling resources to be diverted towards cyberattacks more effectively. Member States should therefore encourage in their national cybersecurity strategy activities in research and development to facilitate the use of such technologies, in particular those relating to automated or semi-automated tools in cybersecurity, and, where relevant, the sharing of data needed for training users of such technology and for improving it.

The use of any innovative technology, including artificial intelligence, should comply with Union data protection law, including the data protection principles of data accuracy, data minimisation, fairness and transparency, and data security, such as state-of-the-art encryption. The requirements of data protection by design and by default laid down in Regulation (EU) 2016/679 should be fully exploited.

(52) Open-source cybersecurity tools and applications can contribute to a higher degree of openness and can have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders. Open-source cybersecurity tools and applications can leverage the wider developer community, enabling diversification of suppliers. Open source can lead to a more transparent verification process of cybersecurity related tools and a community-driven process of discovering vulnerabilities.

Member States should therefore be able to promote the use of open-source software and open standards by pursuing policies relating to the use of open data and open-source as part of security through transparency. Policies promoting the introduction and sustainable use of open-source cybersecurity tools are of particular importance for small and medium-sized enterprises facing significant costs for implementation, which could be minimised by reducing the need for specific applications or tools.<\/p>\n\n\n\n

(53) Utilities are increasingly connected to digital networks in cities, for the purpose of improving urban transport networks, upgrading water supply and waste disposal facilities and increasing the efficiency of lighting and the heating of buildings. Those digitalised utilities are vulnerable to cyberattacks and run the risk, in the event of a successful cyberattack, of harming citizens at a large scale due to their interconnectedness. Member States should develop a policy that addresses the development of such connected or smart cities, and their potential effects on society, as part of their national cybersecurity strategy.<\/p>\n\n\n\n

(54) In recent years, the Union has faced an exponential increase in ransomware attacks, in which malware encrypts data and systems and demands a ransom payment for release. The increasing frequency and severity of ransomware attacks can be driven by several factors, such as different attack patterns, criminal business models around \u2018ransomware as a service\u2019 and cryptocurrencies, ransom demands, and the rise of supply chain attacks. Member States should develop a policy addressing the rise of ransomware attacks as part of their national cybersecurity strategy.<\/p>\n\n\n\n

(55) Public-private partnerships (PPPs) in the field of cybersecurity can provide an appropriate framework for knowledge exchange, the sharing of best practices and the establishment of a common level of understanding among stakeholders. Member States should promote policies underpinning the establishment of cybersecurity-specific PPPs.<\/p>\n\n\n\n

Those policies should clarify, inter alia, the scope and stakeholders involved, the governance model, the available funding options and the interaction among participating stakeholders with regard to PPPs. PPPs can leverage the expertise of private-sector entities to assist the competent authorities in developing state-of-the-art services and processes including information exchange, early warnings, cyber threat and incident exercises, crisis management and resilience planning.<\/p>\n\n\n\n

(56) Member States should, in their national cybersecurity strategies, address the specific cybersecurity needs of small and medium-sized enterprises. Small and medium-sized enterprises represent, across the Union, a large percentage of the industrial and business market and often struggle to adapt to new business practices in a more connected world and to the digital environment, with employees working from home and business increasingly being conducted online.<\/p>\n\n\n\n

Some small and medium-sized enterprises face specific cybersecurity challenges such as low cyber-awareness, a lack of remote IT security, the high cost of cybersecurity solutions and an increased level of threat, such as ransomware, for which they should receive guidance and assistance. Small and medium-sized enterprises are increasingly becoming the target of supply chain attacks due to their less rigorous cybersecurity risk-management measures and attack management, and the fact that they have limited security resources.<\/p>\n\n\n\n

Such supply chain attacks not only have an impact on small and medium-sized enterprises and their operations in isolation but can also have a cascading effect on larger attacks on entities to which they provided supplies. Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises to address the challenges faced in their supply chains.<\/p>\n\n\n\n

Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues. Member States are also encouraged to offer services such as website configuration and logging enabling to microenterprises and small enterprises that lack those capabilities.<\/p>\n\n\n\n

(57) As part of their national cybersecurity strategies, Member States should adopt policies on the promotion of active cyber protection as part of a wider defensive strategy. Rather than responding reactively, active cyber protection is the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner, combined with the use of capabilities deployed within and outside the victim network.<\/p>\n\n\n\n

This could include Member States offering free services or tools to certain entities, including self-service checks, detection tools and takedown services. The ability to rapidly and automatically share and understand threat information and analysis, cyber activity alerts, and response action is critical to enable a unity of effort in successfully preventing, detecting, addressing and blocking attacks against network and information systems. Active cyber protection is based on a defensive strategy that excludes offensive measures.<\/p>\n\n\n\n

(58) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying such vulnerabilities is an important factor in reducing risk. Entities that develop or administer network and information systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and disclosed by third parties, the manufacturer or provider of ICT products or ICT services should also put in place the necessary procedures to receive vulnerability information from third parties.<\/p>\n\n\n\n

In that regard, international standards ISO\/IEC 30111 and ISO\/IEC 29147 provide guidance on vulnerability handling and vulnerability disclosure. Strengthening the coordination between reporting natural and legal persons and manufacturers or providers of ICT products or ICT services is particularly important for the purpose of facilitating the voluntary framework of vulnerability disclosure.<\/p>\n\n\n\n

Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to the manufacturer or provider of the potentially vulnerable ICT products or ICT services in a manner allowing it to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also include coordination between the reporting natural or legal person and the manufacturer or provider of the potentially vulnerable ICT products or ICT services as regards the timing of remediation and publication of vulnerabilities.<\/p>\n\n\n\n

(59) The Commission, ENISA and the Member States should continue to foster alignments with international standards and existing industry best practices in the area of cybersecurity risk management, for example in the areas of supply chain security assessments, information sharing and vulnerability disclosure.<\/p>\n\n\n\n

(60) Member States, in cooperation with ENISA, should take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. As part of their national policy, Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.<\/p>\n\n\n\n

(61) Member States should designate one of their CSIRTs as a coordinator, acting as a trusted intermediary between the reporting natural or legal persons and the manufacturers or providers of ICT products or ICT services, which are likely to be affected by the vulnerability, where necessary.<\/p>\n\n\n\n

The tasks of the CSIRT designated as coordinator should include identifying and contacting the entities concerned, assisting the natural or legal persons reporting a vulnerability, negotiating disclosure timelines and managing vulnerabilities that affect multiple entities (multi-party coordinated vulnerability disclosure). Where the reported vulnerability could have significant impact on entities in more than one Member State, the CSIRTs designated as coordinators should cooperate within the CSIRTs network, where appropriate.<\/p>\n\n\n\n

(62) Access to correct and timely information about vulnerabilities affecting ICT products and ICT services contributes to an enhanced cybersecurity risk management. Sources of publicly available information about vulnerabilities are an important tool for the entities and for the users of their services, but also for the competent authorities and the CSIRTs. For that reason, ENISA should establish a European vulnerability database where entities, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems, as well as the competent authorities and the CSIRTs, can disclose and register, on a voluntary basis, publicly known vulnerabilities for the purpose of allowing users to take appropriate mitigating measures.<\/p>\n\n\n\n

The aim of that database is to address the unique challenges posed by risks to Union entities. Furthermore, ENISA should establish an appropriate procedure regarding the publication process in order to give entities the time to take mitigating measures as regards their vulnerabilities and employ state-of-the-art cybersecurity risk-management measures as well as machine-readable datasets and corresponding interfaces. To encourage a culture of disclosure of vulnerabilities, disclosure should have no detrimental effects on the reporting natural or legal person.<\/p>\n\n\n\n

(63) Although similar vulnerability registries or databases exist, they are hosted and maintained by entities which are not established in the Union. A European vulnerability database maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is publicly disclosed, and resilience in the event of a disruption or an interruption of the provision of similar services.<\/p>\n\n\n\n

In order, to the extent possible, to avoid a duplication of efforts and to seek complementarity, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries or databases that fall under third-country jurisdiction. In particular, ENISA should explore the possibility of close cooperation with the operators of the Common Vulnerabilities and Exposures (CVE) system.<\/p>\n\n\n\n

(64) The Cooperation Group should support and facilitate strategic cooperation and the exchange of information, as well as strengthen trust and confidence among Member States. The Cooperation Group should establish a work programme every two years. The work programme should include the actions to be undertaken by the Cooperation Group to implement its objectives and tasks. The timeframe for the establishment of the first work programme under this Directive should be aligned with the timeframe of the last work programme established under Directive (EU) 2016\/1148 in order to avoid potential disruptions in the work of the Cooperation Group.<\/p>\n\n\n\n

(65) When developing guidance documents, the Cooperation Group should consistently map national solutions and experiences, assess the impact of Cooperation Group deliverables on national approaches, discuss implementation challenges and formulate specific recommendations, in particular as regards facilitating an alignment of the transposition of this Directive among Member States, to be addressed through a better implementation of existing rules. The Cooperation Group could also map the national solutions in order to promote compatibility of cybersecurity solutions applied to each specific sector across the Union. This is particularly relevant to sectors that have an international or cross-border nature.<\/p>\n\n\n\n

(66) The Cooperation Group should remain a flexible forum and be able to react to changing and new policy priorities and challenges while taking into account the availability of resources. It could organise regular joint meetings with relevant private stakeholders from across the Union to discuss activities carried out by the Cooperation Group and gather data and input on emerging policy challenges. Additionally, the Cooperation Group should carry out a regular assessment of the state of play of cyber threats or incidents, such as ransomware.<\/p>\n\n\n\n

In order to enhance cooperation at Union level, the Cooperation Group should consider inviting relevant Union institutions, bodies, offices and agencies involved in cybersecurity policy, such as the European Parliament, Europol, the European Data Protection Board, the European Union Aviation Safety Agency, established by Regulation (EU) 2018\/1139, and the European Union Agency for the Space Programme, established by Regulation (EU) 2021\/696 of the European Parliament and of the Council (14), to participate in its work.<\/p>\n\n\n\n

(67) The competent authorities and the CSIRTs should be able to participate in exchange schemes for officials from other Member States, within a specific framework and, where applicable, subject to the required security clearance of officials participating in such exchange schemes, in order to improve cooperation and strengthen trust among Member States. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or the host CSIRT.<\/p>\n\n\n\n

(68) Member States should contribute to the establishment of the EU Cybersecurity Crisis Response Framework as set out in Commission Recommendation (EU) 2017\/1584 (15) through the existing cooperation networks, in particular the European cyber crisis liaison organisation network (EU-CyCLONe), the CSIRTs network and the Cooperation Group. EU-CyCLONe and the CSIRTs network should cooperate on the basis of procedural arrangements that specify the details of that cooperation and avoid any duplication of tasks.<\/p>\n\n\n\n

EU-CyCLONe\u2019s rules of procedure should further specify the arrangements through which that network should function, including the network\u2019s roles, means of cooperation, interactions with other relevant actors and templates for information sharing, as well as means of communication. For crisis management at Union level, relevant parties should rely on the EU Integrated Political Crisis Response arrangements under Council Implementing Decision (EU) 2018\/1993 (16) (IPCR arrangements). The Commission should use the ARGUS high-level cross-sectoral crisis coordination process for that purpose. If the crisis entails an important external or Common Security and Defence Policy dimension, the European External Action Service Crisis Response Mechanism should be activated.<\/p>\n\n\n\n

(69) In accordance with the Annex to Recommendation (EU) 2017\/1584, a large-scale cybersecurity incident should mean an incident which causes a level of disruption that exceeds a Member State\u2019s capacity to respond to it or which has a significant impact on at least two Member States. Depending on their cause and impact, large-scale cybersecurity incidents may escalate and turn into fully-fledged crises not allowing the proper functioning of the internal market or posing serious public security and safety risks for entities or citizens in several Member States or the Union as a whole.<\/p>\n\n\n\n

Given the wide-ranging scope and, in most cases, the cross-border nature of such incidents, Member States and the relevant Union institutions, bodies, offices and agencies should cooperate at technical, operational and political level to properly coordinate the response across the Union.<\/p>\n\n\n\n

(70) Large-scale cybersecurity incidents and crises at Union level require coordinated action to ensure a rapid and effective response because of the high degree of interdependence between sectors and Member States. The availability of cyber-resilient network and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union and for the protection of its citizens, businesses and institutions against incidents and cyber threats, as well as for enhancing the trust of individuals and organisations in the Union\u2019s ability to promote and protect a global, open, free, stable and secure cyberspace grounded in human rights, fundamental freedoms, democracy and the rule of law.<\/p>\n\n\n\n

(71) EU-CyCLONe should work as an intermediary between the technical and political level during large-scale cybersecurity incidents and crises and should enhance cooperation at operational level and support decision-making at political level. In cooperation with the Commission, having regard to the Commission\u2019s competence in the area of crisis management, EU-CyCLONe should build on the CSIRTs network findings and use its own capabilities to create impact analysis of large-scale cybersecurity incidents and crises.<\/p>\n\n\n\n

(72) Cyberattacks are of a cross-border nature, and a significant incident can disrupt and damage critical information infrastructures on which the smooth functioning of the internal market depends. Recommendation (EU) 2017\/1584 addresses the role of all relevant actors. Furthermore, the Commission is responsible, within the framework of the Union Civil Protection Mechanism, established by Decision No 1313\/2013\/EU of the European Parliament and of the Council, for general preparedness actions including managing the Emergency Response Coordination Centre and the Common Emergency Communication and Information System, maintaining and further developing situational awareness and analysis capability, and establishing and managing the capability to mobilise and dispatch expert teams in the event of a request for assistance from a Member State or third country.<\/p>\n\n\n\n

The Commission is also responsible for providing analytical reports for the IPCR arrangements under Implementing Decision (EU) 2018\/1993, including in relation to cybersecurity situational awareness and preparedness, as well as for situational awareness and crisis response in the areas of agriculture, adverse weather conditions, conflict mapping and forecasts, early warning systems for natural disasters, health emergencies, infectious disease surveillance, plant health, chemical incidents, food and feed safety, animal health, migration, customs, nuclear and radiological emergencies, and energy.<\/p>\n\n\n\n

(73) The Union can, where appropriate, conclude international agreements, in accordance with Article 218 TFEU, with third countries or international organisations, allowing and organising their participation in particular activities of the Cooperation Group, the CSIRTs network and EU-CyCLONe. Such agreements should ensure the Union\u2019s interests and the adequate protection of data. This should not preclude the right of Member States to cooperate with third countries on management of vulnerabilities and cybersecurity risk management, facilitating reporting and general information sharing in accordance with Union law.<\/p>\n\n\n\n

(74) In order to facilitate the effective implementation of this Directive with regard, inter alia, to the management of vulnerabilities, cybersecurity risk-management measures, reporting obligations and cybersecurity information-sharing arrangements, Member States can cooperate with third countries and undertake activities that are considered to be appropriate for that purpose, including information exchange on cyber threats, incidents, vulnerabilities, tools and methods, tactics, techniques and procedures, cybersecurity crisis management preparedness and exercises, training, trust building and structured information-sharing arrangements.<\/p>\n\n\n\n

(75) Peer reviews should be introduced to help learn from shared experiences, strengthen mutual trust and achieve a high common level of cybersecurity. Peer reviews can lead to valuable insights and recommendations strengthening the overall cybersecurity capabilities, creating another functional path for the sharing of best practices across Member States and contributing to enhance the Member States\u2019 levels of maturity in cybersecurity. Furthermore, peer reviews should take account of the results of similar mechanisms, such as the peer-review system of the CSIRTs network, and should add value and avoid duplication. The implementation of peer reviews should be without prejudice to Union or national law on the protection of confidential or classified information.<\/p>\n\n\n\n

(76) The Cooperation Group should establish a self-assessment methodology for Member States, aiming to cover factors such as the level of implementation of the cybersecurity risk-management measures and reporting obligations, the level of capabilities and the effectiveness of the exercise of the tasks of the competent authorities, the operational capabilities of the CSIRTs, the level of implementation of mutual assistance, the level of implementation of the cybersecurity information-sharing arrangements, or specific issues of cross-border or cross-sector nature. Member States should be encouraged to carry out self-assessments on a regular basis, and to present and discuss the results of their self-assessment within the Cooperation Group.<\/p>\n\n\n\n

(77) Responsibility for ensuring the security of network and information systems lies, to a great extent, with essential and important entities. A culture of risk management, involving risk assessments and the implementation of cybersecurity risk-management measures appropriate to the risks faced, should be promoted and developed.<\/p>\n\n\n\n

(78) Cybersecurity risk-management measures should take into account the degree of dependence of the essential or important entity on network and information systems and include measures to identify any risks of incidents, to prevent, detect, respond to and recover from incidents and to mitigate their impact. The security of network and information systems should include the security of stored, transmitted and processed data. Cybersecurity risk-management measures should provide for systemic analysis, taking into account the human factor, in order to have a complete picture of the security of the network and information system.<\/p>\n\n\n\n

(79) As threats to the security of network and information systems can have different origins, cybersecurity risk-management measures should be based on an all-hazards approach, which aims to protect network and information systems and the physical environment of those systems from events such as theft, fire, flood, telecommunication or power failures, or unauthorised physical access and damage to, and interference with, an essential or important entity\u2019s information and information processing facilities, which could compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.<\/p>\n\n\n\n

The cybersecurity risk-management measures should therefore also address the physical and environmental security of network and information systems by including measures to protect such systems from system failures, human error, malicious acts or natural phenomena, in line with European and international standards, such as those included in the ISO\/IEC 27000 series. In that regard, essential and important entities should, as part of their cybersecurity risk-management measures, also address human resources security and have in place appropriate access control policies. Those measures should be consistent with Directive (EU) 2022\/2557.<\/p>\n\n\n\n

(80) For the purpose of demonstrating compliance with cybersecurity risk-management measures and in the absence of appropriate European cybersecurity certification schemes adopted in accordance with Regulation (EU) 2019\/881 of the European Parliament and of the Council (18), Member States should, in consultation with the Cooperation Group and the European Cybersecurity Certification Group, promote the use of relevant European and international standards by essential and important entities or may require entities to use certified ICT products, ICT services and ICT processes.<\/p>\n\n\n\n


(81) In order to avoid imposing a disproportionate financial and administrative burden on essential and important entities, the cybersecurity risk-management measures should be proportionate to the risks posed to the network and information system concerned, taking into account the state-of-the-art of such measures, and, where applicable, relevant European and international standards, as well as the cost for their implementation.<\/p>\n\n\n\n

(82) Cybersecurity risk-management measures should be proportionate to the degree of the essential or important entity\u2019s exposure to risks and to the societal and economic impact that an incident would have. When establishing cybersecurity risk-management measures adapted to essential and important entities, due account should be taken of the divergent risk exposure of essential and important entities, such as the criticality of the entity, the risks, including societal risks, to which it is exposed, the entity\u2019s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.<\/p>\n\n\n\n

(83) Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities\u2019 internal IT staff or the security of which has been outsourced. The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.<\/p>\n\n\n\n

(84) Taking account of their cross-border nature, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers should be subject to a high degree of harmonisation at Union level. The implementation of cybersecurity risk-management measures with regard to those entities should therefore be facilitated by an implementing act.<\/p>\n\n\n\n

(85) Addressing risks stemming from an entity\u2019s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers and software editors, is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity\u2019s network and information systems by exploiting vulnerabilities affecting third-party products and services.<\/p>\n\n\n\n

Essential and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Essential and important entities should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entities could consider risks stemming from other levels of suppliers and service providers.<\/p>\n\n\n\n

(86) Among service providers, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have, however, also themselves been the target of cyberattacks and, because of their close integration in the operations of entities, pose a particular risk. Essential and important entities should therefore exercise increased diligence in selecting a managed security service provider.<\/p>\n\n\n\n

(87) The competent authorities, in the context of their supervisory tasks, may also benefit from cybersecurity services such as security audits, penetration testing or incident responses.<\/p>\n\n\n\n

(88) Essential and important entities should also address risks stemming from their interactions and relationships with other stakeholders within a broader ecosystem, including with regard to countering industrial espionage and protecting trade secrets.<\/p>\n\n\n\n

In particular, those entities should take appropriate measures to ensure that their cooperation with academic and research institutions takes place in line with their cybersecurity policies and follows good practices as regards secure access and dissemination of information in general and the protection of intellectual property in particular. Similarly, given the importance and value of data for the activities of essential and important entities, when relying on data transformation and data analytics services from third parties, those entities should take all appropriate cybersecurity risk-management measures.<\/p>\n\n\n\n

(89) Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats, phishing or social engineering techniques. Furthermore, those entities should evaluate their own cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.<\/p>\n\n\n\n

(90) To further address key supply chain risks and assist essential and important entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related risks, the Cooperation Group, in cooperation with the Commission and ENISA, and where appropriate after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains, as carried out for 5G networks following Commission Recommendation (EU) 2019\/534, with the aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities.<\/p>\n\n\n\n

Such coordinated security risk assessments should identify measures, mitigation plans and best practices to counter critical dependencies, potential single points of failure, threats, vulnerabilities and other risks associated with the supply chain and should explore ways to further encourage their wider adoption by essential and important entities. Potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities or backdoors and potential systemic supply disruptions, in particular in the case of technological lock-in or provider dependency.<\/p>\n\n\n\n

(91) The coordinated security risk assessments of critical supply chains, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019\/534, in the EU coordinated risk assessment of the cybersecurity of 5G networks and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group.<\/p>\n\n\n\n

To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account:<\/p>\n\n\n\n

(i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products;<\/p>\n\n\n\n

(ii) the relevance of specific critical ICT services, ICT systems or ICT products for performing critical or sensitive functions, including the processing of personal data;<\/p>\n\n\n\n

(iii) the availability of alternative ICT services, ICT systems or ICT products;<\/p>\n\n\n\n

(iv) the resilience of the overall supply chain of ICT services, ICT systems or ICT products throughout their lifecycle against disruptive events; and<\/p>\n\n\n\n

(v) for emerging ICT services, ICT systems or ICT products, their potential future significance for the entities\u2019 activities.<\/p>\n\n\n\n

Furthermore, particular emphasis should be placed on ICT services, ICT systems or ICT products that are subject to specific requirements stemming from third countries.<\/p>\n\n\n\n

(92) In order to streamline the obligations imposed on providers of public electronic communications networks or of publicly available electronic communications services, and trust service providers, related to the security of their network and information systems, as well as to enable those entities and the competent authorities under Directive (EU) 2018\/1972 of the European Parliament and of the Council and Regulation (EU) No 910\/2014 respectively to benefit from the legal framework established by this Directive, including the designation of a CSIRT responsible for incident handling, the participation of the competent authorities concerned in the activities of the Cooperation Group and the CSIRTs network, those entities should fall within the scope of this Directive.<\/p>\n\n\n\n

The corresponding provisions laid down in Regulation (EU) No 910\/2014 and Directive (EU) 2018\/1972 related to the imposition of security and notification requirements on those types of entity should therefore be deleted. The rules on reporting obligations laid down in this Directive should be without prejudice to Regulation (EU) 2016\/679 and Directive 2002\/58\/EC.<\/p>\n\n\n\n

(93) The cybersecurity obligations laid down in this Directive should be considered to be complementary to the requirements imposed on trust service providers under Regulation (EU) No 910\/2014. Trust service providers should be required to take all appropriate and proportionate measures to manage the risks posed to their services, including in relation to customers and relying third parties, and to report incidents under this Directive. Such cybersecurity and reporting obligations should also concern the physical protection of the services provided. The requirements for qualified trust service providers laid down in Article 24 of Regulation (EU) No 910\/2014 continue to apply.<\/p>\n\n\n\n

(94) Member States can assign the role of the competent authorities for trust services to the supervisory bodies under Regulation (EU) No 910\/2014 in order to ensure the continuation of current practices and to build on the knowledge and experience gained in the application of that Regulation. In such a case, the competent authorities under this Directive should cooperate closely and in a timely manner with those supervisory bodies by exchanging relevant information in order to ensure effective supervision and compliance of trust service providers with the requirements laid down in this Directive and in Regulation (EU) No 910\/2014.<\/p>\n\n\n\n

Where applicable, the CSIRT or the competent authority under this Directive should immediately inform the supervisory body under Regulation (EU) No 910\/2014 about any notified significant cyber threat or incident affecting trust services as well as about any infringements by a trust service provider of this Directive. For the purpose of reporting, Member States can, where applicable, use the single entry point established to achieve a common and automatic incident reporting to both the supervisory body under Regulation (EU) No 910\/2014 and the CSIRT or the competent authority under this Directive.<\/p>\n\n\n\n

(95) Where appropriate and in order to avoid unnecessary disruption, existing national guidelines adopted for the transposition of the rules related to security measures laid down in Articles 40 and 41 of Directive (EU) 2018\/1972 should be taken into account in the transposition of this Directive, thereby building on the knowledge and skills already acquired under Directive (EU) 2018\/1972 concerning security measures and incident notifications.<\/p>\n\n\n\n

ENISA can also develop guidance on security requirements and on reporting obligations for providers of public electronic communications networks or of publicly available electronic communications services to facilitate harmonisation and transition and to minimise disruption. Member States can assign the role of the competent authorities for electronic communications to the national regulatory authorities under Directive (EU) 2018\/1972 in order to ensure the continuation of current practices and to build on the knowledge and experience gained as a result of the implementation of that Directive.<\/p>\n\n\n\n

(96) Given the growing importance of number-independent interpersonal communications services as defined in Directive (EU) 2018\/1972, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. As the attack surface continues to expand, number-independent interpersonal communications services, such as messaging services, are becoming widespread attack vectors.<\/p>\n\n\n\n

Malicious perpetrators use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and, by extension, the security of network and information systems. Providers of number-independent interpersonal communications services should ensure a level of security of network and information systems appropriate to the risks posed.<\/p>\n\n\n\n

Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risks posed to such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services as defined in Directive (EU) 2018\/1972 which make use of numbers and which do not exercise actual control over signal transmission.<\/p>\n\n\n\n

(97) The internal market is more reliant on the functioning of the internet than ever. The services of almost all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that all providers of public electronic communications networks have appropriate cybersecurity risk-management measures in place and report significant incidents in relation thereto.<\/p>\n\n\n\n

Member States should ensure that the security of the public electronic communications networks is maintained and that their vital security interests are protected from sabotage and espionage. Since international connectivity enhances and accelerates the competitive digitalisation of the Union and its economy, incidents affecting undersea communications cables should be reported to the CSIRT or, where applicable, the competent authority. The national cybersecurity strategy should, where relevant, take into account the cybersecurity of undersea communications cables and include a mapping of potential cybersecurity risks and mitigation measures to secure the highest level of their protection.<\/p>\n\n\n\n

(98) In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive.<\/p>\n\n\n\n

The use of end-to-end encryption should be reconciled with the Member States\u2019 powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications.<\/p>\n\n\n\n

(99) In order to safeguard the security, and to prevent abuse and manipulation, of public electronic communications networks and of publicly available electronic communications services, the use of secure routing standards should be promoted to ensure the integrity and robustness of routing functions across the ecosystem of internet access service providers.<\/p>\n\n\n\n

(100) In order to safeguard the functionality and integrity of the internet and to promote the security and resilience of the DNS, relevant stakeholders including Union private-sector entities, providers of publicly available electronic communications services, in particular internet access service providers, and providers of online search engines should be encouraged to adopt a DNS resolution diversification strategy. Furthermore, Member States should encourage the development and use of a public and secure European DNS resolver service.<\/p>\n\n\n\n

(101) This Directive lays down a multiple-stage approach to the reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows essential and important entities to seek assistance, and, on the other, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual entities and entire sectors.<\/p>\n\n\n\n

In that regard, this Directive should include the reporting of incidents that, based on an initial assessment carried out by the entity concerned, could cause severe operational disruption of the services or financial loss for that entity or affect other natural or legal persons by causing considerable material or non-material damage.<\/p>\n\n\n\n

Such initial assessment should take into account, inter alia, the affected network and information systems, in particular their importance in the provision of the entity\u2019s services, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the entity\u2019s experience with similar incidents. Indicators such as the extent to which the functioning of the service is affected, the duration of an incident or the number of affected recipients of services could play an important role in identifying whether the operational disruption of the service is severe.<\/p>\n\n\n\n

(102) Where essential or important entities become aware of a significant incident, they should be required to submit an early warning without undue delay and in any event within 24 hours. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident, with the aim, in particular, of updating information submitted through the early warning and indicating an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, where available.<\/p>\n\n\n\n

A final report should be submitted not later than one month after the incident notification. The early warning should only include the information necessary to make the CSIRT, or where applicable the competent authority, aware of the significant incident and allow the entity concerned to seek assistance, if required. Such early warning, where applicable, should indicate whether the significant incident is suspected of being caused by unlawful or malicious acts, and whether it is likely to have a cross-border impact.<\/p>\n\n\n\n

Member States should ensure that the obligation to submit that early warning, or the subsequent incident notification, does not divert the notifying entity\u2019s resources from activities related to incident handling that should be prioritised, in order to prevent incident reporting obligations from either diverting resources from significant incident response handling or otherwise compromising the entity\u2019s efforts in that respect. In the event of an ongoing incident at the time of the submission of the final report, Member States should ensure that entities concerned provide a progress report at that time, and a final report within one month of their handling of the significant incident.<\/p>\n\n\n\n

(103) Where applicable, essential and important entities should communicate, without undue delay, to their service recipients any measures or remedies that they can take to mitigate the resulting risks from a significant cyber threat. Those entities should, where appropriate and in particular where the significant cyber threat is likely to materialise, also inform their service recipients of the threat itself.<\/p>\n\n\n\n

The requirement to inform those recipients of significant cyber threats should be met on a best efforts basis but should not discharge those entities from the obligation to take, at their own expense, appropriate and immediate measures to prevent or remedy any such threats and restore the normal security level of the service. The provision of such information about significant cyber threats to the service recipients should be free of charge and drafted in easily comprehensible language.<\/p>\n\n\n\n

(104) Providers of public electronic communications networks or of publicly available electronic communications services should implement security by design and by default, and inform their service recipients of significant cyber threats and of measures they can take to protect the security of their devices and communications, for example by using specific types of software or encryption technologies.<\/p>\n\n\n\n

(105) A proactive approach to cyber threats is a vital component of cybersecurity risk management that should enable the competent authorities to effectively prevent cyber threats from materialising into incidents that may cause considerable material or non-material damage. For that purpose, the notification of cyber threats is of key importance. To that end, entities are encouraged to report on a voluntary basis cyber threats.<\/p>\n\n\n\n

(106) In order to simplify the reporting of information required under this Directive as well as to decrease the administrative burden for entities, Member States should provide technical means such as a single entry point, automated systems, online forms, user-friendly interfaces, templates, dedicated platforms for the use of entities, regardless of whether they fall within the scope of this Directive, for the submission of the relevant information to be reported.<\/p>\n\n\n\n

Union funding supporting the implementation of this Directive, in particular within the Digital Europe programme, established by Regulation (EU) 2021\/694 of the European Parliament and of the Council (21), could include support for single entry points. Furthermore, entities are often in a situation where a particular incident, because of its features, needs to be reported to various authorities as a result of notification obligations included in various legal instruments. Such cases create additional administrative burden and could also lead to uncertainties with regard to the format and procedures of such notifications.<\/p>\n\n\n\n

Where a single entry point is established, Member States are encouraged also to use that single entry point for notifications of security incidents required under other Union law, such as Regulation (EU) 2016\/679 and Directive 2002\/58\/EC. The use of such single entry point for reporting of security incidents under Regulation (EU) 2016\/679 and Directive 2002\/58\/EC should not affect the application of the provisions of Regulation (EU) 2016\/679 and Directive 2002\/58\/EC, in particular those relating to the independence of the authorities referred to therein. ENISA, in cooperation with the Cooperation Group, should develop common notification templates by means of guidelines to simplify and streamline the information to be reported under Union law and decrease the administrative burden on notifying entities.<\/p>\n\n\n\n

(107) Where it is suspected that an incident is related to serious criminal activities under Union or national law, Member States should encourage essential and important entities, on the basis of applicable criminal proceedings rules in accordance with Union law, to report incidents of a suspected serious criminal nature to the relevant law enforcement authorities. Where appropriate, and without prejudice to the personal data protection rules applying to Europol, it is desirable that coordination between the competent authorities and the law enforcement authorities of different Member States be facilitated by the European Cybercrime Centre (EC3) and ENISA.<\/p>\n\n\n\n

(108) Personal data are in many cases compromised as a result of incidents. In that context, the competent authorities should cooperate and exchange information about all relevant matters with the authorities referred to in Regulation (EU) 2016\/679 and Directive 2002\/58\/EC.<\/p>\n\n\n\n

(109) Maintaining accurate and complete databases of domain name registration data (WHOIS data) and providing lawful access to such data is essential to ensure the security, stability and resilience of the DNS, which in turn contributes to a high common level of cybersecurity across the Union. For that specific purpose, TLD name registries and entities providing domain name registration services should be required to process certain data necessary to achieve that purpose.<\/p>\n\n\n\n

Such processing should constitute a legal obligation within the meaning of Article 6(1), point (c), of Regulation (EU) 2016\/679. That obligation is without prejudice to the possibility to collect domain name registration data for other purposes, for example on the basis of contractual arrangements or legal requirements established in other Union or national law. That obligation aims to achieve a complete and accurate set of registration data and should not result in collecting the same data multiple times. The TLD name registries and the entities providing domain name registration services should cooperate with each other in order to avoid the duplication of that task.<\/p>\n\n\n\n

(110) The availability and timely accessibility of domain name registration data to legitimate access seekers is essential for the prevention and combating of DNS abuse, and for the prevention and detection of and response to incidents. Legitimate access seekers are to be understood as any natural or legal person making a request pursuant to Union or national law.<\/p>\n\n\n\n

They can include authorities that are competent under this Directive and those that are competent under Union or national law for the prevention, investigation, detection or prosecution of criminal offences, and CERTs or CSIRTs. TLD name registries and entities providing domain name registration services should be required to enable lawful access to specific domain name registration data, which are necessary for the purposes of the access request, to legitimate access seekers in accordance with Union and national law. The request of legitimate access seekers should be accompanied by a statement of reasons permitting the assessment of the necessity of access to the data.<\/p>\n\n\n\n

(111) In order to ensure the availability of accurate and complete domain name registration data, TLD name registries and entities providing domain name registration services should collect and guarantee the integrity and availability of domain name registration data. In particular, TLD name registries and entities providing domain name registration services should establish policies and procedures to collect and maintain accurate and complete domain name registration data, as well as to prevent and correct inaccurate registration data, in accordance with Union data protection law.<\/p>\n\n\n\n

Those policies and procedures should take into account, to the extent possible, the standards developed by the multi-stakeholder governance structures at international level. The TLD name registries and the entities providing domain name registration services should adopt and implement proportionate procedures to verify domain name registration data.<\/p>\n\n\n\n

Those procedures should reflect the best practices used within the industry and, to the extent possible, the progress made in the field of electronic identification. Examples of verification procedures may include ex ante controls carried out at the time of the registration and ex post controls carried out after the registration. The TLD name registries and the entities providing domain name registration services should, in particular, verify at least one means of contact of the registrant.<\/p>\n\n\n\n

(112) TLD name registries and entities providing domain name registration services should be required to make publicly available domain name registration data that fall outside the scope of Union data protection law, such as data that concern legal persons, in line with the preamble of Regulation (EU) 2016\/679. For legal persons, the TLD name registries and the entities providing domain name registration services should make publicly available at least the name of the registrant and the contact telephone number.<\/p>\n\n\n\n

The contact email address should also be published, provided that it does not contain any personal data, such as in the case of email aliases or functional accounts. TLD name registries and entities providing domain name registration services should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should require TLD name registries and entities providing domain name registration services to respond without undue delay to requests for the disclosure of domain name registration data from legitimate access seekers.<\/p>\n\n\n\n

TLD name registries and entities providing domain name registration services should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. Those policies and procedures should take into account, to the extent possible, any guidance and the standards developed by the multi-stakeholder governance structures at international level. The access procedure could include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data.<\/p>\n\n\n\n

With a view to promoting harmonised practices across the internal market, the Commission can, without prejudice to the competences of the European Data Protection Board, provide guidelines with regard to such procedures, which take into account, to the extent possible, the standards developed by the multi-stakeholder governance structures at international level. Member States should ensure that all types of access to personal and non-personal domain name registration data are free of charge.<\/p>\n\n\n\n

(113) Entities falling within the scope of this Directive should be considered to fall under the jurisdiction of the Member State in which they are established. However, providers of public electronic communications networks or providers of publicly available electronic communications services should be considered to fall under the jurisdiction of the Member State in which they provide their services.<\/p>\n\n\n\n

DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms should be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union.<\/p>\n\n\n\n

Public administration entities should fall under the jurisdiction of the Member State which established them. If the entity provides services or is established in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of those Member States. The competent authorities of those Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions. Where Member States exercise jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct, in line with the principle of ne bis in idem.<\/p>\n\n\n\n

(114) In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, only one Member State should have jurisdiction over those entities. Jurisdiction should be attributed to the Member State in which the entity concerned has its main establishment in the Union.<\/p>\n\n\n\n

The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether that criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment.<\/p>\n\n\n\n

The main establishment should be considered to be in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken in the Union. This will typically correspond to the place of the entities\u2019 central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment should be considered to be in the Member State where cybersecurity operations are carried out.<\/p>\n\n\n\n

If such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity has the establishment with the highest number of employees in the Union. Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.<\/p>\n\n\n\n

(115) Where a publicly available recursive DNS service is provided by a provider of public electronic communications networks or of publicly available electronic communications services only as a part of the internet access service, the entity should be considered to fall under the jurisdiction of all the Member States where its services are provided.<\/p>\n\n\n\n

(116) Where a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider or a provider of an online marketplace, of an online search engine or of a social networking services platform, which is not established in the Union, offers services within the Union, it should designate a representative in the Union.

In order to determine whether such an entity is offering services within the Union, it should be ascertained whether the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity's or an intermediary's website or of an email address or other contact details, or the use of a language generally used in the third country where the entity is established, should be considered to be insufficient to ascertain such an intention.

However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of customers or users who are in the Union, could make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for the competent authorities or the CSIRTs to address the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter's behalf with regard to the latter's obligations laid down in this Directive, including incident reporting.

(117) In order to ensure a clear overview of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, which provide services across the Union that fall within the scope of this Directive, ENISA should create and maintain a registry of such entities, based on the information received by Member States, where applicable through national mechanisms established for entities to register themselves.

The single points of contact should forward to ENISA the information and any changes thereto. With a view to ensuring the accuracy and completeness of the information that is to be included in that registry, Member States can submit to ENISA the information available in any national registries on those entities. ENISA and the Member States should take measures to facilitate the interoperability of such registries, while ensuring protection of confidential or classified information. ENISA should establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information and restrict the access, storage, and transmission of such information to intended users.

(118) Where information which is classified in accordance with Union or national law is exchanged, reported or otherwise shared under this Directive, the corresponding rules on the handling of classified information should be applied. In addition, ENISA should have the infrastructure, procedures and rules in place to handle sensitive and classified information in accordance with the applicable security rules for protecting EU classified information.

(119) With cyber threats becoming more complex and sophisticated, good detection of such threats and their prevention measures depend to a large extent on regular threat and vulnerability intelligence sharing between entities. Information sharing contributes to an increased awareness of cyber threats, which, in turn, enhances entities' capacity to prevent such threats from materialising into incidents and enables entities to better contain the effects of incidents and recover more efficiently. In the absence of guidance at Union level, various factors seem to have inhibited such intelligence sharing, in particular uncertainty over the compatibility with competition and liability rules.

(120) Entities should be encouraged and assisted by Member States to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels with a view to enhancing their capabilities to adequately prevent, detect, respond to or recover from incidents or to mitigate their impact. It is thus necessary to enable the emergence at Union level of voluntary cybersecurity information-sharing arrangements.

To that end, Member States should actively assist and encourage entities, such as those providing cybersecurity services and research, as well as relevant entities not falling within the scope of this Directive, to participate in such cybersecurity information-sharing arrangements. Those arrangements should be established in accordance with the Union competition rules and Union data protection law.



(121) The processing of personal data, to the extent necessary and proportionate for the purpose of ensuring security of network and information systems by essential and important entities, could be considered to be lawful on the basis that such processing complies with a legal obligation to which the controller is subject, in accordance with the requirements of Article 6(1), point (c), and Article 6(3) of Regulation (EU) 2016/679.

Processing of personal data could also be necessary for legitimate interests pursued by essential and important entities, as well as providers of security technologies and services acting on behalf of those entities, pursuant to Article 6(1), point (f), of Regulation (EU) 2016/679, including where such processing is necessary for cybersecurity information-sharing arrangements or the voluntary notification of relevant information in accordance with this Directive.

Measures related to the prevention, detection, identification, containment, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated vulnerability disclosure, the voluntary exchange of information about those incidents, and cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools could require the processing of certain categories of personal data, such as IP addresses, uniform resource locators (URLs), domain names, email addresses and, where they reveal personal data, time stamps.

Processing of personal data by the competent authorities, the single points of contact and the CSIRTs, could constitute a legal obligation or be considered to be necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller pursuant to Article 6(1), point (c) or (e), and Article 6(3) of Regulation (EU) 2016/679, or for pursuing a legitimate interest of the essential and important entities, as referred to in Article 6(1), point (f), of that Regulation.

Furthermore, national law could lay down rules allowing the competent authorities, the single points of contact and the CSIRTs, to the extent that is necessary and proportionate for the purpose of ensuring the security of network and information systems of essential and important entities, to process special categories of personal data in accordance with Article 9 of Regulation (EU) 2016/679, in particular by providing for suitable and specific measures to safeguard the fundamental rights and interests of natural persons, including technical limitations on the re-use of such data and the use of state-of-the-art security and privacy-preserving measures, such as pseudonymisation, or encryption where anonymisation may significantly affect the purpose pursued.
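The pseudonymisation safeguard that recital (121) names, applied to the data categories it lists (IP addresses, URLs, domain names, email addresses and time stamps) in an indicator record exchanged under an information-sharing arrangement. This is an added example, not text of the Directive and not code from this site: the record layout, the field names, the sample values and the secret key are constructed for illustration. It assumes the sharing arrangement has a trusted party that distributes one secret key to the partners, so that the same raw indicator maps to the same token everywhere (partners can still match indicators) while a recipient without the key cannot recover the original value. A keyed function is used rather than a plain hash because the IPv4 space has only 2**32 values, so an unkeyed digest of an address is reversible by enumeration.

```python
"""Keyed pseudonymisation of personal-data fields in a shared indicator record.

Added example: the record layout, field names, sample values and key are
constructed for illustration and are not part of the Directive.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Fields that recital (121) lists as potentially revealing personal data.
PSEUDONYMISED_FIELDS = ("src_ip", "domain", "url", "email")


def normalise(field: str, value: str) -> str:
    """Canonicalise a value so every partner derives the same token from it."""
    if field == "src_ip":
        # Collapses e.g. "2001:db8:0:0:0:0:0:1" to "2001:db8::1"; rejects garbage.
        return str(ipaddress.ip_address(value.strip()))
    if field in ("domain", "email"):
        return value.strip().lower().rstrip(".")
    if field == "url":
        parts = urlsplit(value.strip())
        return parts._replace(scheme=parts.scheme.lower(),
                              netloc=parts.netloc.lower()).geturl()
    return value


def pseudonymise(value: str, key: bytes, field: str) -> str:
    """HMAC-SHA256 token of a field value under the arrangement's secret key.

    The field name is mixed into the message so an IP and a domain that happen
    to share the same text never collide to the same token. 128 bits of the
    digest are kept, which is ample for matching and has no practical collisions.
    """
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def coarsen_timestamp(ts: str) -> str:
    """Truncate an ISO-8601 timestamp to the hour, in UTC (data minimisation)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of an indicator record that is safe to share under the key.

    Identifier fields become keyed tokens, the timestamp is coarsened, and
    everything else (TTP identifiers, malware family, free-text context) is
    passed through unchanged because it carries no personal data.
    """
    out = {}
    for field, value in record.items():
        if field in PSEUDONYMISED_FIELDS and value is not None:
            out[field] = pseudonymise(normalise(field, value), key, field)
        elif field == "timestamp" and value is not None:
            out[field] = coarsen_timestamp(value)
        else:
            out[field] = value
    return out


def matches(record_a: dict, record_b: dict, field: str) -> bool:
    """Two pseudonymised records refer to the same indicator iff the tokens agree."""
    token = record_a.get(field)
    return token is not None and token == record_b.get(field)


if __name__ == "__main__":
    # Constructed sample: two partners report the same attacker infrastructure
    # in slightly different notation; both derive identical tokens.
    key = b"constructed-example-key-distributed-by-the-arrangement"
    a = pseudonymise_record({"src_ip": "2001:db8:0:0:0:0:0:1",
                             "domain": "Evil.Example.",
                             "timestamp": "2024-05-01T13:47:12Z",
                             "ttp": "T1566"}, key)
    b = pseudonymise_record({"src_ip": "2001:db8::1",
                             "domain": "evil.example",
                             "timestamp": "2024-05-01T13:02:00Z",
                             "ttp": "T1566"}, key)
    print(a)
    print("same source:", matches(a, b, "src_ip"), "same domain:", matches(a, b, "domain"))
```

Rotating the key rotates every token, which is how an arrangement limits the re-use of old data that recital (121) refers to; a partner that must re-identify an indicator (for example to act on its own network) keeps the raw value locally and only ever sends the token.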

(122) In order to strengthen the supervisory powers and measures that help ensure effective compliance, this Directive should provide for a minimum list of supervisory measures and means through which the competent authorities can supervise essential and important entities. In addition, this Directive should establish a differentiation of supervisory regime between essential and important entities with a view to ensuring a fair balance of obligations on those entities and on the competent authorities.

Therefore, essential entities should be subject to a comprehensive ex ante and ex post supervisory regime, while important entities should be subject to a light, ex post only, supervisory regime. Important entities should therefore not be required to systematically document compliance with cybersecurity risk-management measures, while the competent authorities should implement a reactive ex post approach to supervision and, hence, not have a general obligation to supervise those entities.

The ex post supervision of important entities may be triggered by evidence, indication or information brought to the attention of the competent authorities considered by those authorities to suggest potential infringements of this Directive. For example, such evidence, indication or information could be of the type provided to the competent authorities by other authorities, entities, citizens, media or other sources or publicly available information, or could emerge from other activities conducted by the competent authorities in the fulfilment of their tasks.

(123) The execution of supervisory tasks by the competent authorities should not unnecessarily hamper the business activities of the entity concerned. Where the competent authorities execute their supervisory tasks in relation to essential entities, including the conduct of on-site inspections and off-site supervision, the investigation of infringements of this Directive and the conduct of security audits or security scans, they should minimise the impact on the business activities of the entity concerned.

(124) In the exercise of ex ante supervision, the competent authorities should be able to decide on the prioritisation of the use of supervisory measures and means at their disposal in a proportionate manner. This entails that the competent authorities can decide on such prioritisation based on supervisory methodologies which should follow a risk-based approach.

More specifically, such methodologies could include criteria or benchmarks for the classification of essential entities into risk categories and corresponding supervisory measures and means recommended per risk category, such as the use, frequency or types of on-site inspections, targeted security audits or security scans, the type of information to be requested and the level of detail of that information. Such supervisory methodologies could also be accompanied by work programmes and be assessed and reviewed on a regular basis, including on aspects such as resource allocation and needs. In relation to public administration entities, the supervisory powers should be exercised in line with the national legislative and institutional frameworks.

(125) The competent authorities should ensure that their supervisory tasks in relation to essential and important entities are carried out by trained professionals, who should have the skills necessary to carry out those tasks, in particular with regard to the conduct of on-site inspections and off-site supervision, including the identification of weaknesses in databases, hardware, firewalls, encryption and networks. Those inspections and that supervision should be carried out in an objective manner.

(126) In duly justified cases where it is aware of a significant cyber threat or an imminent risk, the competent authority should be able to take immediate enforcement decisions with the aim of preventing or responding to an incident.

(127) In order for enforcement to be effective, a minimum list of enforcement powers that can be exercised for breaches of the cybersecurity risk-management measures and reporting obligations provided for in this Directive should be laid down, establishing a clear and consistent framework for such enforcement across the Union. Due regard should be given to the nature, gravity and duration of the infringement of this Directive, the material or non-material damage caused, whether the infringement was intentional or negligent, the actions taken to prevent or mitigate the material or non-material damage, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor.

Enforcement measures, including administrative fines, should be proportionate and their imposition should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union (the 'Charter'), including the right to an effective remedy and to a fair trial, the presumption of innocence and the rights of the defence.

(128) This Directive does not require Member States to provide for criminal or civil liability with regard to natural persons responsible for ensuring that an entity complies with this Directive for damage suffered by third parties as a result of an infringement of this Directive.

(129) In order to ensure effective enforcement of the obligations laid down in this Directive, each competent authority should have the power to impose or request the imposition of administrative fines.

(130) Where an administrative fine is imposed on an essential or important entity that is an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where an administrative fine is imposed on a person that is not an undertaking, the competent authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine does not affect the application of other powers by the competent authorities or of other penalties laid down in the national rules transposing this Directive.
