Article 2 – Definitions

For the purposes of this Regulation, the following definitions apply:

  1. ‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;
  2. ‘network and information system’ means a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;
  3. ‘national strategy on the security of network and information systems’ means a national strategy on the security of network and information systems as defined in point (3) of Article 4 of Directive (EU) 2016/1148;
  4. ‘operator of essential services’ means an operator of essential services as defined in point (4) of Article 4 of Directive (EU) 2016/1148;
  5. ‘digital service provider’ means a digital service provider as defined in point (6) of Article 4 of Directive (EU) 2016/1148;
  6. ‘incident’ means an incident as defined in point (7) of Article 4 of Directive (EU) 2016/1148;
  7. ‘incident handling’ means incident handling as defined in point (8) of Article 4 of Directive (EU) 2016/1148;
  8. ‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;
  9. ‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes;
  10. ‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services and ICT processes falling under the scope of the specific scheme;
  11. ‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product, ICT service or ICT process has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;
  12. ‘ICT product’ means an element or a group of elements of a network or information system;
  13. ‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;
  14. ‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;
  15. ‘accreditation’ means accreditation as defined in point (10) of Article 2 of Regulation (EC) No 765/2008;
  16. ‘national accreditation body’ means a national accreditation body as defined in point (11) of Article 2 of Regulation (EC) No 765/2008;
  17. ‘conformity assessment’ means a conformity assessment as defined in point (12) of Article 2 of Regulation (EC) No 765/2008;
  18. ‘conformity assessment body’ means a conformity assessment body as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;
  19. ‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;
  20. ‘technical specification’ means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service or ICT process;
  21. ‘assurance level’ means a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned;
  22. ‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme.