Article 32, Supervisory and enforcement measures in relation to essential entities

Directive (EU) 2022/2555 (NIS2 Directive)
Source: https://nis2resources.eu/directive-2022-2555-nis2/article-32/ (published 2024-01-29, last modified 2024-08-09)
1. Member States shall ensure that the supervisory or enforcement measures imposed on essential entities in respect of the obligations laid down in this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.

2. Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to essential entities, have the power to subject those entities at least to:

(a) on-site inspections and off-site supervision, including random checks conducted by trained professionals;

(b) regular and targeted security audits carried out by an independent body or a competent authority;

(c) ad hoc audits, including where justified on the ground of a significant incident or an infringement of this Directive by the essential entity;

(d) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned;

(e) requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27;

(f) requests to access data, documents and information necessary to carry out their supervisory tasks;

(g) requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence.

The targeted security audits referred to in the first subparagraph, point (b), shall be based on risk assessments conducted by the competent authority or the audited entity, or on other risk-related available information.

The results of any targeted security audit shall be made available to the competent authority. The costs of such targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly substantiated cases when the competent authority decides otherwise.

3. When exercising their powers under paragraph 2, point (e), (f) or (g), the competent authorities shall state the purpose of the request and specify the information requested.

4. Member States shall ensure that their competent authorities, when exercising their enforcement powers in relation to essential entities, have the power at least to:

(a) issue warnings about infringements of this Directive by the entities concerned;

(b) adopt binding instructions, including with regard to measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation, or an order requiring the entities concerned to remedy the deficiencies identified or the infringements of this Directive;

(c) order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct;

(d) order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period;

(e) order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat;

(f) order the entities concerned to implement the recommendations provided as a result of a security audit within a reasonable deadline;

(g) designate a monitoring officer with well-defined tasks for a determined period of time to oversee the compliance of the entities concerned with Articles 21 and 23;

(h) order the entities concerned to make public aspects of infringements of this Directive in a specified manner;

(i) impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (h) of this paragraph.

5. Where enforcement measures adopted pursuant to paragraph 4, points (a) to (d) and (f), are ineffective, Member States shall ensure that their competent authorities have the power to establish a deadline by which the essential entity is requested to take the necessary action to remedy the deficiencies or to comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States shall ensure that their competent authorities have the power to:

(a) suspend temporarily, or request a certification or authorisation body, or a court or tribunal, in accordance with national law, to suspend temporarily a certification or authorisation concerning part or all of the relevant services provided or activities carried out by the essential entity;