Diario Oficial de la Unión Europea del 18/9/2023 - Comunicaciones e Informaciones
Versión en texto ¿Qué es?Dateas es un sitio independiente no afiliado a entidades gubernamentales. La fuente de los documentos PDF aquí publicados es la entidad gubernamental indicada en cada uno de ellos. Las versiones en texto son transcripciones no oficiales que realizamos para facilitar el acceso y la búsqueda de información, pero pueden contener errores o no estar completas.
Fuente: Diario Oficial de la Unión Europea - Comunicaciones e Informaciones
C 328/2
EN
Official Journal of the European Union
18.9.2023
COMMUNICATION FROM THE COMMISSION
Commission Guidelines on the application of Article 4 1 and 2 of Directive EU 2022/2555 NIS 2
Directive 2023/C 328/02
I. INTRODUCTION
1.
Pursuant to Article 43 of Directive EU 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union NIS 2 Directive, 1
the Commission shall, by 17 July 2023, provide guidelines clarifying the application of Article 41 and 2 of that Directive.
2.
The present Guidelines clarify the application of those provisions, which concern the relationship between Directive EU 2022/2555 and current and future sector-specific Union legal acts addressing cybersecurity risk-management measures or incident reporting requirements. The Appendix to these Guidelines lists the sector-specific Union legal acts that the Commission considers to fall within the scope of Article 4 of Directive EU 2022/2555. The fact that an act is not listed in that Appendix does not necessarily mean that it does not fall within the scope of that provision.
3.
In application of Article 43, third sentence, of Directive EU 2022/2555, the Commission took account of the observations of the NIS Cooperation Group and the European Union Agency for Cybersecurity ENISA prior to the adoption of the present Guidelines.
4.
The present Guidelines are without prejudice to the interpretation of Union law by the Court of Justice of the European Union.
II. EQUIVALENCE OF CYBERSECURITY REQUIREMENTS OF SECTOR-SPECIFIC UNION LEGAL ACTS
5.
Article 41 of Directive EU 2022/2555 provides that, where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in that Directive, the relevant provisions of Directive EU 2022/2555, including the provisions on supervision and enforcement laid down in Chapter VII of that Directive, shall not apply to such entities. That provision further provides that where sectorspecific Union legal acts do not cover all entities in a specific sector falling within the scope of Directive EU 2022/2555, the relevant provisions of that Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.
II.1.
Cybersecurity risk-management requirements
6.
Article 42a of Directive EU 2022/2555 provides that cybersecurity risk-management measures that essential or important entities are required to adopt under sector-specific Union legal acts shall be considered to be equivalent in effect to the obligations laid down in Directive EU 2022/2555 where those measure are at least equivalent in effect to those laid down in Article 211 and 2 of that Directive. When assessing whether the requirements in a sectorspecific Union legal act on cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 211 and 2 of Directive EU 2022/2555, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance compared to the corresponding provisions of Directive EU 2022/2555.
1 OJ L 333, 27.12.2022, p. 80.
