CHAPTER I: GENERAL PROVISIONS (Articles 1 to 6)
CHAPTER II: COORDINATED CYBERSECURITY FRAMEWORKS (Articles 7 to 13)
CHAPTER III: COOPERATION AT UNION AND INTERNATIONAL LEVEL (Articles 14 to 19)
CHAPTER IV: CYBERSECURITY RISK-MANAGEMENT MEASURES AND REPORTING OBLIGATIONS (Articles 20 to 25)
CHAPTER V: JURISDICTION AND REGISTRATION (Articles 26 to 28)
CHAPTER VI: INFORMATION SHARING (Articles 29 to 30)
CHAPTER VII: SUPERVISION AND ENFORCEMENT (Articles 31 to 37)
CHAPTER VIII: DELEGATED AND IMPLEMENTING ACTS (Articles 38 to 39)
CHAPTER IX: FINAL PROVISIONS (Articles 40 to 46)
ANNEXES
In order to streamline the obligations imposed on providers of public electronic communications networks or of publicly available electronic communications services, and trust service providers, related to the security of their network and information systems, as well as to enable those entities and the competent authorities under Directive (EU) 2018/1972 of the European Parliament and of the Council and Regulation (EU) No 910/2014 respectively to benefit from the legal framework established by this Directive, including the designation of a CSIRT responsible for incident handling, the participation of the competent authorities concerned in the activities of the Cooperation Group and the CSIRTs network, those entities should fall within the scope of this Directive. The corresponding provisions laid down in Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 related to the imposition of security and notification requirements on those types of entity should therefore be deleted. The rules on reporting obligations laid down in this Directive should be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC.
Where appropriate and in order to avoid unnecessary disruption, existing national guidelines adopted for the transposition of the rules related to security measures laid down in Articles 40 and 41 of Directive (EU) 2018/1972 should be taken into account in the transposition of this Directive, thereby building on the knowledge and skills already acquired under Directive (EU) 2018/1972 concerning security measures and incident notifications. ENISA can also develop guidance on security requirements and on reporting obligations for providers of public electronic communications networks or of publicly available electronic communications services to facilitate harmonisation and transition and to minimise disruption. Member States can assign the role of the competent authorities for electronic communications to the national regulatory authorities under Directive (EU) 2018/1972 in order to ensure the continuation of current practices and to build on the knowledge and experience gained as a result of the implementation of that Directive.
Entities falling within the scope of this Directive should be considered to fall under the jurisdiction of the Member State in which they are established. However, providers of public electronic communications networks or providers of publicly available electronic communications services should be considered to fall under the jurisdiction of the Member State in which they provide their services. DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms should be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union. Public administration entities should fall under the jurisdiction of the Member State which established them. If the entity provides services or is established in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of those Member States. The competent authorities of those Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions. Where Member States exercise jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct, in line with the principle of .
In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, only one Member State should have jurisdiction over those entities. Jurisdiction should be attributed to the Member State in which the entity concerned has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether that criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be considered to be in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken in the Union. This will typically correspond to the place of the entities’ central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment should be considered to be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity has the establishment with the highest number of employees in the Union.
Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.
Where a publicly available recursive DNS service is provided by a provider of public electronic communications networks or of publicly available electronic communications services only as a part of the internet access service, the entity should be considered to fall under the jurisdiction of all the Member States where its services are provided.
Where a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider or a provider of an online marketplace, of an online search engine or of a social networking services platform, which is not established in the Union, offers services within the Union, it should designate a representative in the Union. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary’s website or of an email address or other contact details, or the use of a language generally used in the third country where the entity is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of customers or users who are in the Union, could make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for the competent authorities or the CSIRTs to address the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter’s behalf with regard to the latter’s obligations laid down in this Directive, including incident reporting.