14.9.2023 EN Official Journal of the European Union C 324/2
COMMUNICATION FROM THE COMMISSION
Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555 (NIS 2 Directive)
(2023/C 324/02)
1. Pursuant to Article 3(4) of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (1), the Commission, with the assistance of the European Union Agency for Cybersecurity (ENISA), shall without undue delay provide guidelines and templates regarding the obligations laid down in that provision. Article 3(4) of Directive (EU) 2022/2555 refers to Article 3(3) of that Directive, which requires the Member States to establish a list of essential and important entities, as well as entities providing domain name registration services, by 17 April 2025. Member States must review and, where appropriate, update that list regularly and at least every two years thereafter.
2. For the purposes of establishing the list of essential and important entities, Member States should require entities to submit at least the following information to the competent authorities: the name, address and up-to-date contact details, including the email addresses, IP ranges and telephone numbers of the entity, and, where applicable, the relevant sector and subsector referred to in the annexes, as well as, where applicable, a list of the Member States where they provide services falling within the scope of the Directive. Annex I to these Guidelines sets out a template for the collection of that information for the purposes of establishing the list.
3. To facilitate the establishment and updating of the list of essential and important entities, as well as of entities providing domain name registration services, Article 3(4) of Directive (EU) 2022/2555 provides that Member States should be able to establish national mechanisms for entities to register themselves (2).
4. According to Article 3(5) of Directive (EU) 2022/2555, by 17 April 2025 and every two years thereafter, Member States must notify the Commission and the Cooperation Group of at least the number of essential and important entities listed pursuant to Article 3(3) of that Directive for each sector and subsector referred to in Annexes I and II of the Directive. Member States must also notify the Commission of relevant information on the number of essential and important entities identified pursuant to Article 2(2)(b) to (e) of Directive (EU) 2022/2555, the sector and subsector to which they belong, the type of service that they provide, and the provision pursuant to which they were identified. Recital 19 of the preamble to Directive (EU) 2022/2555 explains that Member States are encouraged to exchange with the Commission information about essential and important entities and, in the case of a large-scale cybersecurity incident, relevant information, such as the name of the entity concerned.
5. In addition to the list established by the Member States pursuant to Article 3(3) of Directive (EU) 2022/2555, the Member States, in accordance with Article 27(2) of that Directive, should also require certain types of entities referred to in Article 27(1) of the Directive to submit the following information to the competent authorities by 17 January 2025: the name of the entity; the relevant sector, subsector and type of entity referred to in Annex I or II to the Directive, where applicable; the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3) of the Directive; up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3) of the Directive; the Member States where the entity provides services; and the entity’s IP ranges. Pursuant to Article 27(3) of Directive (EU) 2022/2555, Member States shall require entities referred to in Article 27(1) of the Directive to notify the competent authority about any changes to the information they submitted under Article 27(2) of the Directive, without delay and in any event within three months of the date of change.
6. According to Article 27(5) of Directive (EU) 2022/2555, the information referred to in Article 27(2) and (3) of that Directive shall be submitted through the national mechanism referred to in Article 3(4) of the Directive, where applicable. Therefore, to achieve greater administrative efficiencies, the template attached as Annex to these Guidelines also includes requests for information required for the purposes of both Article 3(3) and Article 27(2) of Directive (EU) 2022/2555. This template was created with the assistance of ENISA.
(1) OJ L 333, 27.12.2022, p. 80.
(2) See also recital 18 of the preamble to Directive (EU) 2022/2555.
APPENDIX
Template for the information required for the list referred to in Article 3(3) and for Article 27(2) of Directive (EU) 2022/2555
1. Sector of activity under Directive (EU) 2022/2555
Annex I – sectors of high criticality
Annex II – other critical sectors
2. Name of the entity
3. In case the entity is referred to in Article 27(1) of Directive (EU) 2022/2555 (DNS service provider, TLD name registry, entity providing domain name registration services, cloud computing service provider, data centre service provider, content delivery network provider, managed service provider, managed security service provider, as well as a provider of online marketplaces, of online search engines and of social networking services platforms), does the entity have its main EU establishment in this Member State or, in case of no legal establishment in the EU, its representative in this Member State?
4. Address of the entity’s establishment in this Member State. If the entity is referred to in Article 27(1) of Directive (EU) 2022/2555, the address of the entity’s main establishment, if it is located in this Member State, as well as its other legal establishments in the EU. In case there is no establishment, the address of the representative in the EU, designated in accordance with Article 26(3) of Directive (EU) 2022/2555, if the representative is located in this Member State.
5. Up-to-date contact details, including email addresses and telephone numbers in this Member State.
6. IP ranges of the entity for this Member State
7. If the entity is referred to in Article 27(1) of Directive (EU) 2022/2555, a list of Member States where the entity provides services in scope of that Directive.