14.9.2023   

EN

Official Journal of the European Union

C 324/2


COMMUNICATION FROM THE COMMISSION

Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555 (NIS 2 Directive)

(2023/C 324/02)

1.   Pursuant to Article 3(4) of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (1), the Commission, with the assistance of the European Union Agency for Cybersecurity (ENISA), shall without undue delay provide guidelines and templates regarding the obligations laid down in that provision. Article 3(4) of Directive (EU) 2022/2555 refers to Article 3(3) of that Directive, which requires the Member States to establish a list of essential and important entities, as well as entities providing domain name registration services, by 17 April 2025. Member States must review and, where appropriate, update that list regularly and at least every two years thereafter.

2.   For the purposes of establishing the list of essential and important entities, Member States should require entities to submit at least the following information to the competent authorities: the name, address and up-to-date contact details, including the email addresses, IP ranges and telephone numbers of the entity, and, where applicable, the relevant sector and subsector referred to in the annexes, as well as, where applicable, a list of the Member States where they provide services falling within the scope of the Directive. Annex I to these Guidelines sets out a template for the collection of that information for the purposes of establishing the list.

3.   To facilitate the establishment and updating of the list of essential and important entities, as well as of entities providing domain name registration services, Article 3(4) of Directive (EU) 2022/2555 provides that Member States should be able to establish national mechanisms for entities to register themselves (2).

4.   According to Article 3(5) of Directive (EU) 2022/2555, by 17 April 2025 and every two years thereafter, Member States must notify the Commission and the Cooperation Group of at least the number of essential and important entities listed pursuant to Article 3(3) of that Directive for each sector and subsector referred to in Annexes I and II of the Directive. Member States must also notify the Commission of relevant information on the number of essential and important entities identified pursuant to Article 2(2)(b) to (e) of Directive (EU) 2022/2555, the sector and subsector to which they belong, the type of service that they provide, and the provision pursuant to which they were identified. Recital 19 of the preamble to Directive (EU) 2022/2555 explains that Member States are encouraged to exchange with the Commission information about essential and important entities and, in the case of a large-scale cybersecurity incident, relevant information, such as the name of the entity concerned.

5.   In addition to the list established by the Member States pursuant to Article 3(3) of Directive (EU) 2022/2555, the Member States, in accordance with Article 27(2) of that Directive, should also require certain types of entities referred to in Article 27(1) of the Directive to submit the following information to the competent authorities by 17 January 2025: the name of the entity; the relevant sector, subsector and type of entity referred to in Annex I or II to the Directive, where applicable; the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3) of the Directive; up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3) of the Directive; the Member States where the entity provides services; and the entity’s IP ranges. Pursuant to Article 27(3) of Directive (EU) 2022/2555, Member States shall require entities referred to in Article 27(1) of the Directive to notify the competent authority about any changes to the information they submitted under Article 27(2) of the Directive, without delay and in any event within three months of the date of change.

6.   According to Article 27(5) of Directive (EU) 2022/2555, the information referred to in Article 27(2) and (3) of that Directive shall be submitted through the national mechanism referred to in Article 3(4) of the Directive, where applicable. Therefore, to achieve greater administrative efficiencies, the template attached as Annex to these Guidelines also includes requests for information required for the purposes of both Article 3(3) and Article 27(2) of Directive (EU) 2022/2555. This template was created with the assistance of ENISA.


(1)   OJ L 333, 27.12.2022, p. 80.

(2)  See also recital 18 of the preamble to Directive (EU) 2022/2555.


APPENDIX

Template for the information required for the list referred to in Article 3(3) and for Article 27(2) of Directive (EU) 2022/2555

1.   Sector of activity under Directive (EU) 2022/2555

Annex I – sectors of high criticality

Energy

Electricity

Electricity undertaking

Distribution system operator

Transmission system operator

Producers

Nominated electricity market operators

Market participants providing aggregation, demand response or energy storage services

Operators of a recharging point that are responsible for the management and operation of a recharging point, which provides a recharging service to end users, including in the name and on behalf of a mobility service provider

Operators of district heating and cooling

Oil

Operators of transmission pipelines

Operators of oil production, refining and treatment facilities, storage and transmission

Central stockholding entities

Gas

Supply undertakings

Distribution system operators

Transmission system operators

Storage system operators

LNG system operators

Natural gas undertakings

Operators of natural gas refining and treatment facilities

Operators of hydrogen production, storage and transmission

Transport

Air

Air carriers

Airport managing bodies

Traffic management control operators providing air traffic control (ATC) services

Rail

Infrastructure managers

Railway undertakings, including operators of service facilities

Water

Inland, sea and coastal passenger and freight water transport companies, not including the vessels operated by those companies

Managing bodies including their port facilities and entities operating works and equipment contained within ports

Operators of vessel traffic services (VTS)

Road

Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity

Operators of intelligent transport systems

Health

Healthcare providers

EU reference laboratories

Entities carrying out research and development activities of medicinal products

Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2

Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list)

Drinking water – Suppliers and distributors of water intended for human consumption excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods

Waste water – Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity

Digital infrastructure

Internet Exchange Point Providers

DNS service providers

TLD name registries

Cloud computing service providers

Data centre service providers

Content delivery network providers

Trust service providers

Providers of public electronic communications networks

Providers of publicly available electronic communications services

ICT service management (business-to-business)

Managed service providers

Managed security service providers

Public administration

Public administration entities of central governments

Public administration entities at regional level

Space – Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks

Annex II – other critical sectors

Postal and courier services

Waste management – Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity

Manufacture, production and distribution of chemicals – undertakings carrying out the manufacture of substances and undertakings carrying out the production of articles from substances or mixtures

Production, processing and distribution of food – food businesses which are engaged in wholesale distribution and industrial production and processing

Manufacturing

Manufacture of medical devices and in vitro diagnostic medical devices

Manufacture of computer, electronic and optical products

Manufacture of electrical equipment

Manufacture of machinery and equipment n.e.c.

Manufacture of motor vehicles, trailers and semi-trailers

Manufacture of other transport equipment

Digital providers

Providers of online marketplaces

Providers of online search engines

Providers of social networking services platforms

Research organisations

Entities not included in the Annexes

Entities providing domain name registration services

Other entities identified as critical entities under Directive (EU) 2022/2557

Entities identified as operators of essential services in accordance with national law

2.   Name of the entity

3.   In case the entity is referred to in Article 27(1) of Directive (EU) 2022/2555 (DNS service provider, TLD name registry, entity providing domain name registration services, cloud computing service provider, data centre service provider, content delivery network provider, managed service provider, managed security service provider, as well as a provider of online marketplaces, of online search engines and of social networking services platforms), does the entity have its main EU establishment in this Member State or in case of no legal establishment in the EU, its representative in this Member State?

4.   Address of the entity’s establishment in this Member State. If the entity is referred to in Article 27(1) of Directive (EU) 2022/2555, the address of the entity’s main establishment, if it is located in this Member State, as well as its other legal establishments in the EU. In case there is no establishment, the address of the representative in the EU, designated in accordance with Article 26(3) of Directive (EU) 2022/2555, if the representative is located in this Member State.

5.   Up-to-date contact details, including email addresses and telephone numbers, in this Member State.

6.   IP ranges of the entity for this Member State

7.   If the entity is referred to in Article 27(1) of Directive (EU) 2022/2555, a list of Member States where the entity provides services in scope of that Directive.