On 17 July 2023, the Commission decided not to oppose the above notified concentration and to declare it compatible with the internal market. This decision is based on Article 6(1)(b) of Council Regulation (EC) No 139/2004 (1). The full text of the decision is available only in English and will be made public after it is cleared of any business secrets it may contain. It will be available:

—	in the merger section of the ‘Competition policy’ website of the Commission (https://competition-cases.ec.europa.eu/search). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—	in electronic form on the EUR-Lex website (http://eur-lex.europa.eu/homepage.html?locale=en) under document number 32023M11106. EUR-Lex is the online point of access to European Union law.

---

(1)   OJ L 24, 29.1.2004, p. 1.

I.   INTRODUCTION

1.

Pursuant to Article 4(3) of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive), (1) the Commission shall, by 17 July 2023, provide guidelines clarifying the application of Article 4(1) and (2) of that Directive.

2.

The present Guidelines clarify the application of those provisions, which concern the relationship between Directive (EU) 2022/2555 and current and future sector-specific Union legal acts addressing cybersecurity risk-management measures or incident reporting requirements. The Appendix to these Guidelines lists the sector-specific Union legal acts that the Commission considers to fall within the scope of Article 4 of Directive (EU) 2022/2555. The fact that an act is not listed in that Appendix does not necessarily mean that it does not fall within the scope of that provision.

3.

In application of Article 4(3), third sentence, of Directive (EU) 2022/2555, the Commission took account of the observations of the NIS Cooperation Group and the European Union Agency for Cybersecurity (ENISA) prior to the adoption of the present Guidelines.

4.

The present Guidelines are without prejudice to the interpretation of Union law by the Court of Justice of the European Union.

II.   EQUIVALENCE OF CYBERSECURITY REQUIREMENTS OF SECTOR-SPECIFIC UNION LEGAL ACTS

5.

Article 4(1) of Directive (EU) 2022/2555 provides that, where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in that Directive, the relevant provisions of Directive (EU) 2022/2555, including the provisions on supervision and enforcement laid down in Chapter VII of that Directive, shall not apply to such entities. That provision further provides that where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of Directive (EU) 2022/2555, the relevant provisions of that Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

II.1.   Cybersecurity risk-management requirements

6.

Article 4(2)(a) of Directive (EU) 2022/2555 provides that cybersecurity risk-management measures that essential or important entities are required to adopt under sector-specific Union legal acts shall be considered to be equivalent in effect to the obligations laid down in Directive (EU) 2022/2555 where those measure are at least equivalent in effect to those laid down in Article 21(1) and (2) of that Directive. When assessing whether the requirements in a sector-specific Union legal act on cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2) of Directive (EU) 2022/2555, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of those provisions or go beyond them, meaning that the sector-specific provisions may be more granular on substance compared to the corresponding provisions of Directive (EU) 2022/2555.

7.

Pursuant to Article 21(1), first subparagraph, of Directive (EU) 2022/2555, Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services. Those measures should be risk-based and should be able to prevent or minimise the impact of incidents. Article 21(1), second subparagraph, of Directive (EU) 2022/2555 specifies how the proportionality of such measures should be assessed (2). The obligation laid down in Article 21(1) of Directive (EU) 2022/2555 requiring essential and important entities to take appropriate and proportionate cybersecurity risk-management measures refers to all operations and services of the entity concerned, not only to specific information technology (‘IT’) assets or critical services that the entity provides.

8.

When assessing the equivalence of a sector-specific Union legal act with the relevant provisions on cyber risk-management of Directive (EU) 2022/2555, particular importance should be given in that assessment to the question whether the security obligations in that legal act comprise measures aiming to ensure the security of network and information systems. The definition of ‘security of networks and information systems’ laid down in Article 6, point (2) of Directive (EU) 2022/2555 refers to the ability of information systems to resist, at a given level of confidence, any event that could compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of services offered by, or accessible via, those network and information systems. The use of the terms ‘availability’, ‘authenticity’, ‘integrity’ and ‘confidentiality’ in that definition refers to all four protection goals related to the security of network and information systems. The term ‘network and information systems’, as defined in Article 6, point (1) of Directive (EU) 2022/2555, encompasses electronic communication networks (3); any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; and digital data stored, processed, retrieved or transmitted by such electronic communication networks or devices for the purposes of their operation use, protection or maintenance. Consequently, the security measures required by a sector-specific Union legal act should also cover hardware, firmware, and software used in the activities of an entity.

9.

Another important consideration when assessing the equivalence of a sector-specific Union legal act with the requirements of Article 21(1) and (2) of Directive (EU) 2022/2555 is that the cybersecurity risk-management measures required by that act should be based on an ‘all-hazard approach’. Since threats to the security of network and information systems could have different origins, any type of event can have a negative impact on the network information systems of the entity and potentially lead to an incident. Therefore, the cybersecurity risk-management measures taken by the entity should protect not only the entity’s network and information systems, but also the physical environment of those systems from any event such as sabotage, theft, fire, flood, telecommunication or power failures, or unauthorised physical access that are capable of compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. Consequently, the cybersecurity risk-management measures required by a sector-specific Union legal act should specifically address the physical and environmental security of network and information systems from systems failure, human error, malicious acts, or natural phenomena (4).

10.

Article 21(2) of Directive (EU) 2022/2555 further requires the cybersecurity risk-management measures to include the specific security requirements listed in lit (a) to (j) of paragraph 2 of that provision. Those requirements cover measures such as policy on risk-analysis and information system security, incident handling, business continuity, crisis-management, supply chain security, policies and procedure regarding the use of cryptography, and where appropriate, encryption. Pursuant to Article 21(5), second subparagraph, of Directive (EU) 2022/2555, the Commission is empowered to adopt implementing acts laying down the technical and methodological requirements, as well as sectorial requirements, as necessary, of the security measures referred to in Article 21(2) of that Directive. With regard to Domain Name System (‘DNS’) service providers, top-level Domain (‘TLD’) name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers, the Commission shall adopt, by 17 October 2024, implementing acts on the technical and methodological requirements of the security measures referred to in Article 21(2) of Directive (EU) 2022/2555. Implementing acts specify in further detail the main conditions and criteria for implementation as laid down in the basic act, without affecting the substance of that act (5).

II.2.   Reporting requirements

11.

Article 4(2)(b) of Directive (EU) 2022/2555 provides that reporting requirements concerning the notification of significant incidents shall be considered to be equivalent in effect to the obligations of that Directive where a sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the computer security incident response teams (‘CSIRTs’), the competent authorities, or the single points of contact (‘SPOCs’), and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of Directive (EU) 2022/2555.

12.

Since the requirements of a sector-specific Union legal act to notify significant incidents must be at least equivalent in effect to those laid down in Article 23(1) to (6) of Directive (EU) 2022/2555 for that act to apply instead of the reporting obligations of that Directive, the requirements laid down in Article 23(1) to (6) of the Directive are of particular importance for the assessment of equivalence. Article 23(1) to (6) of Directive (EU) 2022/2555 prescribe in more detail what kind of incidents must be reported to whom, in what timeframe, and with what information content. This is explained in more detail in the following subsections:

II.2.1.   Notification of significant incidents to CSIRTs, competent authorities and recipients

13.

The first sentence of Article 23(1), first subparagraph, of Directive (EU) 2022/2555 requires essential and important entities to notify, without undue delay, its CSIRT or, where applicable, its competent authority, of any significant incident. The second sentence of Article 23(1), first subparagraph, of Directive (EU) 2022/2555 requires essential and important entities to notify, where appropriate, without undue delay, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services.

14.

While Article 6, point (6), of Directive (EU) 2022/2555 defines ‘incidents’ very broadly, as any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, Article 23(1) of that Directive only subjects significant incidents to a reporting obligation. An incident is significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned (Article 23(3)(a)) or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (Article 23(3)(b)).

15.

Recital (101) of the preamble to Directive (EU) 2022/2555 clarifies that the reporting of incidents should be based on an initial assessment carried out by the entity concerned. Such an initial assessment should consider, inter alia, the affected network and information systems, in particular their importance in the provision of the entity’s services, the severity and technical characteristics of a cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents. Indicators such as the extent to which the functioning of the service is affected, the duration of an incident, or the number of affected recipients of services may play an important role in identifying whether the operational disruption of the service is severe.

16.

Pursuant to Article 23(11), second subparagraph, of Directive (EU) 2022/2555, the Commission is empowered to adopt implementing acts further specifying the cases in which an incident shall be considered significant. With regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, the Commission shall adopt, by 17 October 2024, such implementing acts. Implementing acts specify in further detail the main conditions and criteria for implementation as laid down in the basic act, without affecting the substance of that act (6).

II.2.2.   Multiple-stage approach to and time frame for reporting significant incidents

17.

Directive (EU) 2022/2555 lays down a multiple-stage approach to the reporting of significant incidents which entails an early warning, an incident notification, and a final report. These three elements may possibly be supplemented by intermediate reports and a progress report.

18.

The multiple-stage approach aims at striking the right balance between, on one hand, swift reporting that helps mitigate the potential spread of significant incidents and allows essential and important entities to seek assistance, and, on the other, in-depth reporting that draws valuable lessons from individual incidents and improves over time the cyber resilience of individual entities and entire sectors (7).

19.

According to the multiple-stage approach, essential and important entities must first submit an early warning, without undue delay and in any event within 24 hours of becoming aware of the significant incident, to the competent CSIRT or authority. Subsequently, those entities must submit an incident notification, without undue delay and in any event within 72 hours of becoming aware of the significant incident. Thereafter, an intermediate report may be requested by a competent CSIRT or authority. Finally, a final report must be provided to the competent CSIRT or authority not later than one month after the submission of the incident notification, unless the incident is still ongoing at that time, in which case a progress report must be provided and the final report within one month of the handling of the incident.

20.

A different timeframe applies for the incident notification laid down in Article 23(4), second subparagraph, of Directive (EU) 2022/2555 in relation to trust service providers. Those providers must notify significant incidents on the provision of their trust services without undue delay and in any event within 24 hours of becoming aware of the significant incident.

II.2.3.   Content of reporting obligation of significant incidents to CSIRTs or competent authorities

21.

As a general rule, the third sentence of Article 23(1), first subparagraph, of Directive (EU) 2022/2555 requires Member States to ensure that essential and important entities report, inter alia, any information enabling the competent CSIRT or, where applicable, the competent authority to determine any cross-border impact of the incident. This requirement concerning the content of the reporting obligation is further specified in Article 23(4) of Directive (EU) 2022/2555, which lays down the multiple-stage approach.

22.

According to Article 23(4)(a), the early warning must include, where applicable, an indication whether the significant incident is suspected of being caused by unlawful or malicious acts or if it could have (in terms of whether it is likely to have) a cross-border impact. According to recital (102) of the preamble to Directive (EU) 2022/2555, the early warning should only include the information necessary to make the competent CSIRT or authority aware of the significant incident and to allow the entity concerned to seek assistance, if required.

23.

The incident notification must include, where applicable, updates to the information submitted as part of the early warning. Moreover, it must include an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise.

24.

In case an intermediate report is requested, it must include relevant status updates. The final report must include a detailed description of the incident, including its severity and impact, the type of threat or root cause that is likely to have triggered the incident, the applied and ongoing mitigation measures, and, where applicable, the cross-border impact of the incident.

II.2.4.   Immediate access to incident notifications

25.

Article 4(2)(b) of Directive (EU) 2022/2555 provides that a sector-specific Union legal act, to be applicable with regard to the notification requirements instead of that Directive, needs to provide the CSIRTs, the competent authorities, or the SPOCs under Directive (EU) 2022/2555 with immediate access to the incident notifications submitted in accordance with the sector-specific Union legal act. In accordance with Recital (24) of the preamble to Directive (EU) 2022/2555, such immediate access can be ensured, in particular, if incident notifications are being forwarded without undue delay to the CSIRT, the competent authority, or the SPOC.

26.

Immediate access may be provided through automatic and direct means which Member States should put in place, where appropriate. Automatic and direct reporting mechanisms ensure systematic and immediate sharing of information with the CSIRTs, the competent authorities, or the SPOCs concerning the handling of incident notifications. Member States may also use a single entry point which needs to comply with the sector-specific Union legal act, to simplify reporting and to implement the automatic and direct reporting mechanism.

27.

When assessing whether the requirements in a sector-specific Union legal act to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of Directive (EU) 2022/2555, the requirements in that sector-specific Union legal act should, at a minimum, correspond to the requirements of Article 23(1) to (6) or provide for greater detail than those provisions. The requirements should relate to the kind of incidents that need to be reported according to Directive (EU) 2022/2555, taking into account in particular the recipients, the content, and the applicable time frames.

III.   CONSEQUENCES OF EQUIVALENCE

III.1.   Supervision and enforcement

28.

Where sector-specific Union legal acts are at least equivalent in effect to the obligations laid down in Directive (EU) 2022/2555, it is not only the relevant provisions of that Directive concerning the obligation to adopt cybersecurity risk-management measures or to notify significant incidents that do not apply, but also the provisions on supervision and enforcement laid down in Chapter VII of Directive (EU) 2022/2555.

29.

Recital (25) of the preamble to Directive (EU) 2022/2555 explains that sector-specific Union legal acts that are at least equivalent in effect could provide that the competent authorities under those acts exercise their supervisory and enforcement powers in relation to cybersecurity risk-management or notification obligations with the assistance of the competent authorities under Directive (EU) 2022/2555. The competent authorities concerned could establish cooperation arrangements for that purpose, including procedures concerning the coordination of supervisory activities, procedures on investigations and on-site inspections in accordance with national law, and a mechanism for the exchange of relevant information on supervision and enforcement between the competent authorities. Such a mechanism for the exchange of relevant information could entail the access to cyber-related information requested by the competent authorities under Directive (EU) 2022/2555.

III.2.   National cybersecurity strategy

30.

Each Member State is required to adopt a national cybersecurity strategy pursuant to Article 7(1) of Directive (EU) 2022/2555. A national cybersecurity strategy is a coherent framework of a Member State providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve those objectives and priorities in that Member State (see Article 6, point (4), of Directive (EU) 2022/2555). The cybersecurity strategy must include inter alia objectives and priorities covering in particular the sectors referred to in Annexes I and II to Directive (EU) 2022/2555. In addition, that strategy must entail a governance framework to achieve those objectives and priorities, including the policies referred to in Article 7(2) of Directive (EU) 2022/2555.

31.

Moreover, Article 7(1)(c) of Directive (EU) 2022/2555 provides that the national cybersecurity strategy must include a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the SPOCs and the CSIRTs under Directive (EU) 2022/2555, as well as coordination and cooperation between those bodies and competent authorities under sector-specific Union legal acts.

32.

Hence, the requirement for adopting a cybersecurity strategy pursuant to Article 7 of Directive (EU) 2022/2555 neither concerns the cybersecurity requirements imposed on essential and important entities pursuant to Articles 21 and 23 of that Directive, nor the provisions related to their supervision and enforcement laid down in Chapter VII as required by Article 4(1) and (2) of the Directive. The relevant provision of Article 7 should continue to apply with respect to sectors, subsectors and types of entities for which sector-specific Union legal acts within the meaning of Article 4 of Directive (EU) 2022/2555 exist.

III.3.   Designation of CSIRTs

33.

According to Article 10(1) of Directive (EU) 2022/2555, Member States must designate or establish one or more CSIRTs which shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II of the Directive, thus including the sectors, subsectors and types of entities for which sector-specific Union legal acts exist. CSIRTs will normally also carry out their tasks as laid down in Article 11(3) of Directive (EU) 2022/2555 in that regard, unless particular tasks are specified in the sector-specific Union legal acts.

III.4.   National cyber crisis management frameworks and EU-CyCLONe

34.

Pursuant to Article 9(1) of Directive (EU) 2022/2555, the Member States must designate or establish one or more cyber crisis management authorities who are responsible for the management of large-scale cybersecurity incidents and crises. According to Article 6, point (7), of that Directive, a large-scale cybersecurity incident is an incident which causes a level of disruption that exceeds a Member State’s capacity to respond to it or which has a significant impact on at least two Member States. Article 9(4) of Directive (EU) 2022/2555 requires the Member States to also adopt a national large-scale cybersecurity incident and crisis response plan where the objectives of and arrangements for the management of large-scale cybersecurity incidents and crises are set out. This plan should lay down, inter alia, the cyber crisis management procedures, including their integration into the general national crisis management framework and information exchange channels, and the relevant public and private stakeholders and infrastructure involved. Such cyber crisis management procedures and relevant public and private stakeholders and infrastructure might involve sector-specific procedures and stakeholders.

35.

Article 16 of Directive (EU) 2022/2555 establishes the European cyber crisis liaison organization network (EU-CyCLONe), whose purpose is to support the coordinated management of large-scale cybersecurity incidents and crisis at operational level and to ensure the regular exchange of relevant information among Member States and Union institutions, bodies and agencies.

36.

Since Article 9 on cyber crisis management frameworks and Article 16 on EU-CyCLONe do not concern the cybersecurity requirements imposed on entities pursuant to Article 21 and 23 of Directive (EU) 2022/2555 or the supervision and enforcement laid down in Chapter VII as required by Article 4(1) and (2) of that Directive, Article 9 and 16 should apply in their entirety for sectors, despite the existence of sector-specific Union legal acts within the meaning of Article 4. As a result, Member States must designate or establish one or more cyber crisis management authorities responsible for the management of large-scale cybersecurity incidents and crises occurring in the sectors covered by sector-specific Union legal acts. Furthermore, sectors covered by sector-specific Union legal acts should not be disregarded when adopting the national large-scale cybersecurity incident and crisis response plan. Finally, EU-CyCLONe should carry out its tasks enshrined in Article 16 of Directive (EU) 2022/2555 with regard to sectors where entities are subject to sector-specific Union legal acts.

III.5.   Exclusion of the application of Articles 3 (3) and (4), 20 and 27 (2) and (3)

37.

Pursuant to Article 3(3) of Directive (EU) 2022/2555, Member States are required to establish a list of essential and important entities as well as entities providing domain name registration services falling under the scope of the Directive. Pursuant to Article 27 (2), Member States shall require entities referred to in Article 27 (1) of that Directive to submit certain information to the competent authorities. Since the purpose of these provisions is to ensure a clear overview of the entities falling within the scope of Directive (EU) 2022/2555 to support the supervision of essential and important entities falling under its scope, it follows that these provisions should not apply to entities for which a sector-specific Union legal act applies with respect to cybersecurity risk-management and reporting requirements. This does not preclude Member States from including such entities in the list. Pursuant to Article 20(1) of Directive (EU) 2022/2555, management bodies of essential and important entities are required to approve the cybersecurity risk-measures taken by those entities in order to comply with Article 21, oversee its implementation, and can be held liable for infringements by the entities of that Article. Pursuant to Article 20(2) of that Directive, Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity. Since the obligations stemming from Article 20 of Directive (EU) 2022/2555 are intrinsically linked to the requirements of Article 21 of that Directive, it follows that Article 20 should not apply in the case of sector-specific Union legal acts within the meaning of Article 4 of that Directive applying with respect to cybersecurity risk-management requirements.

---

(1)   OJ L 333, 27.12.2022, p. 80.

(2)  See also recitals 78, 81 and 82 of the preamble to Directive (EU) 2022/2555.

(3)  Article 2(1) of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36).

(4)  See Recital 79 of the preamble to Directive (EU) 2022/2555.

(5)  See Chapter D Additional Rules Implementing the Basic Act, Non-Binding Criteria for the application of Articles 290 and 291 of the Treaty on the Functioning of the European Union — 18 June 2019 (OJ C 223, 3.7.2019, p. 1).

(6)  See Chapter D Additional Rules Implementing the Basic Act, Non-Binding Criteria for the application of Articles 290 and 291 of the Treaty on the Functioning of the European Union — 18 June 2019, (OJ C 223, 3.7.2019, p. 1).

(7)  See Recital 101 of the preamble to Directive (EU) 2022/2555.

The following information is brought to the attention of the persons and entities that appear in the Annex to Council Decision 2011/235/CFSP (1), as implemented by Council Implementing Decision (CFSP) 2023/1780 (2), and in Annex I to Council Regulation (EU) No 359/2011 (3), as implemented by Council Implementing Regulation (EU) 2023/1779 (4) concerning restrictive measures directed against certain persons, entities and bodies in view of the situation in Iran.

The Council of the European Union has decided that those persons and entities should be included on the list of persons and entities subject to restrictive measures provided for in Decision 2011/235/CFSP and in Regulation (EU) No 359/2011.

The attention of the persons and entities concerned is drawn to the possibility of making an application to the competent authorities of the relevant Member State(s) as indicated on the websites in Annex II to Regulation (EU) No 359/2011, in order to obtain an authorisation to use frozen funds for basic needs or specific payments (cf. Article 4 of the Regulation).

The persons and entities concerned may submit a request to the Council before 1 January 2024, together with supporting documentation that the decision to include them on the above-mentioned list should be reconsidered to the following address:

Council of the European Union

General Secretariat

RELEX.1

Rue de la Loi/Wetstraat 175

1048 Bruxelles/Brussel

BELGIQUE/BELGIË

Email: sanctions@consilium.europa.eu

The attention of the persons and entities concerned is also drawn to the possibility of challenging the Council's decision before the General Court of the European Union, in accordance with the conditions laid down in Article 275, 2nd paragraph, and Article 263, 4th and 6th paragraphs, of the Treaty on the Functioning of the European Union.

---

(1)   OJ L 100, 14.4.2011, p. 51.

(2)   OJ L 228 I, 15.9.2023, p. 6.

(3)   OJ L 100, 14.4.2011, p. 1.

(4)   OJ L 228 I, 15.9.2023, p. 1.

The attention of data subjects is drawn to the following information in accordance with Article 16 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (1).

The legal bases for this processing operation are Council Decision 2011/235/CFSP (2), as implemented by Council Implementing Decision (CFSP) 2023/1780 (3), and Council Regulation (EU) No 359/2011 (4), as implemented by Council Implementing Regulation (EU) 2023/1779 (5).

The controller of this processing operation is the Council of the European Union represented by the Director-General of Directorate-General for External Relations (RELEX) of the General Secretariat of the Council and the department entrusted with the processing operation is RELEX.1 that can be contacted at:

Council of the European Union

General Secretariat

RELEX.1

Rue de la Loi/Wetstraat 175

1048 Bruxelles/Brussel

BELGIQUE/BELGIË

Email: sanctions@consilium.europa.eu

The Data Protection Officer of the Council can be contacted at:

Data Protection Officer

data.protection@consilium.europa.eu

The purpose of the processing operation is the establishment and updating of the list of persons subject to restrictive measures in accordance with Decision 2011/235/CFSP, as implemented by Implementing Decision (CFSP) 2023/1780, and Regulation (EU) No 359/2011, as implemented by Implementing Regulation (EU) 2023/1779.

The data subjects are the natural persons who fulfil the listing criteria as laid down in Decision 2011/235/CFSP and Regulation (EU) No 359/2011.

The personal data collected includes data necessary for the correct identification of the person concerned, the statement of reasons and any other data related to the grounds for listing.

The legal bases for the handling of personal data are the Council Decisions adopted under Article 29 TEU and Council Regulations adopted under Article 215 TFEU designating natural persons (data subjects) and imposing the freezing of assets and travel restrictions.

Processing is necessary for the performance of a task carried out in the public interest in accordance with Article 5(1)(a) and for compliance with legal obligations laid down in above-mentioned legal acts to which the controller is subject in accordance with Article 5(1)(b) of Regulation (EU) 2018/1725.

Processing is necessary for reasons of substantial public interest in accordance with Article 10(2)(g) of Regulation (EU) 2018/1725.

The Council may obtain personal data of data subjects from Member States and/or the European External Action Service. The recipients of the personal data are Member States, the European Commission and the European External Action Service.

All personal data processed by the Council in the context of EU autonomous restrictive measures will be retained for 5 years from the moment the data subject has been removed from the list of persons subject to the asset freeze or the validity of the measure has expired or, if a legal action is brought before the Court of Justice, until a final judgment has been handed down. Personal data contained in documents registered by the Council are kept by the Council for archiving purposes in the public interest, within the meaning of Art. 4(1)(e) of Regulation (EU) 2018/1725.

The Council may need to exchange personal data regarding a data subject with a third country or international organisation in the context of the Council’s transposition of UN designations or in the context of international cooperation regarding the EU’s restrictive measures policy.

In the absence of an adequacy decision, or of appropriate safeguards, transfer of personal data to a third country or an international organisation is based on the following condition(s), pursuant to Article 50 of Regulation (EU) 2018/1725: the transfer is necessary for important reasons of public interest; the transfer is necessary for the establishment, exercise or defence of legal claims.

No automated decision-making is involved in the processing of the data subject's personal data.

Data subjects have the right of information and the right of access to their personal data. They also have the right to correct and complete their data. Under certain circumstances, they may have the right to obtain the erasure of their personal data, or the right to object to the processing of their personal data or to ask for it to be restricted.

Data subjects can exercise these rights by sending an e-mail to the controller with a copy to the Data Protection Officer as indicated above.

Attached to their request, the data subjects must provide a copy of an identification document to confirm their identity (ID card or passport). This document should contain an identification number, country of issue, period of validity, name, address and date of birth. Any other data contained in the copy of the identification document such as photo or any personal characteristics may be blacked out.

Data subjects have the right to lodge a complaint with the European Data Protection Supervisor in accordance with Regulation (EU) 2018/1725 (edps@edps.europa.eu).

Before doing so, it is recommended that data subjects first try to obtain a remedy by contacting the controller and/or the Data Protection Officer of the Council.

---

(1)   OJ L 295, 21.11.2018, p. 39.

(2)   OJ L 100, 14.4.2011, p. 51.

(3)   OJ L 228 I, 15.9.2023, p. 6.

(4)   OJ L 100, 14.4.2011, p. 1.

(5)   OJ L 228 I, 15.9.2023, p. 1.

Decision withdrawing an authorisation

Reference of the decision (2)	Date of decision	Substance name	Addressee of the decision	Withdrawn use	Repealed decision	Reasons for the decision
C(2023) 6014	11 September 2023	Sodium dichromate EC No 234-190-3; CAS No 10588-01-9 (anhydrous); CAS No 7789-12-0 (dihydrate)	Gruppo Colle S.r.l., Via G. Di Vittorio 3/5, 59025 Usella, Cantagallo, Prato, Italy	As mordant in wool dyeing with dark colours	C(2017) 8331	The review report did not demonstrate the absence of suitable alternatives for the applicant, in accordance with Article 60(4) of Regulation (EC) No 1907/2006.

---

(1)   OJ L 396, 30.12.2006, p. 1.

(2)  The decision is available on the European Commission website at: Authorisation (europa.eu).

1 euro =

	Currency	Exchange rate
USD	US dollar	1,0658
JPY	Japanese yen	157,50
DKK	Danish krone	7,4573
GBP	Pound sterling	0,85878
SEK	Swedish krona	11,8730
CHF	Swiss franc	0,9554
ISK	Iceland króna	145,30
NOK	Norwegian krone	11,4220
BGN	Bulgarian lev	1,9558
CZK	Czech koruna	24,496
HUF	Hungarian forint	383,75
PLN	Polish zloty	4,6308
RON	Romanian leu	4,9698
TRY	Turkish lira	28,7513
AUD	Australian dollar	1,6498
CAD	Canadian dollar	1,4409
HKD	Hong Kong dollar	8,3416
NZD	New Zealand dollar	1,8008
SGD	Singapore dollar	1,4524
KRW	South Korean won	1 415,78
ZAR	South African rand	20,2968
CNY	Chinese yuan renminbi	7,7561
IDR	Indonesian rupiah	16 379,21
MYR	Malaysian ringgit	4,9922
PHP	Philippine peso	60,612
RUB	Russian rouble
THB	Thai baht	38,145
BRL	Brazilian real	5,1860
MXN	Mexican peso	18,2275
INR	Indian rupee	88,6150

---

(1)   Source: reference exchange rate published by the ECB.

---

(1)   OJ L 24, 29.1.2004, p. 1 (the ‘Merger Regulation’).

(2)   OJ C 366, 14.12.2013, p. 5.