NIS 2 Directive Article 33 – Supervisory and Enforcement Measures In Relation To Important Entities
Introduction
Article 33 of the NIS 2 Directive is crucial in ensuring cybersecurity and resilience in the digital landscape. This article focuses on the supervisory and enforcement measures for important entities under this directive.

Importance of Compliance
When evidence suggests that important entities are not adhering to the NIS 2 Directive, especially Articles 21 and 23, it becomes essential for Member States to ensure that competent authorities take effective, proportionate, and dissuasive ex-post supervisory measures.
Authority Powers
Competent authorities are empowered to conduct a range of activities to oversee the cybersecurity measures of important entities. These include on-site inspections and off-site supervision by trained professionals, targeted security audits by independent bodies or authorities, and security scans based on fair risk assessments.
Information Assessment
Authorities can also request information from these entities to assess their cybersecurity measures, including policies and compliance with specific articles of the directive. They have the right to access data, documents, and evidence related to the implementation of cybersecurity policies within these entities.
Key Responsibilities
Competent authorities have several key responsibilities when it comes to supervising important entities. These include issuing warnings for infringements of the directive, adopting binding instructions to address deficiencies, and ordering the cessation of any infringing conduct.
Compliance and Reporting
Authorities must ensure that these entities comply with cybersecurity measures and reporting obligations. They are also responsible for informing affected persons about significant cyber threats and the necessary protective measures to mitigate these risks.
Audit Recommendations and Fines
When targeted audits are conducted based on risk assessments, the results must be shared with competent authorities. Unless stated otherwise, the audited entities are usually responsible for covering the audit costs. Authorities must implement audit recommendations within a specified timeframe and may impose administrative fines as per Article 34 of the directive.
Cooperation and Oversight
For effective implementation, competent authorities must cooperate with relevant authorities as per Regulation (EU) 2022/2554. They must also inform the Oversight Forum when ensuring compliance by important entities designated as critical ICT third-party service providers.
Conclusion
NIS 2 Directive Article 33 outlines the necessary supervisory and enforcement measures regarding important entities. By ensuring compliance with these measures, Member States can enhance cybersecurity, protect critical infrastructure, and mitigate cyber threats effectively.