NIS 2 Directive Article 4 – Sector-Specific Union Legal Acts

Introduction

1. The NIS 2 Directive aims to strengthen cybersecurity across the European Union.

2. Article 4 of the Directive specifically addresses sector-specific Union legal acts.

Scope Of Sector - Specific Union Legal Acts

1. Essential or important entities in specific sectors must adopt cybersecurity risk-management measures or notify significant incidents.

2. Entities covered by sector-specific Union legal acts may be exempt from specific provisions of the NIS 2 Directive.

3. If sector-specific legal acts do not cover all entities within a sector, the NIS 2 Directive provisions remain applicable to those not covered.

Equivalent Effect Of Requirements

1. To be considered equivalent, cybersecurity risk-management measures must meet the standards outlined in Article 21(1) and (2) of the Directive.

2. Sector-specific legal acts must provide immediate access to incident notifications by CSIRTs, authorities, or single contact points.

3. Notification requirements for significant incidents must be comparable to those in Article 23(1) to (6) of the NIS 2 Directive.

Guidelines By The Commission

1. The European Commission will issue guidelines to clarify the application of Article 4 by July 17, 2023.

2. These guidelines will help ensure consistency in the implementation of sector-specific Union legal acts within the framework of the NIS 2 Directive.

Conclusion

Sector-specific Union legal acts play a crucial role in enhancing cybersecurity measures for essential entities in specific sectors. The NIS 2 Directive provides a framework for harmonizing cybersecurity regulations across the EU while allowing for tailored approaches in certain sectors. Clear guidelines from the Commission will facilitate the effective implementation of these sector-specific legal acts in alignment with the Directive's objectives.