Chapter IV – Cybersecurity risk-management measures and reporting obligations (Art. 20-25)

Art. 20 NIS2 - Governance

  1. Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.

  2. Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

Recital 83

Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities’ internal IT staff or the security of which has been outsourced. The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.

Recital 89

Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats, phishing or social engineering techniques. Furthermore, those entities should evaluate their own cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.

Art. 21 NIS2 - Cybersecurity risk-management measures

Art. 22 NIS2 - Union level coordinated security risk assessments of critical supply chains

Art. 23 NIS2 - Reporting obligations

Art. 24 NIS2 - Use of European cybersecurity certification schemes

Art. 25 NIS2 - Standardisation