Cybersecurity Act
Table of Contents
Chapter I – GENERAL PROVISIONS
Chapter II – ENISA (THE EUROPEAN UNION AGENCY FOR CYBERSECURITY)
Chapter III – CYBERSECURITY CERTIFICATION FRAMEWORK
Chapter IV – FINAL PROVISIONS
Recitals (110)
Annexes
Chapter I – GENERAL PROVISIONS
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;
(2) ‘network and information system’ means a network and information system as defined in point (1) of Article 4 of NIS Directive (Network and Information Security);
(3) ‘national strategy on the security of network and information systems’ means a national strategy on the security of network and information systems as defined in point (3) of Article 4 of NIS Directive (Network and Information Security);
(4) ‘operator of essential services’ means an operator of essential services as defined in point (4) of Article 4 of NIS Directive (Network and Information Security);
(5) ‘digital service provider’ means a digital service provider as defined in point (6) of Article 4 of NIS Directive (Network and Information Security);
(6) ‘incident’ means an incident as defined in point (7) of Article 4 of NIS Directive (Network and Information Security);
(7) ‘incident handling’ means incident handling as defined in point (8) of Article 4 of NIS Directive (Network and Information Security);
(8) ‘cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;
(9) ‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services, ICT processes or managed security services;
(10) ‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services, ICT processes or managed security services falling under the scope of the specific scheme;
(11) ‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product, ICT service, ICT process or managed security service has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;
(12) ‘ICT product’ means an element or a group of elements of a network or information system;
(13) ‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;
(14) ‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;
(14a) ‘managed security service’ means a service provided to a third party consisting of carrying out, or providing assistance for, activities relating to cybersecurity risk management, such as incident handling, penetration testing, security audits and consulting, including expert advice, related to technical support;
(15) ‘accreditation’ means accreditation as defined in point (10) of Article 2 of Accreditation and Market Surveillance Regulation;
(16) ‘national accreditation body’ means a national accreditation body as defined in point (11) of Article 2 of Accreditation and Market Surveillance Regulation;
(17) ‘conformity assessment’ means a conformity assessment as defined in point (12) of Article 2 of Accreditation and Market Surveillance Regulation;
(18) ‘conformity assessment body’ means a conformity assessment body as defined in point (13) of Article 2 of Accreditation and Market Surveillance Regulation;
(19) ‘standard’ means a standard as defined in point (1) of Article 2 of European Standardisation Regulation;
(20) ‘technical specification’ means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service, ICT process or managed security service;
(21) ‘assurance level’ means a basis for confidence that an ICT product, ICT service, ICT process or managed security service meets the security requirements of a specific European cybersecurity certification scheme, and indicates the level at which an ICT product, ICT service, ICT process or managed security service has been evaluated but as such does not measure the security of the ICT product, ICT service, ICT process or managed security service concerned;
(22) ‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services, ICT processes or managed security services, which evaluates whether those ICT products, ICT services, ICT processes or managed security services meet the requirements of a specific European cybersecurity certification scheme.