NIS2 Directive
Table of Contents
Chapter I – GENERAL PROVISIONS
Chapter II – COORDINATED CYBERSECURITY FRAMEWORKS
Chapter III – COOPERATION AT UNION AND INTERNATIONAL LEVEL
Chapter IV – CYBERSECURITY RISK-MANAGEMENT MEASURES AND REPORTING OBLIGATIONS
Chapter V – JURISDICTION AND REGISTRATION
Chapter VI – INFORMATION SHARING
Chapter VII – SUPERVISION AND ENFORCEMENT
Chapter VIII – DELEGATED AND IMPLEMENTING ACTS
Chapter IX – FINAL PROVISIONS
Recitals (144)
Annexes
Recital 28
(28) Digital Operational Resilience Act (DORA) of the European Parliament and of the Council should be considered to be a sector-specific Union legal act in relation to this Directive with regard to financial entities. The provisions of Digital Operational Resilience Act (DORA) relating to information and communication technology (ICT) risk management, management of ICT-related incidents and, in particular, major ICT-related incident reporting, as well as on digital operational resilience testing, information-sharing arrangements and ICT third-party risk should apply instead of those provided for in this Directive. Member States should therefore not apply the provisions of this Directive on cybersecurity risk-management and reporting obligations, and supervision and enforcement, to financial entities covered by Digital Operational Resilience Act (DORA). At the same time, it is important to maintain a strong relationship and the exchange of information with the financial sector under this Directive. To that end, Digital Operational Resilience Act (DORA) allows the European Supervisory Authorities (ESAs) and the competent authorities under that Regulation to participate in the activities of the Cooperation Group and to exchange information and cooperate with the single points of contact, as well as with the CSIRTs and the competent authorities under this Directive. The competent authorities under Digital Operational Resilience Act (DORA) should also transmit details of major ICT-related incidents and, where relevant, significant cyber threats to the CSIRTs, the competent authorities or the single points of contact under this Directive. This is achievable by providing immediate access to incident notifications and forwarding them either directly or through a single entry point. Moreover, Member States should continue to include the financial sector in their cybersecurity strategies and CSIRTs can cover the financial sector in their activities.