27.12.2022
EN
Official Journal of the European Union
L 333/81
undermine user confidence and cause major damage to the Union’s economy and society. Cybersecurity
preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal
market. Moreover, cybersecurity is a key enabler for many critical sectors to successfully embrace the digital
transformation and to fully grasp the economic, social and sustainable benefits of digitalisation.
(4)
The legal basis of Directive (EU) 2016/1148 was Article 114 of the Treaty on the Functioning of the European Union
(TFEU), the objective of which is the establishment and functioning of the internal market by enhancing measures for
the approximation of national rules. The cybersecurity requirements imposed on entities providing services or
carrying out activities which are economically significant vary considerably among Member States in terms of type
of requirement, their level of detail and the method of supervision. Those disparities entail additional costs and
create difficulties for entities that offer goods or services across borders. Requirements imposed by one Member
State that are different from, or even in conflict with, those imposed by another Member State, may substantially
affect such cross-border activities. Furthermore, the possibility of the inadequate design or implementation of
cybersecurity requirements in one Member State is likely to have repercussions at the level of cybersecurity of other
Member States, in particular given the intensity of cross-border exchanges. The review of Directive (EU) 2016/1148
has shown a wide divergence in its implementation by Member States, including in relation to its scope, the
delimitation of which was very largely left to the discretion of the Member States. Directive (EU) 2016/1148 also
provided the Member States with very wide discretion as regards the implementation of the security and incident
reporting obligations laid down therein. Those obligations were therefore implemented in significantly different
ways at national level. There are similar divergences in the implementation of the provisions of Directive (EU)
2016/1148 on supervision and enforcement.
(5)
All those divergences entail a fragmentation of the internal market and can have a prejudicial effect on its
functioning, affecting in particular the cross-border provision of services and the level of cyber resilience due to the
application of a variety of measures. Ultimately, those divergences could lead to the higher vulnerability of some
Member States to cyber threats, with potential spill-over effects across the Union. This Directive aims to remove
such wide divergences among Member States, in particular by setting out minimum rules regarding the functioning
of a coordinated regulatory framework, by laying down mechanisms for effective cooperation among the
responsible authorities in each Member State, by updating the list of sectors and activities subject to cybersecurity
obligations and by providing effective remedies and enforcement measures which are key to the effective
enforcement of those obligations. Therefore, Directive (EU) 2016/1148 should be repealed and replaced by this
Directive.
(6)
With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part
of the economy to provide a comprehensive coverage of sectors and services of vital importance to key societal and
economic activities in the internal market. In particular, this Directive aims to overcome the shortcomings of the
differentiation between operators of essential services and digital service providers, which has been proven to be
obsolete, since it does not reflect the importance of the sectors or services for the societal and economic activities in
the internal market.
(7)
Under Directive (EU) 2016/1148, Member States were responsible for identifying the entities which met the criteria
to qualify as operators of essential services. In order to eliminate the wide divergences among Member States in that
regard and ensure legal certainty as regards the cybersecurity risk-management measures and reporting obligations
for all relevant entities, a uniform criterion should be established that determines the entities falling within the
scope of this Directive. That criterion should consist of the application of a size-cap rule, whereby all entities which
qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation
2003/361/EC (5), or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article,
and which operate within the sectors and provide the types of service or carry out the activities covered by this
(5) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises
(OJ L 124, 20.5.2003, p. 36).