L 194/2
EN
Official Journal of the European Union
19.7.2016
facilitate strategic cooperation between the Member States regarding the security of network and information systems. For that group to be effective and inclusive, it is essential that all Member States have minimum capabilities and a strategy ensuring a high level of security of network and information systems in their territory. In addition, security and notification requirements should apply to operators of essential services and to digital service providers to promote a culture of risk management and ensure that the most serious incidents are reported.
(5) The existing capabilities are not sufficient to ensure a high level of security of network and information systems within the Union. Member States have very different levels of preparedness, which has led to fragmented approaches across the Union. This results in an unequal level of protection of consumers and businesses, and undermines the overall level of security of network and information systems within the Union. Lack of common requirements on operators of essential services and digital service providers in turn makes it impossible to set up a global and effective mechanism for cooperation at Union level. Universities and research centres have a decisive role to play in spurring research, development and innovation in those areas.
(6) Responding effectively to the challenges of the security of network and information systems therefore requires a global approach at Union level covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators of essential services and digital service providers. However, operators of essential services and digital service providers are not precluded from implementing security measures that are stricter than those provided for under this Directive.
(7) To cover all relevant incidents and risks, this Directive should apply to both operators of essential services and digital service providers. However, the obligations on operators of essential services and digital service providers should not apply to undertakings providing public communication networks or publicly available electronic communication services within the meaning of Directive 2002/21/EC of the European Parliament and of the Council (1), which are subject to the specific security and integrity requirements laid down in that Directive, nor should they apply to trust service providers within the meaning of Regulation (EU) No 910/2014 of the European Parliament and of the Council (2), which are subject to the security requirements laid down in that Regulation.
(8) This Directive should be without prejudice to the possibility for each Member State to take the necessary measures to ensure the protection of the essential interests of its security, to safeguard public policy and public security, and to allow for the investigation, detection and prosecution of criminal offences. In accordance with Article 346 of the Treaty on the Functioning of the European Union (TFEU), no Member State is to be obliged to supply information the disclosure of which it considers to be contrary to the essential interests of its security. In this context, Council Decision 2013/488/EU (3) and non-disclosure agreements, or informal non-disclosure agreements such as the Traffic Light Protocol, are of relevance.
(9) Certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems. Whenever those Union legal acts contain provisions imposing requirements concerning the security of network and information systems or notifications of incidents, those provisions should apply if they contain requirements which are at least equivalent in effect to the obligations contained in this Directive. Member States should then apply the provisions of such sector-specific Union legal acts, including those relating to jurisdiction, and should not carry out the identification process for operators of essential services as defined by this Directive. In this context, Member States should provide information to the Commission on the application of such lex specialis provisions. In determining whether the requirements on the security of network and information systems and the notification of incidents contained in sector-specific Union legal acts are equivalent to those contained in this Directive, regard should only be had to the provisions of relevant Union legal acts and their application in the Member States.
(10) In the water transport sector, security requirements for companies, ships, port facilities, ports and vessel traffic services under Union legal acts cover all operations, including radio and telecommunication systems, computer systems and networks. Part of the mandatory procedures to be followed includes the reporting of all incidents and should therefore be considered as lex specialis, in so far as those requirements are at least equivalent to the corresponding provisions of this Directive.
(1) Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) (OJ L 108, 24.4.2002, p. 33).
(2) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
(3) Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, p. 1).