The European Commission has published guidelines explaining how to apply Article 4 of NIS2, that is, when NIS2 applies directly and when it is displaced by cybersecurity requirements in other sector-specific EU legislation (lex specialis). The document helps organisations and institutions understand how equivalence of obligations (risk management and incident reporting) is assessed, and what equivalence means for supervision and enforcement.
The guidelines explain the relationship between NIS2 and current and future EU sector-specific legal acts that introduce cybersecurity risk management measures or incident reporting obligations.
If a sector-specific EU legal act requires entities to implement risk management measures or report incidents, and these requirements are at least equivalent “in terms of effect” to NIS2, then the relevant NIS2 provisions (including those on supervision and enforcement) do not apply to those entities.
Sectoral risk-management requirements are considered equivalent if they are at least as demanding in effect as the measures set out in Article 21(1) and (2) of NIS2; they may be more detailed or more prescriptive than NIS2, but not weaker.
The obligation to implement appropriate and proportionate measures (based on a risk analysis) applies to all of the entity’s operations and services, not just selected IT assets or individual critical services.
The guidelines remind us that security encompasses resilience against incidents compromising availability, authenticity, integrity, and confidentiality, and that “networks and information systems” also include hardware, firmware, and software used in operations.
Risk management measures are intended to protect not only against cyberattacks, but also against events such as sabotage, theft, fire, flood, communication or power failure, and unauthorized physical access (as these can also lead to incidents).
NIS2 provides for multi-stage reporting of significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report (as a rule) within one month of the notification, with the possibility of intermediate reports in between. A sectoral reporting regime is assessed against this timeline and scope when equivalence is judged.
If sectoral requirements are equivalent, then not only do the NIS2 obligations on risk management and reporting cease to apply, but so do the supervision and enforcement provisions of Chapter VII of NIS2. Supervision of those obligations then follows the sector-specific act rather than NIS2.
In addition, DORA is identified as a sector-specific legal act of this kind for financial entities that fall within its scope. For those entities, DORA takes the place of NIS2 with respect to the specified obligations (ICT risk management and incident reporting), while any other NIS2 provisions not covered by DORA continue to apply.
