icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by RDSPs for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (Assimilated Law)RecitalArticle 1 Subject matterArticle 1A InterpretationArticle 2 Security elementsArticle 3 Parameters to be taken into account to determine whether the impact of an incident is substantialArticle 4 Substantial impact of an incidentArticle 5 Entry into forceDone at
Page Overview
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 10th January 2025
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application
PreviousNext
Version status: | Document consolidation status: Assimilated law updated to reflect all known changes
Version date: 20 February 2020 - onwards
Version 2 of 2

Recital

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [OJ L 194, 19.7.2016, p. 1.], and in particular Article 16(8) thereof,

Whereas:

(1) In accordance with Directive (EU) 2016/1148, RDSPs remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risk posed to the security of their network and information systems, as long as those measures ensure an appropriate level of security and take into account the elements provided for in that Directive.

(2) When identifying the appropriate and proportionate technical and organisational measures, the RDSP should approach information security in a systematic way, using a risk-based approach.

(3) In order to ensure the security of systems and facilities, RDSPs should perform assessment and analysis procedures. These activities should concern the systematic management of network and information systems, the physical and environmental security, the security of supplies and the access controls.

PreviousNext