1. Member States shall ensure that, in order to implement Article 40, the competent authorities have the power to issue binding instructions, including those regarding the measures required to remedy a security incident or prevent one from occurring when a significant threat has been identified and time-limits for implementation, to providers of public electronic communications networks or publicly available electronic communications services.
2. Member States shall ensure that competent authorities have the power to require providers of public electronic communications networks or publicly available electronic communications services to:
(a) provide information needed to assess the security of their networks and services, including documented security policies; and
(b) submit to a security audit carried out by a qualified independent body or a competent authority and make the results thereof available to the competent authority; the cost of the audit shall be paid by the provider.
…