Article 3 – Significant incidents
(a) the incident has caused or is capable of causing financial loss for the relevant entity that exceeds EUR 100 000 or 5 % of the relevant entity’s annual turnover, whichever is lower;
(b) the incident has caused or is capable of causing considerable reputational damage to the relevant entity in accordance with paragraph 2.
(c) the incident has caused or is capable of causing the exfiltration of trade secrets as set out in Article 2(1), point (1), of Directive (EU) 2016/943 of the relevant entity;
(d) the incident has caused or is capable of causing the death of a natural person;
(e) the incident has caused or is capable of causing considerable damage to a natural person’s health;
(f) a successful, suspectedly malicious and unauthorised access to network and information systems occurred;
(g) the incident meets the criteria set out in Article 4;
(h) the incident meets one or more of the criteria set out in Articles 5 to 14.
2. For the purposes of determining the existence of a considerable reputational damage of an incident in accordance with paragraph 1, point (b) the relevant entities shall take into account whether one or more of the following criteria are met:
(a) the incident has been reported in the media;
(b) the incident has resulted in complaints from different users or critical business relationships;
(c) the entity will not be able to or is likely not to be able to meet regulatory requirements as a result of the incident;
(d) the entity is likely to lose customers with a material impact on its business as a result of the incident.
3. Planned consequences of maintenance operations carried out by or on behalf of the relevant entities shall not be considered to be significant incidents.
4. When calculating the number of users impacted by an incident for the purpose of Articles 7 and 9 to 14, the relevant entities shall consider all of the following:
(a) the number of customers that have a contract with the relevant entity which grants them access to the relevant entity’s network and information systems or services offered by, or accessible via, those network and information systems;
(b) the number of natural and legal persons associated with business customers that use the entities’ network and information systems or services offered by, or accessible via, those network and information systems.