Article 4

Sector-specific Union legal acts

1.   Where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VII, shall not apply to such entities. Where sector-specific Union legal acts do not cover all entities in a specific sector falling within the scope of this Directive, the relevant provisions of this Directive shall continue to apply to the entities not covered by those sector-specific Union legal acts.

2.   The requirements referred to in paragraph 1 of this Article shall be considered to be equivalent in effect to the obligations laid down in this Directive where:

(a) cybersecurity risk-management measures are at least equivalent in effect to those laid down in Article 21(1) and (2); or

(b) the sector-specific Union legal act provides for immediate access, where appropriate automatic and direct, to the incident notifications by the CSIRTs, the competent authorities or the single points of contact under this Directive and where requirements to notify significant incidents are at least equivalent in effect to those laid down in Article 23(1) to (6) of this Directive.

3.   The Commission shall, by 17 July 2023, provide guidelines clarifying the application of paragraphs 1 and 2. The Commission shall review those guidelines on a regular basis. When preparing those guidelines, the Commission shall take into account any observations of the Cooperation Group and ENISA.

Frequently Asked Questions

Where a sector-specific EU legal act already requires essential or important entities to adopt cybersecurity risk-management measures or to notify significant incidents, and those requirements are at least equivalent in effect to NIS2, the corresponding NIS2 provisions (including supervision and enforcement under Chapter VII) do not apply to those entities. This avoids two overlapping regimes for the same obligation; the sector-specific act takes precedence only to the extent that its safeguards and notification duties are as effective as those set by NIS2.
Equivalence is assessed separately for the two kinds of obligation. Risk-management measures are equivalent when they are at least equivalent in effect to Article 21(1) and (2). Incident notification is equivalent when the sector-specific act gives the CSIRTs, competent authorities or single points of contact immediate access (where appropriate automatic and direct) to the notifications and its notification requirements are at least equivalent in effect to Article 23(1) to (6). In practice this means a sector-specific act can displace one set of NIS2 obligations while the other continues to apply.
If a sector-specific EU act covers only some of the entities in a sector that falls within the scope of NIS2, the entities it does not cover remain subject to the relevant NIS2 provisions, so every essential or important entity in the sector is bound by one regime or the other for risk management and incident reporting.
The European Commission was required to publish guidelines on the application of these equivalence rules by 17 July 2023 and must review them regularly, taking into account observations from the Cooperation Group and ENISA.
