Source: OJ L, 2024/2690, 18.10.2024

Artikel 4 Wiederholte Sicherheitsvorfälle

Summary What does Article 4 of the Cybersecurity measures and significant incidents for relevant entities say?

This article establishes an important aggregation rule that directly extends the significance thresholds set out in Article 3.

Where individual incidents would not qualify as significant on their own, Article 4 provides that they can be treated collectively as a single significant incident if certain conditions are met together.

It is essentially a safeguard against repeated low-level incidents being overlooked simply because no single occurrence crosses the reporting threshold.

Important points:

Relevant entities must treat multiple individually non-significant incidents as one significant incident if all three cumulative conditions are satisfied simultaneously.
The three conditions are: the incidents occurred at least twice within 6 months, share the same apparent root cause, and collectively meet the financial impact threshold in Article 3(1)(a).
All three criteria must be met together — this is a conjunctive test, not a disjunctive one.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Sicherheitsvorfälle, die einzeln betrachtet nach Artikel 3 nicht als erhebliche Sicherheitsvorfälle angesehen werden, gelten zusammengenommen als ein erheblicher Sicherheitsvorfall, wenn sie alle folgenden Kriterien erfüllen:

sie sind innerhalb von sechs Monaten mindestens zwei Mal aufgetreten;
sie haben dieselbe offensichtliche Ursache;
sie erfüllen zusammengenommen die in Artikel 3 Absatz 1 Buchstabe a aufgeführten Kriterien.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.

Relevant recitals