Source: OJ L, 2024/2690, 18.10.2024

Artikel 4 Återkommande incidenter

Summary What does Article 4 of the Cybersecurity measures and significant incidents for relevant entities say?

This article establishes an important aggregation rule that directly extends the significance thresholds set out in Article 3.

Where individual incidents would not qualify as significant on their own, Article 4 provides that they can be treated collectively as a single significant incident if certain conditions are met together.

It is essentially a safeguard against repeated low-level incidents being overlooked simply because no single occurrence crosses the reporting threshold.

Important points:

Relevant entities must treat multiple individually non-significant incidents as one significant incident if all three cumulative conditions are satisfied simultaneously.
The three conditions are: the incidents occurred at least twice within 6 months, share the same apparent root cause, and collectively meet the financial impact threshold in Article 3(1)(a).
All three criteria must be met together — this is a conjunctive test, not a disjunctive one.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

Incidenter som var för sig inte anses som en betydande incident i den mening som avses i artikel 3 ska kollektivt anses som en betydande incident om samtliga följande kriterier är uppfyllda:

De har inträffat minst två gånger inom sex månader.
De verkar ha samma grundorsak.
De uppfyller kollektivt kriterierna i artikel 3.1 a.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.

Relevant recitals