Article Index (EU) 2022/2554
Chapter I – General Provisions (Art. 1–4)
| Article | Topic |
|---|---|
| Art. 1 | Subject matter |
| Art. 2 | Scope of application |
| Art. 3 | Definitions |
| Art. 4 | Relationship to NIS2 (lex specialis) |
Chapter II – ICT Risk Management (Art. 5–16)
| Article | Topic | RTS |
|---|---|---|
| Art. 5 | Governance and organisation | – |
| Art. 6 | ICT risk management framework | 2024/1774 |
| Art. 7 | ICT systems, protocols, and tools | 2024/1774 |
| Art. 8 | Identification (asset inventory) | 2024/1774 |
| Art. 9 | Protection and prevention | 2024/1774 |
| Art. 10 | Detection | 2024/1774 |
| Art. 11 | Response and recovery | 2024/1774 |
| Art. 12 | Backup policies | 2024/1774 |
| Art. 13 | Learning and evolving | – |
| Art. 14 | Communication | – |
| Art. 15 | Empowerment for RTS | 2024/1774 |
| Art. 16 | Simplified framework | – |
Chapter III – Incident Management (Art. 17–23)
| Article | Topic | RTS/ITS |
|---|---|---|
| Art. 17 | General requirements | – |
| Art. 18 | Classification | 2024/1772 |
| Art. 19 | Reporting of major incidents | 2025/301, 2025/302 |
| Art. 20 | Empowerment for RTS/ITS | 2025/301, 2025/302 |
| Art. 21–23 | Centralisation, feedback, cross-border | – |
Chapter IV – Resilience Testing (Art. 24–27)
| Article | Topic | RTS |
|---|---|---|
| Art. 24–25 | General, baseline tests | – |
| Art. 26–27 | TLPT | 2025/1190 |
Chapter V – Third-Party Risk (Art. 28–44)
| Article | Topic | RTS/ITS |
|---|---|---|
| Art. 28 | Principles, register | ITS 2024/2956 |
| Art. 29 | Concentration risk | – |
| Art. 30 | Contracts | 2024/1773, 2025/532 |
| Art. 31 | CTPP designation | Del. Reg. 2024/1502 |
| Art. 32–39 | Oversight | 2025/295 |
| Art. 40 | JET | 2025/420 |
| Art. 43 | Fees | Del. Reg. 2024/1505 |
Chapter VI – Information Sharing (Art. 45)
| Article | Topic |
|---|---|
| Art. 45 | Voluntary sharing |
Chapters VII–IX (Art. 46–64)
Authorities, transitional and final provisions.