Cybersecurity risk-management measures should be proportionate to the degree of the essential or important entity’s exposure to risks and to the societal and economic impact that an incident would have. When establishing cybersecurity risk-management measures adapted to essential and important entities, due account should be taken of the divergent risk exposure of essential and important entities, such as the criticality of the entity, the risks, including societal risks, to which it is exposed, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
NIS2 Recital EN
Recital 82
Related across sources
News CNIL (France) - SAN-2025-015 Guidance Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 Guidance Guidelines 02/2022 on the application of Article 60 GDPR Guidance Guidelines 8/2020 on the targeting of social media users Guidance Guidelines 03/2021 on the application of Article 65(1)(a) GDPR News Complaint: Amazon doesn’t allow baseline TLS security