DECISION OF THE EEA JOINT COMMITTEE No 21/2023

of 3 February 2023

amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement [ 2023/2310]

THE EEA JOINT COMMITTEE,

Having regard to the Agreement on the European Economic Area (“the EEA Agreement”), and in particular Article 98 thereof,

Whereas:

(1) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union ( 1 ) is to be incorporated into the EEA Agreement.

(2) Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact ( 2 ) is to be incorporated into the EEA Agreement.

(3) For the EEA Agreement to function well, Protocol 37 to the EEA Agreement is to be extended to include the Cooperation Group set up by Directive (EU) 2016/1148.

(4) Annex XI and Protocol 37 to the EEA Agreement should therefore be amended accordingly,

HAS ADOPTED THIS DECISION:

Article 1

The following is inserted after point 5cp (Regulation (EU) No 526/2013 of the European Parliament and of the Council) of Annex XI to the EEA Agreement:

‘5cpa.

32016 L 1148 : Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union ( OJ L 194, 19.7.2016, p. 1 ).

Modalities for association of the EFTA States in accordance with Article 101 of the Agreement:

The EFTA States shall participate fully in the Cooperation Group and shall within it have the same rights and obligations as EU Member States, except for the right to vote.

5cpaa.

32018 R 0151 : Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact ( OJ L 26, 31.1.2018, p. 48 ).’

Article 2

The following point is added in Protocol 37 to the EEA Agreement:

‘47.

The Cooperation Group (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union).’

Article 3

The texts of Directive (EU) 2016/1148 and Implementing Regulation (EU) 2018/151 in the Icelandic and Norwegian languages, to be published in the EEA Supplement to the Official Journal of the European Union , shall be authentic.

Article 4

This Decision shall enter into force on 4 February 2023, provided that all the notifications under Article 103(1) of the EEA Agreement have been made ( *1 ) .

Article 5

This Decision shall be published in the EEA Section of, and in the EEA Supplement to, the Official Journal of the European Union .

Done at Brussels, 3 February 2023.

For the EEA Joint Committee

The President

Nicolas VON LINGEN

( 1 ) OJ L 194, 19.7.2016, p. 1 .

( 2 ) OJ L 26, 31.1.2018, p. 48 .

( *1 ) Constitutional requirements indicated.

ELI: http://data.europa.eu/eli/dec/2023/2310/oj

ISSN 1977-0677 (electronic edition)