Article 42: Amendment of Regulation (EU) No 910/2014

Article 42 requires you to stop treating eIDAS Article 19 as an active EU requirement because it is deleted effective 18 October 2024. Operationalize this by updating your compliance obligations register, control mappings, and incident/assurance playbooks that referenced Article 19, then retaining evidence that your program reflects the post-October 2024 legal baseline. (Directive (EU) 2022/2555, Article 42)

Key takeaways:

  • Remove or re-map any controls, policies, or contract clauses that cite eIDAS Article 19 as a current obligation after 18 October 2024. (Directive (EU) 2022/2555, Article 42)
  • Document the decision trail: what changed, who approved it, and how downstream requirements are still covered through other controls. (Directive (EU) 2022/2555, Article 42)
  • Treat this as an “obligation hygiene” requirement: exam readiness depends on accurate, current legal references and ownership. (Directive (EU) 2022/2555, Article 42)

Article 42 of NIS 2 is short, but it creates a real operational obligation: your governance system must reflect that eIDAS Regulation (EU) No 910/2014 no longer contains Article 19 as of 18 October 2024. (Directive (EU) 2022/2555, Article 42) The common failure mode is not “noncompliance with deleted text”; it is running a compliance program that still cites, tests, or contractually commits to a legal provision that no longer exists. That becomes a problem during audits, supervisory reviews, and customer due diligence because it signals weak regulatory change management and poor control-to-law traceability.

This page tells a CCO, GRC lead, or Compliance Officer exactly what to change in your obligation inventory, policy library, control mappings, third-party templates, and evidence pack so your program remains current. The goal is fast operationalization: assign an owner, identify every place Article 19 appears, decide the replacement requirement (if any), update artifacts, and keep a clean audit trail that proves you handled the legal change in a controlled way. (Directive (EU) 2022/2555, Article 42)

Requirement: Article 42: Amendment of Regulation (EU) No 910/2014 (what it means in practice)

Plain-English interpretation: NIS 2 changes eIDAS by deleting eIDAS Article 19 effective 18 October 2024. (Directive (EU) 2022/2555, Article 42) For operators, the requirement is to remove reliance on a deleted legal hook and to update internal references and compliance mappings so your program accurately reflects the post-change state of EU law.

What this is not: a mandate to implement a new security control by itself. Article 42 is a legal amendment. Your operational work is governance hygiene: legal mapping, documentation updates, and assurance that nothing in your compliance stack depends on an obsolete citation. (Directive (EU) 2022/2555, Article 42)

Regulatory text

“In Regulation (EU) No 910/2014, Article 19 is deleted with effect from 18 October 2024.” (Directive (EU) 2022/2555, Article 42)

Operator translation (what you must do):

  1. Identify where your organization references eIDAS Article 19 (obligation registers, policies, standards, contract templates, audit procedures, control narratives, customer assurance responses).
  2. Decide what replaces that reference (another legal citation, an internal policy requirement, or a control objective) or whether it should be removed without replacement.
  3. Update and approve the changed documents with proper versioning and sign-off.
  4. Retain evidence that the change was managed and implemented (not just drafted). (Directive (EU) 2022/2555, Article 42)

Who it applies to (entity + operational context)

This requirement applies to any organization that maintains a compliance mapping or control framework that includes eIDAS references and is aligning to NIS 2 obligations. (Directive (EU) 2022/2555, Article 42) In practice, it shows up in:

  • Regulated entities in NIS 2 scope that maintain a legal register and need accurate citations for supervisory engagement. (Directive (EU) 2022/2555)
  • Trust service providers and businesses reliant on digital identity or e-signatures, where eIDAS citations appear in security policies, assurance packs, and customer contracts.
  • Organizations with third-party risk programs that impose eIDAS-linked requirements on providers (for example, identity proofing, certificate management, secure authentication) and have baked those into templates.

If your program never referenced eIDAS Article 19 anywhere, your work is still to confirm that and record the check as part of regulatory change management. (Directive (EU) 2022/2555, Article 42)

What you actually need to do (step-by-step)

Step 1: Assign ownership and open a tracked change record

  • Assign a control owner (usually Legal/Compliance with GRC support).
  • Create a tracked “regulatory change” ticket that cites the excerpt and effective date. (Directive (EU) 2022/2555, Article 42)
  • Define scope: which business lines, jurisdictions, and document repositories are in-bounds.

Practical tip: If you run Daydream, open a single requirement record and link all affected controls, policies, and third-party templates so you can show a one-to-many impact chain during an audit.

Step 2: Locate every reference to “eIDAS Article 19”

Run a targeted search across:

  • Compliance obligations register / legal inventory
  • Control library (control statements and mappings)
  • Policy set (security policy, identity policy, crypto/key management standard, incident handling standard)
  • Audit work programs and test scripts
  • Contract templates (MSA, DPA exhibits, security schedules), supplier/security addenda
  • Customer assurance collateral (SOC bridge letters, security whitepapers, SIG/CAIQ responses, trust center FAQs)

Output artifact: a reference inventory listing each document, section, owner, and remediation action.

Step 3: Decide disposition for each reference (remove, replace, or map)

Use a simple decision matrix:

| Reference type | Risk if left unchanged | Action | Approval needed |
|---|---|---|---|
| Legal register entry citing eIDAS Article 19 | Outdated legal basis; weak change management | Replace with “Deleted effective 18 October 2024; no longer applicable” note | Compliance + Legal |
| Control mapped directly to Article 19 | Control-to-law trace breaks | Re-map to applicable requirement (if one exists) or to internal control objective | Control owner + GRC |
| Contract clause requiring compliance with Article 19 | Contract commits to non-existent provision; negotiation friction | Update clause to a current standard or “as amended” drafting | Legal + Procurement |
| Audit procedure testing “Article 19 compliance” | Wasted testing; misleading results | Update test objective to the real control intent | Audit/Assurance lead |

Keep the reasoning short and explicit. Examiners care that you can explain why a change did or did not require a control change.

Step 4: Update documents with clean version control

For each impacted artifact:

  • Update the citation text.
  • Update cross-references (annexes, glossaries, citation lists).
  • Push through your normal document governance (review, approval, publication).
  • Notify stakeholders (security, procurement, third-party management, internal audit) of the update and what they must stop using. (Directive (EU) 2022/2555, Article 42)

Step 5: Validate downstream operational workflows still work

Even though Article 42 is a deletion, it can create operational gaps if you used Article 19 as the justification for real processes. Validate three areas that often depended on “legal hook” language:

  1. Incident handling and evidence retention: confirm your incident triage and escalation workflow is still anchored to current obligations and internal policy requirements.
  2. Third-party dependency governance: confirm critical third parties remain captured in risk assessments, remediation tracking, and assurance cycles.
  3. Assurance responses: update customer and regulator Q&A templates so staff do not cite deleted law.

If you need a stable operating model, anchor the work in three controls:

  • Maintain an obligation register with jurisdictional applicability, owners, and milestones.
  • Codify incident triage, escalation, reporting triggers, and evidence retention.
  • Integrate critical third-party dependencies into risk assessment and assurance. (Directive (EU) 2022/2555, Article 42)

Required evidence and artifacts to retain (exam-ready pack)

Keep evidence that proves change management happened and materials in use are current:

  • Regulatory change record referencing Article 42 and the deletion effective date. (Directive (EU) 2022/2555, Article 42)
  • Search results and reference inventory (where Article 19 was found, or documented “no hits”).
  • Redlined updates to policies/standards/templates showing removal or replacement of Article 19 references.
  • Approval records (Legal/Compliance sign-off; policy committee minutes; procurement template approval).
  • Published versions of updated documents with effective dates and version numbers.
  • Training or internal comms showing teams were told to stop using outdated templates.
  • Control mapping update (old mapping → new mapping or “retired mapping” decision with rationale).

Common exam/audit questions and hangups

Expect questions like:

  • “Show me where you track NIS 2 legal changes and how you implement them.” (Directive (EU) 2022/2555)
  • “Where did you previously reference eIDAS Article 19, and what replaced it?”
  • “How do you prevent staff from reusing old contract templates?”
  • “Who approved the decision that no replacement control was required?”

Hangup that causes findings: teams update the legal register but forget contracting boilerplate and customer assurance collateral, which are the most likely places an outdated citation survives.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating the deletion as “no work required.”
    Fix: record the determination, run the search, and retain the “no references found” evidence. Supervisors test governance, not intentions. (Directive (EU) 2022/2555, Article 42)

  2. Mistake: Removing the citation but leaving the control orphaned.
    Fix: if a control existed for good reasons (identity security, credential management, incident response), keep the control and re-anchor it to an internal standard or other applicable obligation.

  3. Mistake: Updating policies but not procurement and third-party processes.
    Fix: include procurement templates, security schedules, and supplier onboarding questionnaires in the reference inventory.

  4. Mistake: No owner, no deadline, no evidence.
    Fix: assign an accountable owner and keep a single source of truth (a tracked ticket plus linked artifacts).

Enforcement context and risk implications

No public enforcement cases were provided in the supplied sources for Article 42. (Directive (EU) 2022/2555, Article 42) Your risk is indirect but real:

  • Supervisory credibility risk: outdated citations suggest weak regulatory change management, which can increase scrutiny across your NIS 2 program. (Directive (EU) 2022/2555)
  • Contract and assurance risk: customers or third parties may challenge your security schedules if they cite deleted provisions.
  • Operational risk: teams can waste time testing or reporting against the wrong reference, then miss the real requirement they should have been meeting.

Practical 30/60/90-day execution plan

Because the effective date is fixed in the requirement text, run this as a structured change. (Directive (EU) 2022/2555, Article 42)

First 30 days (Immediate stabilization)

  • Open the regulatory change record; assign Compliance/Legal owner. (Directive (EU) 2022/2555, Article 42)
  • Complete enterprise search and build the reference inventory.
  • Freeze outdated templates (procurement/security schedules) in shared repositories to prevent reuse.
  • Draft updates for the highest-risk artifacts: legal register entry, contract templates, customer assurance boilerplate.

Next 60 days (Implementation and governance)

  • Complete approvals and publish updated policies/standards/templates.
  • Update the control library mappings and test procedures (internal audit or GRC testing scripts).
  • Update third-party onboarding and due diligence questionnaires that cite Article 19.
  • Send targeted communications to procurement, security, sales engineering, and assurance teams.

Next 90 days (Assurance hardening)

  • Run a spot-check: sample contracts and assurance responses created recently; confirm no Article 19 references remain.
  • Confirm Daydream (or your GRC system) shows a closed-loop change record with linked evidence artifacts.
  • Add a standing control: quarterly legal citation validation for high-risk regulatory mappings (frequency is a governance choice; document your rationale). (Directive (EU) 2022/2555)

Frequently Asked Questions

Do we need to implement new security controls because of Article 42?

Article 42 itself is a legal deletion of eIDAS Article 19, effective 18 October 2024. (Directive (EU) 2022/2555, Article 42) Your operational task is to remove or re-map references so controls are anchored to current obligations.

What if our policies cite eIDAS Article 19, but the control is still sensible?

Keep the control if it supports your risk posture, then re-anchor it to an internal policy requirement or another applicable obligation in your obligations register. Record the mapping decision and approval trail. (Directive (EU) 2022/2555, Article 42)

We don’t think we reference Article 19 anywhere. What evidence should we keep?

Retain the search scope and results (repositories checked, keywords used) and a short memo or ticket entry stating “no references found.” That demonstrates that your regulatory change management process operated. (Directive (EU) 2022/2555, Article 42)

Does this affect third-party contracts?

It can if your security schedules or compliance clauses explicitly require compliance with “eIDAS Article 19.” Update templates and consider contract repapering only where the clause is material or actively negotiated. (Directive (EU) 2022/2555, Article 42)

How should we reflect this in our obligations register?

Add or update the entry to show that eIDAS Article 19 is deleted effective 18 October 2024, and mark it as no longer applicable after that date. Link the change record and impacted artifacts. (Directive (EU) 2022/2555, Article 42)

How can Daydream help without turning this into a big project?

Use Daydream to maintain a single obligation record, assign an owner, link impacted controls/policies/templates, and store the evidence pack (search inventory, redlines, approvals). That gives you an audit-ready chain from legal change to operational updates. (Directive (EU) 2022/2555, Article 42)
