Article 43: Amendment of Directive (EU) 2018/1972
The Article 43 amendment of Directive (EU) 2018/1972 means you must update your compliance mapping for EU electronic communications rules, because Articles 40 and 41 of Directive (EU) 2018/1972 are deleted with effect from 18 October 2024. Operationally, remove any controls, policies, or reporting obligations that rely on those deleted articles and document the change in your obligation register. (Directive (EU) 2022/2555, Article 43)
Key takeaways:
- Treat Article 43 as a governance-and-mapping change: identify and retire dependencies on deleted Articles 40 and 41 of Directive (EU) 2018/1972. (Directive (EU) 2022/2555, Article 43)
- Update your obligation register, control library, and legal citations so audits don’t show “orphaned” requirements past the effective date. (Directive (EU) 2022/2555, Article 43)
- Keep evidence of the assessment, decisions, and updates, even if the outcome is “no impact,” because examiners will ask how you validated applicability. (Directive (EU) 2022/2555, Article 43)
This requirement is easy to misunderstand because it does not read like a typical security mandate. Article 43 is a legal amendment inside NIS 2 that deletes two articles (40 and 41) from Directive (EU) 2018/1972 with effect from 18 October 2024. That single sentence creates real operational work for a Compliance Officer or GRC lead: you need to find where your organization cites or implements those deleted provisions, decide what still applies under other rules, then update your compliance system so it remains accurate and defensible. (Directive (EU) 2022/2555, Article 43)
Most teams treat “amendments” as legal-only housekeeping. That is where audit findings start. If your policy references a deleted legal basis, your control could be challenged as mis-scoped, your training could teach outdated obligations, and your compliance register could mislead business owners. Article 43 is therefore a requirement about disciplined regulatory change management: track the change, assess impact, update documentation, and preserve a clean evidence trail showing you did it intentionally. (Directive (EU) 2022/2555, Article 43)
Regulatory text
Regulatory excerpt: “In Directive (EU) 2018/1972, Articles 40 and 41 are deleted with effect from 18 October 2024.” (Directive (EU) 2022/2555, Article 43)
Operator meaning (what you must do):
- Stop treating Articles 40 and 41 of Directive (EU) 2018/1972 as live obligations after the effective date. You cannot keep them as authoritative citations in your compliance program once deleted. (Directive (EU) 2022/2555, Article 43)
- Perform and document an impact assessment to determine whether any internal requirements, controls, or third-party contract clauses were anchored to those articles. (Directive (EU) 2022/2555, Article 43)
- Update compliance mappings and artifacts (obligation register, control narratives, policies, procedures, training references, and audit test steps) to remove or replace the deleted references. (Directive (EU) 2022/2555, Article 43)
Plain-English interpretation of the requirement
Article 43 is a “delete and clean up” requirement. It does not add new cybersecurity controls by itself; it changes the legal landscape you are mapping against. Your job is to ensure your compliance program reflects that, and that business teams are not held to requirements that no longer exist in that form. (Directive (EU) 2022/2555, Article 43)
A practical way to interpret it:
- If you never referenced Articles 40/41: you still need evidence that you checked.
- If you referenced them anywhere: you need to update the citation and confirm what obligation (if any) remains under another authority, then re-map controls accordingly. (Directive (EU) 2022/2555, Article 43)
Who it applies to (entity and operational context)
Applies to: organizations running an EU-facing compliance program for NIS 2 and/or EU electronic communications obligations where your internal control framework includes legal citations to Directive (EU) 2018/1972. (Directive (EU) 2022/2555, Article 43)
Operational contexts where this surfaces:
- Regulatory obligation registers (legal basis fields, mapped-to-control tables, jurisdictional overlays).
- Internal policies and standards that cite EU telecom/electronic communications rules.
- Third-party governance if you require certain incident notifications, resilience commitments, or cooperation duties “per Directive (EU) 2018/1972 Articles 40/41” in contracts, DPAs, or security addenda.
- Audit and assurance where test scripts cite laws directly.
Even if you are not a telecom provider, this can still hit you through inherited templates, boilerplate contract language, or copied legal citations in policies.
What you actually need to do (step-by-step)
1) Assign an owner and open a tracked change item
- Create a tracked compliance change ticket titled: “Article 43: Amendment of Directive (EU) 2018/1972 – deletion of Articles 40 and 41.” (Directive (EU) 2022/2555, Article 43)
- Assign one accountable owner (usually Legal/Regulatory Compliance) and two operational partners (Security GRC and Procurement/Vendor Management) because references often live in controls and contracts.
Deliverable: change record with scope, stakeholders, and decision log.
2) Locate every dependency on Directive (EU) 2018/1972 Articles 40/41
Search in:
- Obligation register (citations, notes, applicability fields)
- Policy repository (security policy, incident response plan, regulatory appendices)
- Control library (control statements and “authority” tags)
- Contract templates and executed agreements (search for “2018/1972”, “Article 40”, “Article 41”)
- Training content (slides, LMS modules, quick-reference guides)
Tip for serious operators: keep the output as a reproducible export (query results, screenshots, repository search logs). Auditors often ask how you ensured completeness.
3) Perform the impact assessment and decide the disposition
For each hit, classify it:
| Item found | Risk if left unchanged | Required action |
|---|---|---|
| Citation to Articles 40/41 in obligation register | Orphaned requirement; inaccurate mapping | Remove or replace citation; add note “deleted effective 18 Oct 2024” with reference to Article 43. (Directive (EU) 2022/2555, Article 43) |
| Control objective explicitly tied to Articles 40/41 | Control may be mis-scoped or untestable | Re-map to correct authority (if any), or retire control and update control rationale. (Directive (EU) 2022/2555, Article 43) |
| Contract clause referencing Articles 40/41 | Contractual ambiguity; counterpart disputes | Amend template language; evaluate whether executed contracts need addenda based on materiality. |
| Training content quoting Articles 40/41 | Staff trained on outdated obligations | Update materials; log version change and re-issue guidance. |
Decision rule: If you cannot clearly justify why a deleted legal reference remains in a document, remove it or replace it with the correct current basis.
4) Update core compliance artifacts (minimum set)
- NIS 2 obligation register:
  - Mark Articles 40/41 dependencies as “retired due to deletion” and record the effective date context. (Directive (EU) 2022/2555, Article 43)
  - Add an entry for Article 43 as a governance change item linked to impacted controls. (Directive (EU) 2022/2555, Article 43)
- Control narratives and test procedures:
  - Remove outdated legal citations from control language.
  - Update test steps so auditors do not test against deleted authorities.
- Incident triage/escalation workflows (if referenced):
  - Confirm your incident reporting obligations are grounded in the correct, current requirements and not in the deleted articles.
  - Document the validation outcome. (Directive (EU) 2022/2555, Article 43)
- Third-party risk management (if referenced):
  - Update standard security addenda and third-party questionnaires to avoid deleted legal anchors.
  - Ensure critical third-party dependencies remain covered via your risk assessment and assurance approach (e.g., security requirements, incident notice timelines, cooperation language), even if the legal citation changes.
5) Validate and make it “exam-ready”
Run a “red team” check on your own program:
- Can you show an auditor the before/after for each impacted artifact?
- Can you show who approved the change and when?
- Can you explain how you ensured you didn’t miss contract templates or legacy policy PDFs?
Where teams get stuck: they update the obligation register but forget the evidence trail and downstream artifacts.
6) Operationalize ongoing change management
Article 43 is a prompt to tighten your regulatory change management discipline:
- Add a standing control: “Regulatory amendments are assessed, mapped, and reflected in policies/controls within the compliance governance cycle.”
- Keep a lightweight cadence for checking EU legal amendments relevant to your mapped obligations. (Directive (EU) 2022/2555, Article 43)
If you use Daydream, treat this requirement as a trigger to:
- Maintain a single obligation register with jurisdictional applicability notes and named control owners.
- Tie each legal change to concrete tasks, approvals, and evidence so your audit pack is assembled continuously, not at exam time.
Required evidence and artifacts to retain
Keep evidence that proves you found the issue, assessed it, and updated the program:
- Regulatory change record referencing Article 43 and the deletion effective date. (Directive (EU) 2022/2555, Article 43)
- Search evidence (repository searches, contract repository query outputs, obligation register exports).
- Impact assessment worksheet listing each impacted document/control/contract clause, owner, and disposition.
- Approvals (Legal sign-off, GRC approval, Procurement acknowledgement if templates changed).
- Version history of updated policies/standards/training and control narratives.
- Communication log showing who was notified (policy owners, contract template owners, incident response owners).
Common exam/audit questions and hangups
Expect auditors or supervisors to ask:
- “Show me where your program accounts for amendments in NIS 2, including Article 43.” (Directive (EU) 2022/2555, Article 43)
- “How did you identify all references to Directive (EU) 2018/1972 Articles 40 and 41 across policies, controls, and third-party contracts?”
- “What did you change, and who approved it?”
- “If you removed obligations, how did you confirm you still meet any continuing requirements under other rules?”
Hangup: teams answer “Legal handled it” but cannot show operational artifacts. Article 43 is easy to comply with and easy to fail in an audit if documentation is sloppy.
Frequent implementation mistakes and how to avoid them
- Mistake: Updating the obligation register only.
  Avoid it: track downstream impact to contracts, training, and audit test scripts.
- Mistake: Deleting references without documenting rationale.
  Avoid it: keep a decision log that explains each change and links it to Article 43. (Directive (EU) 2022/2555, Article 43)
- Mistake: Leaving legacy PDFs and attachments unchanged.
  Avoid it: inventory “published artifacts” (PDF policies, vendor playbooks) and refresh or retire them.
- Mistake: Ignoring third-party templates.
  Avoid it: run the same citation search across template libraries and clause banks, not just executed agreements.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this specific requirement, so you should treat it as an auditability and governance exposure rather than a standalone penalty trigger. (Directive (EU) 2022/2555, Article 43)
The practical risk is indirect but real:
- Regulatory credibility risk: outdated citations suggest weak compliance governance.
- Control testing risk: auditors may flag controls that cannot be traced to current obligations.
- Contract risk: counterparties can dispute obligations written against deleted legal references.
Practical 30/60/90-day execution plan
First 30 days (stabilize and scope)
- Open the compliance change record and assign owners. (Directive (EU) 2022/2555, Article 43)
- Run enterprise-wide searches for “2018/1972”, “Article 40”, “Article 41” across GRC, policy, and contract repositories.
- Build the impact assessment list and prioritize items that are externally facing (contracts, published policies).
Days 31–60 (remediate and re-map)
- Update the obligation register entries and control mappings; remove/replace citations tied to the deleted articles. (Directive (EU) 2022/2555, Article 43)
- Update templates (security addendum, procurement clauses) and publish new versions.
- Refresh training and incident response documentation if any content references the deleted articles.
Days 61–90 (prove and harden)
- Assemble an audit pack: search evidence, assessment worksheet, approvals, and version history.
- Run an internal audit-style walkthrough with Legal + Security GRC + Procurement.
- Add a recurring regulatory change checkpoint to your compliance governance calendar so amendments like Article 43 don’t rely on heroics.
Frequently Asked Questions
Does Article 43 require new cybersecurity controls?
Article 43 is an amendment: it deletes Articles 40 and 41 of Directive (EU) 2018/1972 effective 18 October 2024. Your operational duty is to update compliance mappings and artifacts so they no longer rely on deleted provisions. (Directive (EU) 2022/2555, Article 43)
What if we don’t operate telecom networks or services?
You can still be affected if your policies, control library, or third-party contract templates cite Directive (EU) 2018/1972 Articles 40/41. Document a “no impact” assessment if you confirm there are no dependencies. (Directive (EU) 2022/2555, Article 43)
Do we need to amend existing third-party contracts that mention Article 40 or 41?
Not always, but you must assess materiality and ambiguity. At minimum, fix templates for future contracts and document a decision on whether legacy agreements need addenda based on risk and enforceability concerns.
What evidence will an auditor expect for this requirement?
Expect to show a tracked change record, proof of your searches, an impact assessment, and version-controlled updates to affected policies/controls/templates. The key is demonstrating completeness and governance, not just editing one document. (Directive (EU) 2022/2555, Article 43)
How should we record this in an obligation register?
Add or update an entry noting that Articles 40 and 41 of Directive (EU) 2018/1972 were deleted effective 18 October 2024, and link that entry to each impacted control/policy reference you remediated. Keep the cross-reference to Article 43. (Directive (EU) 2022/2555, Article 43)
We found references, but we don’t know what replaces them. What do we do?
Escalate to Legal for a citation replacement decision, then update the control mapping based on that outcome. If no replacement obligation applies, retire the control requirement cleanly and document the rationale and approvals tied to Article 43. (Directive (EU) 2022/2555, Article 43)