Appropriate and proportionate technical, operational and organisational measures are necessary to manage the risks to the security of the networks and information systems used by these entities to carry out their activities or provide their services and to prevent or minimise the impact of incidents on the recipients of their services or on other services.