Article 18 refers to "Member States" in regard to geographical spread. However, this implies that the article does not include EEA members, i.e., incidents that spread to EEA and non-EU members (Iceland, Liechtenstein, Norway) are not to be considered in the classification of major ICT-related incidents and cyber threats. Can you confirm that it is correctly understood that there is no legal obligation to include Iceland, Liechtenstein, and Norway when it comes to geographical spread? And what is the reasoning behind the decision to exclude these geographies in the legal text?