The Implementing Regulation came into effect on 7 November 2024 and is binding and directly applicable in all EU Member States.
The Implementing Regulation establishes technical and methodological requirements for cybersecurity risk management measures applicable to various providers of digital services. It also specifies when incidents are considered significant for reporting purposes under the NIS2 Directive.
The Implementing Regulation applies to certain categories of digital service providers, including providers of DNS services, cloud computing, data centres, TLD name registries, content delivery networks, managed services, managed security services, providers of online marketplaces, online search engines, social networking services platforms, and trust service providers. It specifies what constitutes a significant incident that will trigger reporting obligations under Article 23 NIS2 Directive for each type of service provider.
The final version of the Implementing Regulation includes several important changes compared to the consultation version. For instance, notifiable significant incidents under the Implementing Regulation are those that fulfil one or more of the following criteria:
- an incident has caused or is capable of causing direct financial loss for the relevant entity that exceeds EUR 500,000 or 5% of the organisation’s total annual turnover in the previous financial year, whichever is lower (this threshold is increased from EUR 100,000, and only direct loss counts);
- the incident has caused or is capable of causing the exfiltration of relevant entity’s trade secrets;
- the incident has caused or is capable of causing the death of a natural person;
- the incident has caused or is capable of causing considerable damage to a natural person’s health;
- a successful, suspectedly malicious and unauthorised access to network and information systems occurred, which is capable of causing severe operational disruption (the reference to causing severe disruption is new);
- the incident is recurring (i.e., recurring incidents that individually are not considered a significant incident but (i) have the same apparent root cause, and (ii) have occurred at least twice within six months should be considered collectively as one significant incident if they also (iii) collectively have caused or are capable of causing direct financial loss for the relevant entity exceeding EUR 500,000 or 5% of the total annual turnover);
- the incident meets one or more of the criteria specific to different digital service providers set out in Articles 5 to 14 of the Implementing Regulation, e.g., a cloud computing service is completely unavailable for more than 30 minutes, or the availability of the cloud service is limited for more than 5% of its users or more than 1 million users in the EU for a duration of 1 hour. Compared to the consultation version, the thresholds have been increased for various categories of providers, e.g. a cloud service should be “completely unavailable” or the “entire service” of the online marketplace should be unavailable (rather than “parts of its functionality”).
In this context, a reference to incidents that have caused or could cause “considerable reputational damage” and criteria for determining such damage have been removed from the final text.
The Annex to the Implementing Regulation sets out further details on the cybersecurity risk management measures that must be implemented by digital providers. This includes detailed requirements for policies on the security of network and information systems, risk management, incident handling, business continuity and crisis management, supply chain security, security in acquisition, development and maintenance of network and information systems, assessment of the effectiveness of cybersecurity risk-management measures, basic cyber hygiene practices and training, cryptography, human resources security, access control, asset management, and environmental and physical security.
This list is vast and thorough, but many digital providers will be familiar with these requirements as they are generally based on European and international standards such as ISO/IEC 27001, ISO/IEC 27002, and ETSI EN 319401. However, these measures are now required to be implemented. The Implementing Regulation takes into account the divergent risk exposure of relevant entities, including their size, structure, and the likelihood and severity of incidents. Smaller entities may implement alternative measures if they cannot fully comply with certain requirements (e.g., when defining roles, responsibilities, and authorities for network and information system security within their organisation).
The final text also clarifies that the relevant entities should apply the technical and methodological requirements specified in the Annex “where appropriate, where applicable, or to the extent feasible”, leaving digital providers some room to take account of their specific situation. However, providers should document, “in a comprehensible manner”, their reasoning for not applying any of these requirements. The final text toned down various provisions outlining specific measures by adding “where appropriate”.
The list of cybersecurity risk management measures provided by the Implementing Regulation will be of great importance to entities subject to the NIS2 Directive, extending beyond just digital service providers. Although the specific measures contained in the NIS2 Directive will need to be detailed by EU Member States in their national transpositions of the Directive, the cybersecurity risk management measures in the Implementing Regulation can serve as a practical checklist for organisations to assess the maturity of their network and information security governance and practices. In addition, EU Member States that are still working on their transpositions of the NIS2 Directive may use this list for inspiration or choose to align their national requirements with it for better harmonisation of the cybersecurity landscape in the EU.
The NIS2 Directive superseded the NIS1 Directive on 18 October 2024. The EU Member States were required to transpose its provisions in national laws before that date. However, only a handful of EU Member States have completed their transpositions, and others are slowly progressing with their draft implementation laws, citing the complexity of the NIS2 Directive and difficulty in mapping obligations for a wider range of covered entities. A&O Shearman is tracking national implementations of the NIS2 Directive (reach out to the authors of this article, Nicole Wolters Ruckert and Anna van der Leeuw-Veiksha, for your copy).
The Implementing Regulation is available here and a press release from the EC here.