Privacy & Information Security Law Blog

On November 7, 2024, the Commission Implementing Regulation 2024/2690 laying down rules for the application of the NIS2 Directive as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to certain digital service providers (the “Implementing Regulation”) entered into force.

The Implementing Regulation is applicable to the following types of digital service providers under the scope of the NIS2 Directive: (1) DNS service providers, (2) TLD name registries, (3) cloud computing service providers, (4) data center service providers, (5) content delivery network providers, (6) managed service providers, (7) managed security service providers, (8) providers of online market places, (9) providers of online search engines, (10) providers of social networking services platforms, and (11) trust service providers. Other entities in scope of the NIS2 Directive, such as manufacturers of medical devices or electrical equipment, are not directly subject to the rules in the Implementing Regulation. That said, the more detailed requirements set forth in the Implementing Regulation may influence interpretation of the NIS2 requirements more generally by national supervisory authorities.

In the Annex of the Implementing Regulation, the European Commission establishes in detail the necessary technical and methodological requirements to comply with Article 21(2) of the NIS2 Directive. This Annex is relevant for cybersecurity and IT teams of digital service providers under the scope of NIS2, who may use it as a guide to understand their current compliance level and determine any additional measures that are necessary to bring their organization into compliance with NIS2.

The Implementing Regulation also sets forth more specific requirements relating to the types of incidents that should be considered as significant and, thus, reportable under the NIS2 Directive. Notification is required if:

• the incident has caused or is capable of causing direct financial loss for the relevant entity that exceeds EUR 500K or 5% of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;
• the incident has caused or is capable of causing the exfiltration of trade secrets;
• the incident has caused or is capable of causing the death of a natural person;
• the incident has caused or is capable of causing considerable damage to a natural person’s health;
• a successful, suspectedly malicious and unauthorized access to network and information systems occurred, which is capable of causing severe operational disruption; or
• it is a recurring incident.

The Implementing Regulation further establishes additional criteria for an incident to be classified as significant that are specific to the various types of digital service providers under scope.

Read the Implementing Regulation.