Overview
WHAT HAPPENED: On June 27, 2024, the European Commission published for feedback a draft implementing act under the Network and Information Security 2 Directive (NIS2). It specifies cybersecurity risk-management measures for digital infrastructure providers, digital providers and information communication technology service managers, as well as thresholds for reportable incidents with respect to each type of provider.
WHY IT MATTERS: The draft implementing act adds considerable details to NIS2’s list of cybersecurity measures and specifies the significant incident reporting thresholds for each type of provider concerned. The draft implementing act will therefore impact providers’ cybersecurity and incident reporting practices directly. Noncompliance with NIS2 may lead to fines of up to EUR 10 million, or 2% of the total worldwide annual turnover of the undertaking, whichever is higher.
WHO NEEDS TO KNOW: Providers of cloud computing services, data center services, online marketplaces, search engines, social networking services platforms, content delivery network services, managed services, managed security services, trust services, domain name system services and top-level domain name registries (Relevant Entities).
IMMEDIATE NEXT STEP: Interested stakeholders can submit feedback to the draft implementing act via this link until July 25, 2024. The European Commission will review input and adopt a final implementing act by October 17, 2024. Once adopted, the implementing act will apply to all Relevant Entities directly, in all EU Member States.
In Depth
On June 27, 2024, the European Commission published for feedback a draft implementing act under the Network and Information Security 2 Directive (NIS2). It specifies cybersecurity risk-management measures for digital infrastructure providers, digital providers and information communication technology (ICT) service managers, as well as thresholds for reportable incidents with respect to each type of provider.
NIS2 provides a list of 10 cybersecurity risk-management measures that entities from critical sectors must apply (such as business continuity, incident handling or supply chain security). It requires such entities to report incidents that have a significant impact on their services to competent authorities and, in some instances, to service recipients. NIS2 does not provide details about these measures or what constitutes “significant impact” to trigger reporting obligations, but it requires the European Commission to do so. The draft implementing act is the result of advice and cooperation between the European Commission, the NIS Cooperation Group and the European Union Agency for Cybersecurity (ENISA).
EU Member States are required to transpose NIS2 into their national laws and start enforcing it as of October 18, 2024. However, the requirements stemming from the implementing act that the European Commission will adopt will apply to Relevant Entities directly as of October 18th, without any need for Member States to transpose them into national law, thereby underscoring the importance of this draft implementing act.
The draft implementing act adds considerable details to NIS2’s list of cybersecurity measures and specifies the significant incident reporting thresholds for each type of provider concerned. The draft implementing act will therefore impact providers’ cybersecurity and incident reporting practices directly. Noncompliance with NIS2 may lead to fines of up to EUR 10 million, or 2% of the total worldwide annual turnover of the undertaking, whichever is higher.
Below is an overview of the key aspects of the draft implementing act regarding cybersecurity risk-management measures and significant incident reporting thresholds.
CYBERSECURITY RISK-MANAGEMENT MEASURES
The draft implementing act specifies detailed cybersecurity risk-management measures based on European and international standards. It will apply to digital infrastructure providers, digital providers and ICT service managers. In terms of high-level requirements, in-scope entities should:
- Security Policy: Establish a comprehensive security policy aligned with business strategy, security objectives, risk tolerance, roles, responsibilities and documentation requirements.
- Risk Management: Develop a risk management framework to identify, assess and address risks. Perform regular risk assessments, maintain a risk treatment plan and implement compliance monitoring.
- Incident Handling: Establish policies and procedures for detecting, analyzing, responding to and reporting incidents. Implement monitoring and logging, and conduct post-incident reviews.
- Business Continuity and Crisis Management: Develop business continuity and disaster recovery plans, including key contacts, recovery objectives, resources and crisis management processes.
- Supply Chain Security: Manage supplier and service provider relations to mitigate risks. Set selection criteria, specify cybersecurity requirements and maintain a supplier directory.
- Security in Systems Acquisition and Maintenance: Manage risks in acquiring ICT services or products. Implement secure development, configuration management, change management, security testing and patch management.
- Effectiveness Assessment: Establish policies and procedures to assess the implementation and effectiveness of cybersecurity measures, including regular monitoring and evaluation.
- Cyber Hygiene and Training: Raise employee awareness of cybersecurity risks and provide targeted security training, ensuring effective application of cyber hygiene practices.
- Cryptography: Use cryptography to protect information confidentiality, integrity and authenticity, following established policies and procedures.
- Human Resources Security: Ensure employees and third parties understand and commit to security responsibilities. Conduct background checks and manage employment changes securely.
- Access Control: Implement access control policies, manage access rights and review access controls regularly.
- Asset Management: Classify and handle information and assets appropriately, maintaining an accurate asset inventory and managing removable media securely.
- Environmental and Physical Security: Protect systems from physical and environmental threats, implementing perimeter controls and monitoring premises for security breaches.
SIGNIFICANT INCIDENT REPORTING THRESHOLDS
The following sections explain the criteria the draft implementing act outlines for determining what constitutes a significant incident. First, there are general criteria that apply to all entities. Then, there are specific thresholds tailored to certain types of service providers. The general and specific criteria do not need to apply simultaneously. An incident can be deemed significant if it meets either the general criteria or the specific thresholds relevant to the provider. Providers listed with specific thresholds follow both their specific criteria and the general criteria.
- General Criteria for Significant Incidents: An incident is deemed significant if it fulfills one or more of the following criteria:
  - Financial Loss: The incident causes, or is capable of causing, financial loss exceeding EUR 100,000, or 5% of the entity’s annual turnover, whichever is lower.
  - Reputational Damage: The incident causes, or is capable of causing, considerable reputational damage, which may include media reports, multiple user complaints, regulatory noncompliance or significant loss of customers.
  - Theft of Trade Secrets: The incident results in the theft of trade secrets.
  - Death: The incident causes, or is capable of causing, the death of a natural person.
  - Health Damage: The incident causes, or is capable of causing, considerable damage to a natural person’s health.
  - Unauthorized Access: The incident involves successful, suspectedly malicious and unauthorized access to network and information systems.
  - Recurring Incidents: Incidents that occur at least twice within six months with the same root cause are considered collectively significant.
  - Specific Criteria: The incident meets one or more of the specific criteria outlined in the “Specific Thresholds” section below.
- Specific Thresholds: The following list outlines the specific thresholds for significant incidents for various service providers:
  - Cloud Computing Service Providers: Service unavailability for more than 10 minutes, unmet service level agreements (SLAs) for more than 5% or 1 million users, or compromised data integrity due to suspected malicious action.
  - Online Marketplaces: Service unavailability or order delays impacting more than 5% or 1 million users, or compromised data integrity.
  - Online Search Engines: Service unavailability or delayed response times impacting more than 5% or 1 million users, or compromised data integrity.
  - Social Networking Platforms: Service unavailability or delayed response times impacting more than 5% or 1 million users, or compromised data integrity.
  - Content Delivery Network Providers: Network unavailability for more than 10 minutes, unmet performance agreements for more than 5% or 1 million users, or compromised data integrity.
Specific thresholds also exist for data center service providers, managed and managed security service providers, domain name system (DNS) service providers, top-level domain (TLD) name registries, and trust service providers, but these have been left out for brevity.
At this stage, the European Commission has not (yet) utilized Article 23(11) of NIS2 to issue a template specifying the type, format and procedure for submitting incident notifications or for communications to recipients of services potentially affected by significant cyber threats.
WHAT THIS MEANS
Entities subject to NIS2 should consider enhancing both their cybersecurity risk-management measures and incident reporting programs to comply with the proposed requirements. To prepare, they should consider, inter alia:
- Comprehensive Cybersecurity Policies: Establish detailed policies covering all aspects of cybersecurity risk management, including business continuity planning, incident handling and supply chain security. Regularly review and update these policies to address evolving threats and vulnerabilities.
- Clear Incident Reporting Procedures: Develop clear procedures for assessing and reporting incidents that meet the significance criteria.
- Automated Detection and Monitoring: Implement monitoring tools (real-time or periodic) and automated systems to detect cybersecurity incidents. Ensure these systems can identify incidents that meet defined financial, reputational and operational thresholds.
- Staff Training and Awareness: Regularly train staff on the latest cybersecurity risk-management measures and incident reporting procedures. Ensure all employees understand their roles in maintaining cybersecurity and are prepared to respond to significant incidents.
- Comprehensive Incident Logging: Maintain detailed logs of all cybersecurity incidents to identify patterns, support regulatory compliance and facilitate continuous improvement.
- Regular Risk Assessments and Audits: Conduct regular risk assessments and security audits to identify potential vulnerabilities and ensure that cybersecurity measures are effective and up to date.
- Consultation Process: Consider responding to the European Commission’s consultation on the draft implementing act via this link to provide feedback and influence the final requirements.