EU CMSN issued a draft regulation and annex on NIS2 cybersecurity risk-management and reporting obligations for digital infrastructure, providers and ICT service managers.
Follows EU CNCL May 2022 provisional agreement by Council and EP, see #137905.
Purpose of NIS2 Directive
The NIS2 Directive strengthens cybersecurity risk-management measures and streamlines incident-reporting obligations for a number of operators across the EU.
Given the cross-border nature of some operators from the digital sectors, NIS2 requires EU CMSN to align the rules at EU level, which will be facilitated by this act.
The act also specifies the cases in which an incident must be considered significant.
On proportionality, advice is provided to entities that cannot implement the technical and methodological requirements of the cybersecurity risk-management measures.
Specifically, where risk-management measures cannot be implemented because of an entity's size, compensating measures suited to that entity's needs can be considered.
For example, micro-sized entities might find it difficult to segregate conflicting duties and conflicting areas of responsibility and so can consider compensating measures.
These include targeted oversight by management or increased monitoring and logging.
Competent authorities can decide to provide guidance to support relevant entities in the identification, analysis, and assessment of risks for implementation purposes.
Definitions and examples of significant and recurring incidents are also provided.
Effectiveness
Comments on the draft implementing regulation can be submitted by Jul. 25, 2024.
The implementing act details cybersecurity risk management measures, as well as cases in which an incident should be considered significant and companies providing digital infrastructures and services should therefore report it to national authorities.
A major step in boosting cyber resilience of Europe's critical digital infrastructure.
Applies to specific categories of companies such as cloud computing service providers, data center service providers, online marketplaces, search engines, social networks.
Adoption of the implementing regulation coincides with the deadline for member states to transpose the NIS2 Directive into national law, which must be done from Oct. 18, 2024.
Regulation comes into force on 20th day following publication in the EU Official Journal.
On Oct. 18, 2024, EU CMSN issued final Reg 2024/2690 of Oct. 17, 2024, in EU OJ.
Regulation in force on 20th day following publication in the EU OJ, Nov. 7, 2024.