EC Cybersecurity Risk Management


On Jun. 27, 2024, EU CMSN issued a draft implementing regulation under NIS2.


  • EU CMSN issued draft implementing regulation and annex on (NIS2) cybersecurity risk-management and reporting obligations for providers of digital infrastructure and ICT services.
  • Follows May 2022 provisional agreement on NIS2 between the Council (EU CNCL) and EP, see #137905.
  • Purpose of NIS2 Directive
  • NIS2 Directive strengthens cybersecurity risk-management measures as well as streamlining incident-reporting obligations for a number of operators across the EU.
  • Given the cross-border nature of some operators from the digital sectors, NIS2 requires EU CMSN to align the rules at EU level, which will be facilitated by this act.
  • The act also specifies the cases in which an incident must be considered significant.
  • On proportionality, the act addresses entities that cannot implement certain technical and methodological requirements of the cybersecurity risk-management measures.
  • Where a measure cannot be implemented because of an entity's size, the entity may instead consider compensating measures suited to its needs.
  • For example, micro-sized entities might find it difficult to segregate conflicting duties and conflicting areas of responsibility and, so, can consider compensating measures.
  • Such compensating measures include targeted oversight by management or increased monitoring and logging.
  • Competent authorities can decide to provide guidance to support relevant entities in the identification, analysis, and assessment of risks for implementation purposes.
  • Definitions and examples of significant and recurring incidents are also provided.
  • Effectiveness
  • Comments on the draft implementing regulation can be submitted by Jul. 25, 2024.
  • Oct. 17, 2024 EC Adoption, Official Journal
  • On Oct. 17, 2024, EU CMSN adopted the implementing regulation (C(2024)7151).
  • The implementing act details the cybersecurity risk-management measures, as well as the cases in which an incident should be considered significant, meaning that companies providing digital infrastructures and services must report it to national authorities.
  • EU CMSN described it as a major step in boosting the cyber resilience of Europe's critical digital infrastructure.
  • Applies to specific categories of companies such as cloud computing service providers, data center service providers, online marketplaces, search engines, social networks.
  • Adoption of the implementing regulation coincides with the Oct. 17, 2024 deadline for member states to transpose the NIS2 Directive into national law; the national measures apply from Oct. 18, 2024.
  • The regulation enters into force on the 20th day following its publication in the EU Official Journal.
  • On Oct. 18, 2024, the final text, Reg 2024/2690 of Oct. 17, 2024, was published in the EU OJ; it accordingly entered into force on Nov. 7, 2024.

Regulators EU CMSN
Entity Types CNSM; Corp
Reference PR, OJ L, 10/18/2024; PR IP/24/5342, Reg 2024/2690, C(2024)7151, 10/17/2024; CP, Reg Ares(2024)4640447 6/27/2024; NIS Dir 2016/1148, Dir 2022/2555; Citation: C(2024)7151; Reg 2024/2690;
Functions BCS; Compliance; Cyber; Legal; Operations; Privacy; Reporting; Risk; Technology
Countries European Union
Category
State
Products Corporate
Regions EMEA
Rule Type Final
Rule Date 6/27/2024
Effective Date 11/7/2024
Rule Id 217558
Linked to Rule :137905
Reg. Last Update 10/17/2024
Report Section EU

Last substantive update on 10/22/2024