octubre 18 2024

New Eu Cyber Rules (NIS2) Take Effect; Implementing Rules Adopted

Authors:
Share

On 17 October 2024, the European Commission adopted the first Implementing Regulation under the Network and Information Security 2 Directive (EU) 2022/2555 (NIS2), focusing on digital infrastructures and services. The adoption of the Implementing Regulation coincides with the deadline for EU Member States to transpose the NIS2 Directive into national law, one day before NIS2 rules are set to take effect. NIS2 requires Member States apply national implementing legislation by 18 October; however, as of that date, only a few Member States have finalized the transposition process.

NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities. It updates and expands the scope of the previous NIS Directive (EU) 2016/1148, which was introduced in 2016. (Read more about NIS2 in our Legal Update.)

The adopted Implementing Regulation applies to companies providing digital infrastructures and services. For each category of digital infrastructures and services (e.g., cloud computing, data center services, content delivery networks, online marketplaces), the Implementing Regulation defines what constitutes a significant incident that triggers reporting obligations under NIS2. In principle, NIS2 requires companies to report serious cybersecurity incidents within 24 hours. The national implementing legislation will specify which national authorities must receive the reports.

In addition, the Implementing Regulation contains an Annex setting out technical and methodological requirements for cybersecurity risk management. In practice, the Annex fleshes out in detail each of the main cybersecurity requirements imposed on in-scope entities by NIS2 (listed in Art. 21(2) of NIS2). Stay tuned for forthcoming thought leadership from Mayer Brown in this regard.

What is considered a significant incident?

According to Art. 3 of the Implementing Regulation, an incident shall be considered to be significant where one or more of the following criteria are met:

  • The incident has caused, or is capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;
  • The incident has caused, or is capable of causing, the exfiltration of trade secrets of the relevant entity;
  • The incident has caused, or is capable of causing, the death of a natural person;
  • The incident has caused, or is capable of causing, considerable damage to an individual’s health;
  • A successful, suspectedly malicious and unauthorized access to network and information systems occurred, which is capable of causing severe operational disruption;
  • Incidents have occurred at least twice within 6 months, have the same apparent root cause and have collectively caused, or are capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;

The above applies to all types of providers of digital infrastructure, ICT service management and digital providers within the scope of NIS2.

In addition, for individual types of service, there are other criteria that may constitute a significant security incident, even if none of the above apply. The criteria are set out below as examples for cloud computing services, data center providers and social networking service platforms.


Cloud Computing Services

Data Center Providers

Social Networking Services Platforms

According to Art. 7 of the Implementing Regulation, an incident shall be considered significant if:

  • A service is completely unavailable for more than 30 minutes;
  • The availability of a cloud computing service is limited for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller, for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised, with an impact on more than 5 % of that cloud computing service’s users in the Union, or on more than 1 million of the users in the Union, whichever number is smaller.

According to Art. 8 of the Implementing Regulation, an incident shall be considered significant if:

  • A data center service of a data center operated by the provider is completely unavailable;
  • The availability of a data center service is limited for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a data center service is compromised as a result of a suspectedly malicious action; or
  • Physical access to a data center operated by the provider is compromised.

According to Art. 13 of the Implementing Regulation, an incident shall be considered significant if:

  • A social networking service platform is completely unavailable for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller;
  • More than 5% of the users in the Union, or more than 1 million of a social networking service platform’s users in the Union, whichever number is smaller, are impacted by limited availability;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised with an impact on more than 5% of the users in the Union, or on more than 1 million the users in the Union, whichever number is smaller.

In addition to the above, specific triggers to reporting obligations apply to other providers of digital infrastructure (domain name system providers, top-level domain name registries, and providers of content delivery networks and of trust service under the eIDAS Regulation), ICT service management providers (managed service providers and managed-security service providers) and other digital providers (providers of online marketplaces and search engines), as set forth in articles 9 to 12 and 14 of the Implementing Regulation.

Next Steps

The implementing regulation is expected to be published in the Official Journal of the EU soon, and will enter into force 20 days thereafter. Any incident that happens after entry into force will be subject to the new rules described above, although it may be difficult to apply the new rules in case a national authority has not yet been named by national implementing legislation. Companies should therefore become familiar with the new guidance around incident reporting requirements and work to implement them in existing or newly developed Incident Response Plans, so they are able to act quickly in the event of an incident.

Servicios e Industrias Relacionadas

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe