Skip to main content
热门主题
精选內容
查看全部服务
查看全部行业
关于我们概述
2024年10月18日

New Eu Cyber Rules (NIS2) Take Effect; Implementing Rules Adopted

作者:
下载PDF
分享

On 17 October 2024, the European Commission adopted the first Implementing Regulation under the Network and Information Security 2 Directive (EU) 2022/2555 (NIS2), focusing on digital infrastructures and services. The adoption of the Implementing Regulation coincides with the deadline for EU Member States to transpose the NIS2 Directive into national law, one day before NIS2 rules are set to take effect. NIS2 requires Member States apply national implementing legislation by 18 October; however, as of that date, only a few Member States have finalized the transposition process.

NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities. It updates and expands the scope of the previous NIS Directive (EU) 2016/1148, which was introduced in 2016. (Read more about NIS2 in our Legal Update.)

The adopted Implementing Regulation applies to companies providing digital infrastructures and services. For each category of digital infrastructures and services (e.g., cloud computing, data center services, content delivery networks, online marketplaces), the Implementing Regulation defines what constitutes a significant incident that triggers reporting obligations under NIS2. In principle, NIS2 requires companies to report serious cybersecurity incidents within 24 hours. The national implementing legislation will specify which national authorities must receive the reports.

In addition, the Implementing Regulation contains an Annex setting out technical and methodological requirements for cybersecurity risk management. In practice, the Annex fleshes out in detail each of the main cybersecurity requirements imposed on in-scope entities by NIS2 (listed in Art. 21(2) of NIS2). Stay tuned for forthcoming thought leadership from Mayer Brown in this regard.

What is considered a significant incident?

According to Art. 3 of the Implementing Regulation, an incident shall be considered to be significant where one or more of the following criteria are met:

  • The incident has caused, or is capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;
  • The incident has caused, or is capable of causing, the exfiltration of trade secrets of the relevant entity;
  • The incident has caused, or is capable of causing, the death of a natural person;
  • The incident has caused, or is capable of causing, considerable damage to an individual’s health;
  • A successful, suspectedly malicious and unauthorized access to network and information systems occurred, which is capable of causing severe operational disruption;
  • Incidents have occurred at least twice within 6 months, have the same apparent root cause and have collectively caused, or are capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity’s total annual turnover in the preceding financial year, whichever is lower;

The above applies to all types of providers of digital infrastructure, ICT service management and digital providers within the scope of NIS2.

In addition, for individual types of service, there are other criteria that may constitute a significant security incident, even if none of the above apply. The criteria are set out below as examples for cloud computing services, data center providers and social networking service platforms.


Cloud Computing Services

Data Center Providers

Social Networking Services Platforms

According to Art. 7 of the Implementing Regulation, an incident shall be considered significant if:

  • A service is completely unavailable for more than 30 minutes;
  • The availability of a cloud computing service is limited for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller, for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised, with an impact on more than 5 % of that cloud computing service’s users in the Union, or on more than 1 million of the users in the Union, whichever number is smaller.

According to Art. 8 of the Implementing Regulation, an incident shall be considered significant if:

  • A data center service of a data center operated by the provider is completely unavailable;
  • The availability of a data center service is limited for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a data center service is compromised as a result of a suspectedly malicious action; or
  • Physical access to a data center operated by the provider is compromised.

According to Art. 13 of the Implementing Regulation, an incident shall be considered significant if:

  • A social networking service platform is completely unavailable for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller;
  • More than 5% of the users in the Union, or more than 1 million of a social networking service platform’s users in the Union, whichever number is smaller, are impacted by limited availability;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised with an impact on more than 5% of the users in the Union, or on more than 1 million the users in the Union, whichever number is smaller.

In addition to the above, specific triggers to reporting obligations apply to other providers of digital infrastructure (domain name system providers, top-level domain name registries, and providers of content delivery networks and of trust service under the eIDAS Regulation), ICT service management providers (managed service providers and managed-security service providers) and other digital providers (providers of online marketplaces and search engines), as set forth in articles 9 to 12 and 14 of the Implementing Regulation.

Next Steps

The implementing regulation is expected to be published in the Official Journal of the EU soon, and will enter into force 20 days thereafter. Any incident that happens after entry into force will be subject to the new rules described above, although it may be difficult to apply the new rules in case a national authority has not yet been named by national implementing legislation. Companies should therefore become familiar with the new guidance around incident reporting requirements and work to implement them in existing or newly developed Incident Response Plans, so they are able to act quickly in the event of an incident.

作者

相关服务及行业

及时掌握我们的最新见解

见证我们如何使用跨学科的综合方法来满足客户需求
[订阅]

关注我们

© 2024 Mayer Brown

 

 

孖士打(Mayer Brown)是由各个属于独立实体的联合法律执业机构所组成的全球服务提供机构,包括 Mayer Brown LLP(美国伊利洛伊州)、Mayer Brown International LLP(英格兰及韦尔斯) 、孖士打律师行(一家香港的合伙)和Tauil & Chequer Advogados(一家巴西的合伙)以及提供顾问服务而非法律服务的服务提供机构(合称 “Mayer Brown Practices”)。Mayer Brown Practices在各司法管辖区成立,它们可以是一个法人或合伙。PK Wong & Nair LLC(“PKWN”)是组成我们在新加坡的合资律师事务所Mayer Brown PK Wong & Nair Pte. Ltd. 的新加坡律师事务所。有关个别Mayer Brown Practices 和PKWN 的详情,可在我们网站法律公告部分找到。

“Mayer Brown”和Mayer Brown标志是Mayer Brown的商标。

律师通告:以住的成功案例并不能保证取得相同的结果。