The European Commission has taken a significant step forward in ensuring robust cybersecurity across the Union with the adoption of the Commission Implementing Regulation C(2024) 7151 on October 17, 2024. This regulation delineates the technical and methodological requirements for cybersecurity risk management under the NIS2 Directive. It also specifies when incidents are to be considered significant for various critical service providers in order to enhance the Union’s digital resilience.
A Milestone for Member States: Transition to Implementation
The adoption of this implementing regulation coincides with the deadline set for EU Member States to transpose the NIS2 Directive into their national law. Since October 18, 2024, all Member States are required to enforce the necessary measures to ensure compliance with the NIS2 cybersecurity rules. These measures include supervisory and enforcement actions to guarantee adherence to the directive’s enhanced standards. This is the beginning of a unified effort across the Union to elevate cybersecurity practices and to strengthen the role of the NIS2 Directive as a cornerstone of Europe’s digital resilience.
Scope of the Regulation
This regulation applies to specific categories of businesses providing digital services. It sets out detailed cybersecurity requirements for entities including DNS (Domain Name System) service providers, TLD (Top-Level Domain) name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, providers of online search engines, providers of social networking platforms, and trust service providers. Additionally, the annex lists 13 key aspects, such as network security, business continuity management (BCM), access controls, risk management, and cryptographic controls, among others, aligning closely with the structure of ISO/IEC 27001.
Addressing Practical Challenges: Proportional Measures
In line with the principle of proportionality, the regulation acknowledges the challenges faced by smaller entities in implementing some of the cybersecurity requirements. Where such entities cannot meet certain technical and methodological standards due to their size, they are allowed to adopt compensating measures that achieve the intended cybersecurity outcomes. However, organizations are expected to document their reasoning in a clear and comprehensible manner, explaining why a particular requirement cannot be applied.
Key Provisions and Their Impact
The regulation mandates that organizations implement cybersecurity measures proportionate to their risk exposure, size, and potential societal impact. Notably, it introduces enhanced incident reporting requirements tailored to the specific nature and significance of incidents across different categories of digital service providers. This ensures a targeted yet comprehensive approach to managing cybersecurity risks.
The technical and methodological requirements of the cybersecurity risk-management measures are aligned with ISO/IEC 27001, ISO/IEC 27002 and ETSI EN 319 401, including technical specifications (CEN/TS 18026:2024) relevant to the security of network and information systems. Furthermore, the regulation encourages national competent authorities and ENISA to provide guidance on national and sectoral risk assessments, as well as on risk assessments specific to particular types of entity, so that smaller entities can meet these strict requirements.
Addressing Supply Chain and Emerging Threats
Recognizing the growing risks posed by supply chains, the regulation insists on the inclusion of cybersecurity clauses in supplier contracts. Additionally, to ensure the effectiveness of implemented measures, organizations are encouraged to conduct security testing on specific networks and systems or on the entity as a whole. The adoption of emerging practices such as zero-trust principles and multi-factor authentication, or continuous authentication mechanisms where the classification of information requires them, is also encouraged to enhance organizations’ resilience.
Publication and Enforcement
The regulation has been published in the Official Journal of the European Union and entered into force 20 days after its publication.
Update 12.12.2024
The article has been updated with regard to the publication.