On 17 October 2024, the European Commission adopted the first Implementing Regulation under the Network and Information Security 2 Directive (EU) 2022/2555 (NIS2), focusing on digital infrastructures and services. The adoption of the Implementing Regulation coincides with the deadline for EU Member States to transpose the NIS2 Directive into national law, one day before the NIS2 rules are set to take effect. NIS2 requires Member States to apply national implementing legislation by 18 October; however, as of that date, only a few Member States have finalized the transposition process.
NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities. It updates and expands the scope of the previous NIS Directive (EU) 2016/1148, which was introduced in 2016. (Read more about NIS2 in our Legal Update.)
The adopted Implementing Regulation applies to companies providing digital infrastructures and services. For each category of digital infrastructures and services (e.g., cloud computing, data center services, content delivery networks, online marketplaces), the Implementing Regulation defines what constitutes a significant incident that triggers reporting obligations under NIS2. In principle, NIS2 requires companies to report serious cybersecurity incidents within 24 hours. The national implementing legislation will specify which national authorities must receive the reports.
In addition, the Implementing Regulation contains an Annex setting out technical and methodological requirements for cybersecurity risk management. In practice, the Annex fleshes out in detail each of the main cybersecurity requirements imposed on in-scope entities by NIS2 (listed in Art. 21(2) of NIS2). Stay tuned for forthcoming thought leadership from Mayer Brown in this regard.
What is considered a significant incident?
According to Art. 3 of the Implementing Regulation, an incident shall be considered to be significant where one or more of the following criteria are met:
- The incident has caused, or is capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity's total annual turnover in the preceding financial year, whichever is lower;
- The incident has caused, or is capable of causing, the exfiltration of trade secrets of the relevant entity;
- The incident has caused, or is capable of causing, the death of a natural person;
- The incident has caused, or is capable of causing, considerable damage to an individual's health;
- A successful, suspectedly malicious and unauthorized access to network and information systems occurred, which is capable of causing severe operational disruption;
- Incidents have occurred at least twice within 6 months, have the same apparent root cause and have collectively caused, or are capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity's total annual turnover in the preceding financial year, whichever is lower.
The above applies to all types of providers of digital infrastructure, ICT service management and digital providers within the scope of NIS2.
In addition, for individual types of service, there are other criteria that may constitute a significant security incident, even if none of the above apply. The criteria are set out below as examples for cloud computing services, data center providers and social networking service platforms.
Cloud Computing Services | Data Center Providers | Social Networking Services Platforms
According to Art. 7 of the Implementing Regulation, an incident shall be considered significant if: | According to Art. 8 of the Implementing Regulation, an incident shall be considered significant if: | According to Art. 13 of the Implementing Regulation, an incident shall be considered significant if:
In addition to the above, specific triggers for reporting obligations apply to other providers of digital infrastructure (domain name system providers, top-level domain name registries, and providers of content delivery networks and of trust services under the eIDAS Regulation), ICT service management providers (managed service providers and managed security service providers) and other digital providers (providers of online marketplaces and search engines), as set forth in Articles 9 to 12 and 14 of the Implementing Regulation.
Next Steps
The Implementing Regulation is expected to be published in the Official Journal of the EU soon, and will enter into force 20 days thereafter. Any incident that occurs after entry into force will be subject to the new rules described above, although it may be difficult to apply the new rules where a national authority has not yet been designated by national implementing legislation. Companies should therefore become familiar with the new guidance on incident reporting requirements and work to implement it in existing or newly developed Incident Response Plans, so that they are able to act quickly in the event of an incident.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.