ARTICLE
22 October 2024

New EU Cyber Rules (NIS2) Take Effect; Implementing Rules Adopted

Mayer Brown


On 17 October 2024, the European Commission adopted the first Implementing Regulation under the Network and Information Security 2 Directive (EU) 2022/2555 (NIS2), focusing on digital infrastructures and services. The adoption of the Implementing Regulation coincides with the deadline for EU Member States to transpose the NIS2 Directive into national law, one day before the NIS2 rules are set to take effect. NIS2 requires Member States to apply their national implementing legislation from 18 October; however, as of that date, only a few Member States had finalized the transposition process.

NIS2 sets cyber rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities. It updates and expands the scope of the previous NIS Directive (EU) 2016/1148, which was introduced in 2016. (Read more about NIS2 in our Legal Update.)

The adopted Implementing Regulation applies to companies providing digital infrastructures and services. For each category of digital infrastructures and services (e.g., cloud computing, data center services, content delivery networks, online marketplaces), the Implementing Regulation defines what constitutes a significant incident that triggers reporting obligations under NIS2. In principle, NIS2 requires companies to report serious cybersecurity incidents within 24 hours. The national implementing legislation will specify which national authorities must receive the reports.

In addition, the Implementing Regulation contains an Annex setting out technical and methodological requirements for cybersecurity risk management. In practice, the Annex fleshes out in detail each of the main cybersecurity requirements imposed on in-scope entities by NIS2 (listed in Art. 21(2) of NIS2). Stay tuned for forthcoming thought leadership from Mayer Brown in this regard.

What is considered a significant incident?

According to Art. 3 of the Implementing Regulation, an incident shall be considered to be significant where one or more of the following criteria are met:

  • The incident has caused, or is capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity's total annual turnover in the preceding financial year, whichever is lower;
  • The incident has caused, or is capable of causing, the exfiltration of trade secrets of the relevant entity;
  • The incident has caused, or is capable of causing, the death of a natural person;
  • The incident has caused, or is capable of causing, considerable damage to an individual's health;
  • A successful, suspectedly malicious and unauthorized access to network and information systems occurred, which is capable of causing severe operational disruption;
  • Incidents have occurred at least twice within 6 months, have the same apparent root cause and have collectively caused, or are capable of causing, direct financial loss for the relevant entity that exceeds EUR 500,000, or 5% of the relevant entity's total annual turnover in the preceding financial year, whichever is lower.

The above applies to all types of providers of digital infrastructure, ICT service management and digital providers within the scope of NIS2.

In addition, for individual types of service, there are other criteria that may constitute a significant security incident, even if none of the above apply. The criteria are set out below as examples for cloud computing services, data center providers and social networking service platforms.

Cloud Computing Services

According to Art. 7 of the Implementing Regulation, an incident shall be considered significant if:

  • A service is completely unavailable for more than 30 minutes;
  • The availability of a cloud computing service is limited for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller, for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a cloud computing service is compromised, with an impact on more than 5% of that cloud computing service's users in the Union, or on more than 1 million of the users in the Union, whichever number is smaller.

Data Center Providers

According to Art. 8 of the Implementing Regulation, an incident shall be considered significant if:

  • A data center service of a data center operated by the provider is completely unavailable;
  • The availability of a data center service is limited for a duration of more than one hour;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a data center service is compromised as a result of a suspectedly malicious action; or
  • Physical access to a data center operated by the provider is compromised.

Social Networking Services Platforms

According to Art. 13 of the Implementing Regulation, an incident shall be considered significant if:

  • A social networking service platform is completely unavailable for more than 5% of the users in the Union, or for more than 1 million of the users in the Union, whichever number is smaller;
  • More than 5% of the users in the Union, or more than 1 million of a social networking service platform's users in the Union, whichever number is smaller, are impacted by limited availability;
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised as a result of a suspectedly malicious action; or
  • The integrity, confidentiality or authenticity of stored, transmitted, or processed data related to the provision of a social networking service platform is compromised, with an impact on more than 5% of the users in the Union, or on more than 1 million of the users in the Union, whichever number is smaller.

In addition to the above, specific triggers for reporting obligations apply to other providers of digital infrastructure (domain name system providers, top-level domain name registries, and providers of content delivery networks and of trust services under the eIDAS Regulation), ICT service management providers (managed service providers and managed security service providers) and other digital providers (providers of online marketplaces and search engines), as set forth in Articles 9 to 12 and 14 of the Implementing Regulation.

Next Steps

The Implementing Regulation is expected to be published in the Official Journal of the EU soon and will enter into force 20 days thereafter. Any incident that occurs after entry into force will be subject to the new rules described above, although applying them may be difficult where a national authority has not yet been designated by national implementing legislation. Companies should therefore become familiar with the new guidance on incident reporting requirements and work to implement it in existing or newly developed Incident Response Plans, so that they are able to act quickly in the event of an incident.

© Copyright 2024. The Mayer Brown Practices. All rights reserved.