Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.
Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.
The IR is open for feedback via the Commission’s Have Your Say portal until July 25.
1. Cybersecurity risk-management measures
The Annex to the draft IR sets out further detail on the cybersecurity risk-management measures referred to in Article 21(2) of NIS2 that covered entities must implement.
As a general matter, the IR states that relevant entities should take a proportionate approach to applying these measures, and implement alternatives that achieve the same purpose if a specific measure is unsuitable (e.g., if a particular covered entity is small).
- Granular requirements for policies and procedures: Covered entities will need policies covering a range of security matters. Among others, they must have an overarching policy on cyber security, as well as topic-specific policies on matters including access control, incident reporting, security testing, patch management, and supply chain security.
- Tiered approval for policies: Management bodies must approve the relevant entity’s overarching policy on the security of network and information systems. In addition, all policies must be approved by an “appropriate level of management” and be reviewed and updated at appropriate intervals. The results of these reviews must be documented.
- Detailed requirements for incident handling policy: Covered entities must establish an incident handling policy that must include detailed provisions. Among others, it must include a categorization system for incidents, plans for the escalation and reporting of incidents, and the assignment of roles to detect and appropriately respond to incidents.
- Detailed requirements for business continuity and crisis management: Covered entities must ensure that their business continuity plans, backup plans and crisis management processes include the minimum elements listed in the Annex.
- Supply chain contracts: Covered entities must ensure direct suppliers and service providers can provide a sufficiently high level of security.
- Monitoring and logging: Covered entities must establish monitoring and logging processes that, at a minimum, capture specific events to help them identify and respond to incidents. They must also implement tools to control the execution of applications on user workstations, and filters for email and web browsers.
- Basic cyber hygiene practices and cybersecurity training: Covered entities must consider implementing basic cyber hygiene practices (e.g., policies on clear desks and screens, passwords and other forms of authentication, safe email and web usage, and secure remote working practices). They must also implement an “awareness raising programme” for all employees, including members of management bodies.
- Insider threat and access controls: Covered entities must consider whether employee security management measures are required (e.g., background checks on certain employees), and must take steps to raise employee awareness about security risks, for example if access rights are misused.
- Identification of “crown jewel” assets: Covered entities must create an asset inventory and classify the risk levels of their assets. This asset inventory must be particularly granular (covering hardware, software, services, and facilities etc.), and may require significant work to create and maintain.
- Governance, cyber roles, and compliance monitoring: Covered entities must ensure that employees with a cybersecurity role form part of a defined governance structure. Among other things, at least one person shall report directly to a covered entity’s management body on matters relating to the security of network and information systems, and the management body must receive regular updates on the status of network and information security (e.g., based on independent reviews described below).
- Independent review: Covered entities must develop and maintain processes for carrying out independent reviews of their network and information security measures and the implementation of those measures. Such reviews must be carried out by individuals with “appropriate audit competence”.
- Protection against all hazards: When covered entities determine which risk-management measures to implement, they must take an “all-hazards approach”. As a result, measures to ensure the security of network and information systems must include those designed to protect such systems from system failures, human error, malicious acts or natural phenomena.
2. Definition of a “significant” incident
The IR states that an incident will be deemed “significant” within the meaning of Article 23(3) of NIS2 where one or more of several criteria are fulfilled. An incident affecting all types of covered entities will meet this threshold where, among others, the incident:
- Causes or is capable of causing financial loss where it exceeds EUR 100,000 or 5% of the relevant entity’s annual turnover, whichever is lower. However, it is not clear how companies would calculate this in practice;
- Causes “considerable reputational damage”, taking into account factors such as whether the incident has been reported in the media and whether the entity is likely to lose customers with a material impact on its business or be unable to meet regulatory requirements as a result;
- Leads to the exfiltration of trade secrets;
- Leads to, or is capable of leading to, the death of an individual or damage to their health; or
- Involves successful, suspected malicious and unauthorised access to network and information systems.
In addition, among a number of others, the following types of incidents affecting specific types of covered entity will be deemed significant:
- Incidents that lead to the complete unavailability of a cloud computing service, content delivery network, or DNS service for a period of 10 minutes or more. The duration of an incident must be measured from the disruption of the proper provision of the service in terms of availability, authenticity, integrity or confidentiality, until the time of recovery;
- Incidents that lead to the complete unavailability of a data center service for any period of time; and
- Agreed service levels are not met for more than 5% of service users of cloud computing services, managed services, or managed security services, or more than 1 million such users, whichever is smaller, for more than 1 hour. It is unclear, however, what a “service user” is intended to cover: an enterprise customer of a cloud computing service, an individual end-user, or both. The IR does indicate that where a covered entity is unable to determine the exact number of affected users, it should consider an estimate of the maximum possible number of affected users.
Incidents that individually are not considered a significant incident shall be considered collectively as one significant incident where they have occurred at least twice within 6 months and have the same apparent root cause.
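To make these thresholds concrete for incident triage, here is an added Python helper (not part of the draft IR or of this post) that encodes the significance criteria and the aggregation rule exactly as summarised above. The 183-day reading of “6 months”, the service labels and the sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as this page summarises the draft IR; "6 months" is taken as
# 183 days here, which is an assumption (the IR does not fix a day count).
LOSS_ABS_EUR, LOSS_TURNOVER_SHARE = 100_000, 0.05
OUTAGE_MIN = timedelta(minutes=10)          # cloud, CDN, DNS complete unavailability
SLA_SHARE, SLA_ABS, SLA_MIN = 0.05, 1_000_000, timedelta(hours=1)
RECUR_WINDOW, RECUR_COUNT = timedelta(days=183), 2

@dataclass
class Incident:
    occurred: datetime
    root_cause: str
    service: str                      # assumed labels: cloud, cdn, dns, datacenter, managed, mss
    loss_eur: float = 0.0
    outage: timedelta = timedelta(0)  # complete unavailability of the service
    sla_breach: timedelta = timedelta(0)
    sla_users: int = 0                # affected users (estimated maximum if exact is unknown)
    flags: tuple = ()                 # "trade_secrets", "health", "unauthorised_access", "reputation"

def reasons(inc: Incident, turnover_eur: float, total_users: int) -> list[str]:
    """Return the criteria the incident meets; an empty list means not individually significant."""
    out = []
    loss_cap = min(LOSS_ABS_EUR, LOSS_TURNOVER_SHARE * turnover_eur)   # "whichever is lower"
    if inc.loss_eur > loss_cap:
        out.append(f"financial loss exceeds EUR {loss_cap:,.0f}")
    out += [f for f in ("trade_secrets", "health", "unauthorised_access", "reputation") if f in inc.flags]
    if inc.service in ("cloud", "cdn", "dns") and inc.outage >= OUTAGE_MIN:
        out.append("complete unavailability >= 10 min")
    if inc.service == "datacenter" and inc.outage > timedelta(0):
        out.append("data centre unavailability")
    user_cap = min(SLA_SHARE * total_users, SLA_ABS)                    # "whichever is smaller"
    if inc.service in ("cloud", "managed", "mss") and inc.sla_breach > SLA_MIN and inc.sla_users > user_cap:
        out.append(f"SLA not met for > {user_cap:,.0f} users for > 1 h")
    return out

def recurrent_significant(history: list[Incident], new: Incident) -> bool:
    """Aggregation rule: individually non-significant incidents with the same apparent
    root cause, occurring at least twice within 6 months, count as one significant incident."""
    same = [i for i in history + [new]
            if i.root_cause == new.root_cause and abs(i.occurred - new.occurred) <= RECUR_WINDOW]
    return len(same) >= RECUR_COUNT

# Constructed sample data (not from the page): a 12-minute DNS outage, and two
# minor incidents with the same root cause about five months apart.
DNS_OUTAGE = Incident(datetime(2024, 11, 3, 9, 0), "expired zone key", "dns",
                      outage=timedelta(minutes=12), loss_eur=20_000)
MINOR = [Incident(datetime(2024, 11, 3), "config drift", "cloud", loss_eur=1_000),
         Incident(datetime(2025, 4, 1), "config drift", "cloud", loss_eur=1_500)]
```

Because the financial threshold is the lower of the two figures, the same EUR 20,000 loss is reportable for a small entity but not for a large one, as the turnover argument shows.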
* * *
The Covington team continues to monitor and advise on cybersecurity issues across Europe, including on NIS, NIS2, and other cyber-related regulations. If you have any questions about the IR or would like to submit feedback, or have any other questions about how NIS2 and other developments in the cybersecurity space will affect your business, our team would be happy to assist.