Last month, the European Commission published a draft Implementing Regulation (“IR”) under the EU’s revised Network and Information Systems Directive (“NIS2”). The draft IR applies to entities in the digital infrastructure sector, ICT service management and digital service providers (e.g., cloud computing providers, online marketplaces, and online social networks). It sets out further detail on (i) the specific cybersecurity risk-management measures those entities must implement; and (ii) when an incident affecting those entities is considered to be “significant”. Once finalized, it will apply from October 18, 2024.

Many companies may be taken aback by the granular nature of some of the technical measures listed and the criteria to determine if an incident is significant and reportable – especially coming so close to the October deadline for Member States to start applying their national transpositions of NIS2.

The IR is open for feedback via the Commission’s Have Your Say portal until July 25.

  1. Cybersecurity risk-management measures

The Annex to the draft IR sets out further detail on the cybersecurity risk-management measures referred to in Article 21(2) of NIS2 that covered entities must implement.

As a general matter, the IR states that relevant entities should take a proportionate approach to applying these measures, and implement alternatives that achieve the same purpose if a specific measure is unsuitable (e.g., if a particular covered entity is small).

Specifically, the Annex requires covered entities to implement several measures including the following:

  • Granular requirements for policies and procedures: Covered entities will need policies covering a range of security matters. Among others, they must have an overarching policy on cyber security, as well as topic-specific policies on matters including access control, incident reporting, security testing, patch management, and supply chain security.
  • Tiered approval for policies: Management bodies must approve the relative entity’s overarching policy on the security of network and information systems. In addition, all policies must be approved by an “appropriate level of management”and be reviewed and updated at appropriate intervals. The results of these reviews must be documented.
  • Detailed requirements for incident handling policy: Covered entities must establish an incident handling policy that must include detailed provisions. Among others, it must include a categorization system for incidents, plans for the escalation and reporting of incidents, and the assignment of roles to detect and appropriately respond to incidents.
  • Detailed requirements for business continuity and crises management: Covered entities must ensure that their business continuity plans, backup plans and crisis management processes include the minimum elements listed in the Annex.
  • Supply chain contracts: Covered entities must ensure direct suppliers and service providers can provide a sufficiently high level of security.
  • Monitoring and logging: Covered entities must establish monitoring and logging processes that, at a minimum, capture specific events to help them identify and respond to incidents. They must also implement tools to control the execution of applications on user workstations, and filters for email and web browsers.
  • Basic cyber hygiene practices and cybersecurity training: Covered entities must consider implementing basic data hygiene practices (e.g., policies on clear desks and screens, passwords and other forms of authentication, safe email and web usage, and secure remote working practices). They must also implement an “awareness raising programme” for all employees, including members of management bodies.
  • Insider threat and access controls: Covered entities must consider whether employee security management measures are required (e.g., background checks on certain employees), and must take steps to raise employee awareness about security risks, for example if access rights are misused.
  • Identification of “crown jewel” assets: Covered entities must create an asset inventory and classify the risk levels of their assets. This asset inventory must be particularly granular (covering hardware, software, services, and facilities etc.), and may require significant work to create and maintain.
  • Governance, cyber roles, and compliance monitoring: Covered entities must ensure that employees with a cybersecurity role form part of a defined governance structure. Among other things, at least one person shall report directly to a covered entity’s management body on matters relating to the security of network and information systems, and the management body must receive regular updates on the status of network and information security (e.g., based on independent reviews described below).
  • Independent review: Covered entities must develop and maintain processes for carrying out independent reviews of their network and information security measures and the implementation of those measures. Such reviews must be carried out by individuals with “appropriate audit competence”.
  • Protection against all hazards: When covered entities determine which risk-management measures to implement, they must take an “all-hazards approach”. As a result, measures to ensure the security of network and information systems must include those designed to protect such systems from system failures, human error, malicious acts or natural phenomena.
  1. Definition of a “significant” incident

The IR states that an incident will be deemed “significant” within the meaning of Article 23(3) of NIS2 where one or more of several criteria are fulfilled. An incident affecting all types of covered entities will meet this threshold where, among others, the incident:

  • Causes or is capable of causing financial loss where it exceeds EUR 100,000 or 5% of the relevant entity’s annual turnover, whichever is lower. However, it is not clear how companies would calculate this in practice;
  • Causes “considerable reputational damage”, taking into account factors such as whether the incident has been reported in the media and whether the entity is likely to lose customers with a material impact on its business or be unable to meet regulatory requirements as a result;
  • Leads to the exfliltration of trade secrets;
  • Leads to, or is capable of leading to, the death of an individual or damage to their health; or
  • Involves successful, suspectedly malicious and unauthorised access to network and information systems.

In addition, among a number of others, the following types of incidents affecting specific types of covered entity will be deemed significant:

  • Incidents that lead to the complete unavailability of a cloud computing service, content delivery network, or DNS service for a period of 10 minutes or more. The duration of an incident must be measured from the disruption of the proper provision of the service in terms of availability, authenticity, integrity or confidentiality, until the time of recovery;
  • Incidents that lead to the complete unavailability of a data center service for any period of time; and
  • Agreed service levels are not met for more than 5% of service users of cloud computing services, managed services, or managed security services, or more than 1 million such users, whichever is smaller, for more than 1 hour. It is unclear, however, what a “service user” is intended to cover: an enterprise customer of a cloud computing service or an individual end-user, or both. The IR does indicate, however, that where a covered entity is unable to determine the exact number of affected users, they should consider an estimate of the maximum possible number of affected users.

Incidents that individually are not considered a significant incident shall be considered collectively as one significant incident where they have occurred at least twice within 6 months and have the same apparent root cause.

*  *  *

The Covington team continues to monitor and advise on cybersecurity issues across Europe, including on NIS, NIS2, and other cyber-related regulations. If you have any questions about the IR or would like to submit feedback, or have any other questions about how NIS2 and other developments in the cybersecurity space will affect your business, our team would be happy to assist.

Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Paul Maynard Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Photo of Stacy Young Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.