Tamás Tóth

New draft EU legislation on the implementing regulation for the NIS2 Directive

Explore the new EU draft legislation for the NIS2 Directive, which strengthens cybersecurity requirements for the digital infrastructure, digital providers and ICT services sectors.

The broad expectations set out in the NIS2 Directive are further elaborated in a recent draft legislation (27 June 2024).

The draft includes both high-level rules and the thresholds beyond which an incident is considered significant, as well as specific cybersecurity risk-management measures. These now follow a different logic from the implementing regulation of the Hungarian Cybersecurity Certification Act.

The Commission is accepting feedback on the draft legal act for 4 weeks.

The Directive currently covers medium and large organisations in sectors critical to the economy and society. In addition to the general text of the NIS2 Directive, by 17 October the EU will adopt an implementing act defining technical and methodological requirements for cybersecurity risk-management measures for certain organisations in the digital infrastructure, digital providers and ICT services (business-to-business) sectors. This could harmonise rules that currently differ from one Member State to another, but it could also interfere with rules that have already been transposed into national law.

The Directive stated from the outset that “in order to avoid the fragmentation of cybersecurity provisions of Union legal acts, where further sector-specific Union legal acts pertaining to cybersecurity risk-management measures and reporting obligations are considered to be necessary to ensure a high level of cybersecurity across the Union, the Commission should assess whether such further provisions could be stipulated in an implementing act under this Directive”.

  • This is necessary because the EU Directive has been transposed by each Member State independently, within the EU framework, on the basis of its own previous legislation and approach.
  • For this reason, there can be big differences between Member States. This contrasts with the DORA Regulation, where the detailed rules (RTS, ITS) were first established centrally at EU level and then adopted by the Member States, creating more uniform expectations across Member States.

The draft legislation does not apply to all sectors concerned, only to certain organisations of the digital infrastructure, digital providers and ICT services (business-to-business) sectors.

Sectors and subsectors concerned:

  • DNS service providers, excluding operators of root name servers
  • TLD name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Trust service providers
  • Managed service providers (outsourced ICT service providers)
  • Managed security service providers (outsourced ICT security service providers)
  • Providers of online marketplaces
  • Providers of online search engines
  • Providers of social networking services platforms

This is because the listed service providers play a significant role in IT supply chains, and incidents affecting them have an impact on other sectors and on the general public. The EU therefore sees a case for harmonised expectations in these sectors to avoid fragmentation between Member States. This could be useful, because a multinational company would otherwise have to comply with very different rules in different Member States.

At first glance, the draft requirements (Annex – Ares(2024)4640447) are relatively detailed. They are structured to elaborate on the cybersecurity risk-management measures listed in Article 21 of the Directive:

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

In summary, this draft legislation contains the best practice that is expected today, with forward-looking requirements such as awareness testing rather than merely the delivery of training. It calls on the sectors concerned to develop processes and apply technologies to monitor and log their networks and systems, so that they can record incidents and detect and manage them appropriately. If you want to translate the general text of the draft into specific technology, the introduction and use of SIEM (and SOAR), GRC software, network tools and network security tools could support compliance.