On June 27, 2024, the European Commission published for feedback a draft implementing act (draft implementing act) under the Network and Information Security 2 Directive (NIS2). It specifies cybersecurity risk-management measures for digital infrastructure providers, digital providers and information communication technology (ICT) service managers, as well as thresholds for reportable incidents with respect to each type of provider.
NIS2 provides a list of 10 cybersecurity risk-management measures that entities from critical sectors must apply (such as business continuity, incident handling or supply chain security). It requires such entities to report incidents that have a significant impact on their services to competent authorities and, in some instances, to service recipients. NIS2 does not provide details about these measures or what constitutes “significant impact” to trigger reporting obligations, but it requires the European Commission to do so. The draft implementing act is the result of advice and cooperation between the European Commission, the NIS Cooperation Group and the European Union Agency for Cybersecurity (ENISA).
EU Member States are required to…
