NIS 2 Updates: Changes in Implementing Rules and Publication of Draft Technical Guidance

Due to the recent general election, the national legislation implementing NIS 2 in Ireland has been delayed (having already missed the 17 October 2024 deadline). However, entities that are subject to NIS 2 should still be aware of developments at a European level. For certain categories of entities (e.g. domain name service providers, certain ICT service providers, and providers of online marketplaces, search engines and social networking platforms), this includes implementing rules as well as technical guidance on the cyber security risk management measures required by NIS 2 (the technical guidance was issued in draft form for public consultation until 9 January 2025). While this guidance is directed only at those specified categories of entities (as opposed to all entities subject to NIS 2), it may also be useful to other entities subject to NIS 2 in implementing cyber security measures that are compliant with NIS 2.

What are the recent updates?

Two notable updates include:

  1. Implementing Rules: Following public consultation, the European Commission (the “Commission”) published the final version of Commission Implementing Regulation (EU) 2024/2690 (the “Commission Implementing Regulation”). This regulation provides further detail on the cyber security risk management measures applicable to certain essential and important entities. It also provides further detail on when an incident is considered to be ‘significant’ for the purposes of the reporting obligations of those categories of entities. Certain changes were made to the draft previously published for public consultation, including to emphasise the principle of proportionality in relation to the cybersecurity measures required and to update the definitions of ‘Significant Incident’.
  2. Technical Guidance: The European Union Agency for Cybersecurity (“ENISA”) has published draft technical guidance (the “Draft Technical Guidance”) which is open to public consultation until 9 January 2025. The Draft Technical Guidance is intended to support relevant entities in implementing the technical and methodological requirements of the NIS 2 cybersecurity risk-management measures set out in the Commission Implementing Regulation. It is expected that feedback provided during the public consultation period will be considered before the final Technical Guidance is issued.

What changes were made to the draft Commission Implementing Regulation?

Details regarding the entities captured by the Commission Implementing Regulation, and an overview of what it covers, are set out in our previous briefing here (relating to the draft published for public consultation). The entities captured include domain name service providers, certain ICT service providers, providers of online marketplaces, search engines and social networking platforms, and trust service providers.

The final version of the Commission Implementing Regulation generally reflects the approach taken in the version published for public consultation. However, several amendments have been made. In light of this, entities that are subject to the Commission Implementing Regulation should review the final version in full in order to take the steps needed to comply. While some of these amendments are minor drafting changes, others are more notable. For example:

1. Element of proportionality: 

  • A new Article 2(2) has been included which provides that relevant entities must ensure a level of security appropriate to the risks posed. When complying with the requirements set out in the Annex to the Commission Implementing Regulation, relevant entities are required to “take due account of the degree of their exposure to risks, their size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact”. This element of proportionality is also contained in the recitals to the Commission Implementing Regulation (as was already the case in the draft published for consultation).
  • In addition, in certain instances the Annex provides that a requirement applies only “where appropriate”, “where applicable” or “to the extent feasible”. Article 2(2) now provides that, if a relevant entity assesses that a requirement does not apply to it having regard to the relevant qualifier, it must document its reasons for reaching that conclusion.

2. Definition of ‘Significant Incident’:

  • The definitions of ‘Significant Incident’ have been amended in the final version. For example, the reference to an incident which has caused or is capable of causing considerable reputational damage has been removed, and the threshold for financial loss has been increased from €100,000 to €500,000 (or 5% of the entity’s total annual turnover in the preceding financial year, whichever is lower).
  • In addition, other amendments have been made to the specific criteria relevant to each category of entity captured by the Commission Implementing Regulation. For example, for cloud computing service providers, an incident will be considered significant if a cloud computing service provided by the entity is completely unavailable for more than 30 minutes, as opposed to the 10-minute period set out in the draft.

What is the purpose of the Draft Technical Guidance?

The Draft Technical Guidance provides non-binding advice for relevant entities affected by the Commission Implementing Regulation. It explains the technical and practical steps needed to put in place the technical and methodological requirements set out in the Annex to the Commission Implementing Regulation. Although it is directed at the relevant entities captured by the Commission Implementing Regulation, it specifically states that other public or private organisations might also find the guidance useful for strengthening their own cybersecurity measures in line with the NIS 2 Directive.

The Draft Technical Guidance includes the following components to assist relevant entities in interpreting and implementing the requirements:

  • Guidance: Indicative and actionable advice on key parameters to consider when fulfilling a requirement or additional explanations for concepts found in the legal text.
  • Examples of Evidence: Suggested types of evidence to demonstrate that a requirement is effectively in place.
  • Additional Tips: General recommendations for further consideration by the relevant entity, when applicable.
  • Standards Mapping: A correlation of each requirement to relevant European and international standards, as well as national frameworks. The guidance is clear that this mapping is not a statement of equivalence between standards, but highlights similar cybersecurity requirements across frameworks. This is intended to help entities that already follow one or more standards streamline compliance, minimise overlap and simplify audits.

ENISA published the Draft Technical Guidance (see guidance here) on 7 November 2024. It was originally open for public consultation until 9 December 2024, but this deadline appears to have been extended to 9 January 2025.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.