NIS2 Update on Cybersecurity for Key Service Providers
Regulation
The European Commission’s recent implementing regulation, adopted under the NIS2 Directive (NIS2: Commission implementing regulation on critical entities and networks - https://digital-strategy.ec.europa.eu/en/library/nis2-commission-implementing-regulation-critical-entities-and-networks), lays down mandatory cybersecurity requirements for DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers, social networking platforms, and other critical online services. The regulation specifies the technical and methodological requirements for the cybersecurity risk-management measures these entities must take, and sets out the criteria under which an incident is considered significant and therefore reportable.
Key Points
1. Risk Management Standards: Organizations must implement comprehensive cybersecurity risk-management measures, drawing on international standards (ISO/IEC 27001, ETSI EN 319 401, and others). The requirements include establishing a network and information system security policy, securing network and information systems, and maintaining and following a risk treatment plan.
2. Incident Criteria: An incident is significant if it meets one of the general conditions, for example causing (or being capable of causing) direct financial loss exceeding €500,000 or 5% of the entity’s total annual turnover, whichever is lower, or meets a sector-specific threshold for availability, integrity, confidentiality or authenticity. For cloud computing services, for instance, complete unavailability for more than 30 minutes is significant, as is a compromise of the availability, authenticity, integrity or confidentiality of customer data that affects more than 5% of users or more than one million users.
3. Recurring and Malicious Incidents: Incidents that are not individually significant but occur at least twice within six months with the same apparent root cause, and that collectively meet the financial loss criterion, are also deemed significant. Successful, suspectedly malicious, unauthorized access to network and information systems that is capable of causing severe operational disruption is significant on its own.
4. Sector-Specific Thresholds: Each type of service provider has its own thresholds for when an incident becomes significant. For example, for DNS service providers an average DNS response time of more than 10 seconds is a reporting threshold rather than a performance target, and for data centre service providers a compromise of physical access to the data centre counts as a significant incident.
5. Supply Chain Security: Providers must establish and maintain a supply chain security policy, including cybersecurity requirements in contracts with direct suppliers and service providers and regularly reviewing their security practices.
6. Employee Security Management: Emphasis is placed on controlling employee access to prevent insider threats, with measures such as multi-factor authentication, a disciplinary process, and background verification for staff in sensitive roles.
7. Physical and Environmental Security: The regulation mandates physical protections for critical facilities to guard against environmental and malicious threats, such as fire, flooding or unauthorized entry, that could disrupt network and information systems.
8. User Impact Measurement: When assessing whether an incident is significant, organizations must count both their direct users and the parties that depend on those users, such as businesses whose services rely on the affected provider.
Implementation and Compliance
The regulation expects security measures to be proportionate to the entity’s size, risk exposure and resources. An entity that cannot fully implement a specific requirement may instead adopt alternative, compensating measures, provided it can justify and document why the original requirement was not appropriate. Supervision and enforcement remain with the national competent authorities designated under NIS2; ENISA supports implementation with technical guidance but does not itself supervise entities. All entities in scope are expected to meet these requirements to minimize cybersecurity risk.
This regulation, which enters into force twenty days after its publication in the Official Journal, reinforces the EU’s commitment to strengthening cybersecurity across essential digital services, ensuring service continuity and protecting user data against increasing cyber threats.