What is the NIS 2 Directive?

The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 as Directive (EU) 2022/2555, with the aim of achieving a high common level of cybersecurity across the European Union. It repeals and replaces Directive (EU) 2016/1148 (the original NIS Directive) with effect from 18 October 2024.

Member States must ensure that essential and important entities (EIEs hereinafter) take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Effective Date

  • By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
    They shall apply those measures from 18 October 2024.
  • By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and methodological requirements of the measures with regard to:
    DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.
  • By 17 April 2025, Member States shall establish a list of EIEs as well as entities providing domain name registration services.
    Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.


Important Obligations

  • The management bodies of EIEs must approve the cybersecurity risk-management measures taken by those entities, oversee their implementation, and "can be held liable for infringements" of those obligations by the entity.
  • The members of the management bodies of EIEs are required to follow training, and Member States shall encourage EIEs to offer similar training to their employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
  • EIEs must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.
  • Taking into account the state of the art, the measures referred to above shall ensure a level of security of network and information systems appropriate to the risks posed.


Requirements for Measures

The measures shall be based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents.

The measures shall include "at least" the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.


For Non-EU Entities

If an entity referred to in Article 26(1), point (b) ("DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms") is not established in the EU but offers services within the EU, it shall designate a representative in the EU.


Approach to Addressing the Associated Risks

To address these obligations in a systematic way, organisations may consider implementing an information security management system (ISMS) based on the international standard ISO/IEC 27001. Its risk-based controls map closely onto the measures listed above (risk analysis, incident handling, business continuity, supplier relationships, access control, cryptography), which makes it a practical framework for demonstrating compliance.



Author: Blog Author of DQS HK