Jocelyn Pitet
October 21, 2024

NIS 2 and digital service providers: How to comply with the European Commission's requirements?

Entities providing services in the digital sector hold a unique position under the NIS 2 Directive (Directive (EU) 2022/2555). Unlike for other essential or important entities, their technical and methodological security requirements are specified directly by the European Commission. These entities include:
  • DNS service providers;
  • Top-level domain name registries;
  • Cloud computing service providers (SaaS, IaaS, PaaS, etc.);
  • Data center service providers;
  • Content delivery network providers;
  • Managed service providers;
  • Managed security service providers;
  • Online marketplace providers;
  • Online search engine providers;
  • Social networking service platform providers;
  • Trust service providers.

Why does the European Commission specify these security requirements?

Typically, Member States are responsible for implementing EU law into their national legal systems. For a directive like NIS 2, Member States are required to transpose its provisions into national law (through laws, regulations, decrees, etc.), giving each country some discretion in interpreting the obligations set by the directive. This can lead to slightly different approaches in drafting transposition laws across Member States.
Additionally, each Member State designates its own national authorities to supervise and monitor the implementation of the NIS 2 Directive, such as ANSSI in France. These variations between Member States can result in divergences in how cybersecurity requirements are implemented from one country to another.
Therefore, when uniform application at the European level is deemed essential, the European Commission can be mandated to develop “implementing acts”. These acts aim to establish harmonized rules across Member States to prevent any discrepancies between countries.
Specifically, to avoid such divergences, the NIS 2 Directive states in its Recital 84 that the European Commission must intervene directly to harmonize security requirements for digital service providers. Services such as online marketplaces, cloud service providers, or data centers operate across borders and often in multiple countries simultaneously. Due to their international nature, these services require uniform rules to ensure consistent and coherent cybersecurity requirements throughout the European Union.
In the summer of 2024, the European Commission launched a call for contributions on its draft implementing act. Both European and American companies and associations responded, with a total of 154 contributions submitted, all available on the European Commission’s website. Ultimately, the Commission, which had until October 17, 2024, to adopt the implementing act, met this deadline. The act will enter into force on November 11, 2024.

What are the obligations for digital providers?

In accordance with Articles 21 and 23 of the NIS 2 Directive, the implementing act outlines two key points: the technical and methodological requirements for managing cybersecurity risks for digital service providers, and the procedures for qualifying and notifying a significant incident.
The act[1] is divided into two parts: Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, which outlines the obligations, and its annex, which details the measures to be taken.
Unsurprisingly, risk management measures are aligned with well-established standards such as ISO/IEC 27001, ISO/IEC 27002, and ETSI EN 319 401, as well as technical specifications like CEN/TS 18026:2024.
Furthermore, ENISA at the European level and national authorities, such as ANSSI in France, will likely provide guidance to help entities comply, offering national and sectoral risk assessments specific to certain types of entities. However, the entities concerned remain responsible for identifying and documenting their own risks.
To summarize, our law firm presents ten key points to remember:
  1. Adopt Measures Tailored to Specific Context: Security measures must be proportionate to the specific context of each entity (size, activity, potential incidents). For entities unable to meet certain requirements, appropriate compensatory measures may be considered. For example, micro-entities unable to separate security roles should implement enhanced monitoring of activities and security logs.
  2. Document Non-Compliance: When an entity believes it is unnecessary, inappropriate, or impossible to apply certain requirements, it must document its rationale.
  3. Adopt Compliant Policies (Information Security Policy, Risk Management Policy, etc.): The concerned entities must adopt Information Security Policies, Risk Management Policies, and cryptography policies that are compliant with the Implementing Act. The adopted approach must be "all-hazards" (theft, fires, floods, etc.) and include risk treatment plans that foresee prevention, reduction, and, in some cases, acceptance of certain risks. These policies should be regularly tested, re-evaluated, accompanied by indicators to monitor their implementation, and apply to both employees and third parties (suppliers, subcontractors), which may necessitate contractual amendments.
  4. Timely Prevention and Detection of Security Events: Entities must establish incident management procedures, monitor and log their networks and information systems, and take measures to quickly identify network attacks, especially by detecting abnormal traffic patterns.
  5. Notify Significant Incidents: The act specifies criteria to characterize a significant incident, including, but not limited to, incidents causing a direct financial loss exceeding €500,000 or 5% of the entity’s annual revenue (whichever is lower), exfiltration of trade secrets, serious health consequences or death, and malicious unauthorized access that severely disrupts operations. Recurring incidents, even if not significant individually, are collectively deemed significant if they occur at least twice within six months, have the same apparent cause, and cause significant financial losses exceeding €500,000 or 5% of the entity's annual revenue. Specific criteria also apply to certain providers. Planned interruptions and scheduled maintenance are not considered significant incidents.
  6. Security in Network and Information Systems Acquisition, Development and Maintenance: Entities must implement procedures to manage risks related to ICT service procurement, adopt a secure development lifecycle, manage configurations and changes, perform regular security testing (penetration testing, vulnerability scans, security audits), and apply patches in a timely manner. This also includes network segmentation, protection against malware, and vulnerability management, in line with the requirements of the implementing act.
  7. Secure the Supply Chain: Entities must ensure that their suppliers also meet high security standards by adopting a supply chain security policy and including appropriate security clauses in their contracts.
  8. Train and Implement Cyber Hygiene Practices: Entities must establish continuous awareness programs for employees, including management, as well as for suppliers, to promote good cyber hygiene practices and raise awareness of cybersecurity risks. A specific training program for critical security roles should also be implemented, regularly updated, and evaluated to ensure an appropriate response to cyber threats and secure information system management.
  9. Secure Human Resources: Entities must ensure that their employees, suppliers, and service providers understand and assume their security responsibilities in accordance with the information security policy. This includes mechanisms to ensure that users with privileged access understand their roles, as well as background checks for sensitive positions. Entities should also include post-employment security clauses and establish disciplinary procedures for security breaches, which should be regularly reviewed.
  10. Access Control and Asset Management: Entities must implement access control policies, manage access rights securely, and apply enhanced procedures for privileged and administrative accounts. They must establish an inventory of their assets, classify them according to their importance, and implement appropriate asset management policies throughout their lifecycle. 
Of course, this is only a brief summary, and the implementing act is more detailed and precise.

What should you do today?

What you need to do depends naturally on your current level of cybersecurity maturity.
If you wish to quickly comply with the NIS 2 requirements, here’s how our law firm can assist you:
  • Compliance Audit: We conduct a comprehensive legal audit of your contracts and procedures (Information Security Policy, Risk Management Policy, etc.) to identify non-compliance with the NIS 2 Directive and propose adjustments to address these gaps. We ensure that your policies are legally binding on your employees and third parties (suppliers, subcontractors) through contractual amendments or your internal regulations.
  • Assistance in Case of Exemption or Adjustment: In cases where certain requirements cannot be met, we help you rigorously document your non-compliance.
  • Securing Your Supply Chain: We ensure that your contracts with your suppliers are compliant with your cybersecurity obligations, particularly by incorporating appropriate security clauses for managing relationships with your suppliers.
  • Incident Support: We assist you in drafting your incident management policies to ensure compliance with NIS 2 requirements. In the event of an incident, we also help you effectively manage notifications to the competent authorities, whether for NIS 2, GDPR, or any other applicable regulation. This includes coordinating legal obligations, adhering to deadlines, and preparing the necessary information to ensure compliance.
  • Assistance in Case of Independent Security Audit: Penetration testing and security audits are particularly sensitive operations that require strict oversight. Our law firm supports you in implementing these processes by drafting specific clauses to ensure the legal and operational security of these procedures. This includes the confidentiality of test and audit results so that this critical information cannot be exploited or disclosed outside the intended scope. We also ensure a precise definition of the audit scope to avoid any risk of overreach that could disrupt your activities. Finally, we manage liabilities in case of issues or incidents occurring during these operations. These measures not only protect your systems but also ensure the continuity of your services, providing a secure and compliant framework with current regulations.
  • Coordination with Technical Experts: If you already have an internal cybersecurity team or technical partners, we collaborate with them to ensure comprehensive and effective implementation of security measures in compliance with NIS 2. If necessary, we can also propose to work with our specialized cybersecurity partners to meet your specific technical needs.
By taking these measures now, you will not only comply with the obligations of the NIS 2 Directive but also be better equipped to face the growing challenges in cybersecurity. 

About the Author

Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, as well as major international groups in managing complex legal challenges related to digital and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection, and cybersecurity law.

Footnotes

1. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers