Shaping Europe’s digital future
Press release | Publication

New rules to boost cybersecurity of EU's critical entities and networks

The Commission has adopted the first implementing rules on cybersecurity of critical entities and networks under the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive).

This implementing act details cybersecurity risk management measures as well as the cases in which an incident should be considered significant and companies providing digital infrastructures and services should report it to national authorities. This is another major step in boosting the cyber resilience of Europe's critical digital infrastructure.

This adopted implementing regulation will apply to specific categories of companies providing digital services, such as cloud computing service providers, data centre service providers, online marketplaces, online search engines and social networking platforms, to name a few. For each category of service providers, the implementing act specifies when an incident is considered significant, to whom it needs to be reported and in which timeframe.

The adoption of the implementing regulation coincided with the deadline for Member States to transpose the NIS2 Directive into national law. From 18 October 2024, all Member States must apply the measures necessary to comply with the NIS2 cybersecurity rules, including supervisory and enforcement measures.

Related content

NIS2: Commission implementing regulation on critical entities and networks

Policy and legislation | 17 October 2024

This Regulation lays down the technical and the methodological requirements of the measures referred to in NIS2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (the relevant entities).