1. NIS2 Implementing Regs & Annex – 17 October 2024
A lot of IT lawyers are preoccupied sorting out DORA Schedules at the moment. Contending with a mid-January deadline, they may yet have to turn their attention to the European Commission’s NIS2 Implementing Regs (and Annex), both published 17 October 2024. These also contain contractual flowdown requirements to think about.
2. Who is affected?
For brevity, this blog will assume a working knowledge of NIS2. The Implementing Regs and the Annex don’t cover all entity types within the sectoral scope of NIS2 (see NIS2 Annexes I and II). Instead they apply to a subset of IT-related entity types.
These are: DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
Why these entity types in particular? The answer is in NIS2 Recital 84: they are “cross-border in nature” and so “should be subject to a high degree of harmonisation at Union level” therefore specific requirements should be “facilitated by an implementing act”. (Recall that NIS2 is an EU Directive, so left to Member States to transpose into their national law. As an EU Regulation, the Implementing Regs are directly applicable in Member States – without needing to be transposed.)
3. What are the flowdown requirements?
The requirements are set out in para 5.1.4 of the Annex to the Implementing Regs. Broadly, they are a series of cybersecurity-related contract terms that affected entities are encouraged to include in their supplier contracts – “where appropriate” (back to this later). In a bit more detail, the provisions cover:
- general cybersecurity requirements
- skills & training
- background checks
- security incident reporting
- audit rights
- vulnerability patching
- subcontracting
- post-termination data deletion
See the list in full at limbs (a) to (h) of para 5.1.4.
4. Do I have to include them in contracts?
No, but the contract terms are not unheard of so you may have comparable provisions in existing agreements. However, the Implementing Regs take a ‘comply or explain’-style approach which you should bear in mind. More generally, your NIS2 implementation project may be a good opportunity to revisit the cybersecurity clauses in your standard terms.
There is some latitude here. By NIS2 Recital 85, “essential and important entities should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers” (emphasis added). Recital 4 of the Implementing Regs emphasises the “principle of proportionality” when applying the Annex, while Recital 5 adds that “other compensating measures” can be sufficient.
See Art. 2(2) of the Implementing Regs for the ‘comply or explain’-style approach: where the Annex says something is to be implemented “where appropriate”, then if an entity “considers it not appropriate” it “shall in a comprehensible manner document its reasoning to that effect”. So keep an appropriate record of your approach, in the usual way.
It would also be worth looking at the draft ENISA implementation guidance which offers a few tips on compliance with the para 5.1.4 requirements. E.g. “For small entities with limited bargaining power when dealing with large supplier and service providers consider one or more of the following measures… [e.g.]… collective bargaining or purchasing of products or services… “ (see p. 58).