Overview of NIS2 Commission Implementing Regulation (CIR) 2024/2690 for digital critical infrastructure companies

Commission Implementing Regulation (CIR) 2024/2690 defines extra security requirements, which are mandatory for digital infrastructure companies, that need to be implemented on top of NIS2 requirements.

This CIR 2024/2690 is mandatory for all companies in the European Union that belong to the following sectors: DNS service provider; TLD name registry; cloud computing service provider; data center service provider; content delivery network provider; managed service provider; managed security service provider; provider of online marketplaces, of online search engines, and of social networking services platforms; or trust service provider.

With its 13 detailed sections covering everything from cryptography to physical security, CIR 2024/2690 ensures that digital infrastructure providers will need to go beyond just checking boxes — they’ll need to build a robust, multi-layered defense system.

The basics of CIR 2024/2690

This regulation has a very lengthy name: “Commission Implementing Regulation (EU) 2024/2690 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers,” and has been in force since October 2024.

You can find here the Full text of CIR 2024/2690.

As its name implies, it is valid for almost all the essential and important entities in the NIS2 scope that belong to the “Digital infrastructure” and “Digital providers” sectors.

The purpose and structure of CIR 2024/2690

As mentioned before, the purpose of this Commission Implementing Regulation is to raise the overall level of cybersecurity for digital infrastructure and providers by defining strict requirements for cybersecurity, since NIS2 itself is not very precise on what kind of cybersecurity needs to be implemented.

CIR 2024/2690 is structured in two main parts: the Main part (articles 1 to 16) and the Annex called “Technical and methodological requirements” (sections 1 to 13).

Here’s how the Main part is structured:

  • Article 1: Subject matter
  • Article 2: Technical and methodological requirements
  • Articles 3 to 14: Specific provisions for significant incidents — detailed criteria for incident classification for different types of digital infrastructure companies
  • Article 15: Repeal of previous regulations
  • Article 16: Entry into force and application

Overview of Annex — Technical and methodological requirements

This Annex is much lengthier than the Main part, and from the compliance perspective, it is the most important. Here is a short overview of the 13 sections:

Section 1: Policy on the security of network and information systems

Outlines the creation and maintenance of a comprehensive security policy. Ensures alignment with business objectives, sets security goals, assigns roles and responsibilities, allocates necessary resources, promotes communication, and mandates regular reviews to continually enhance network and information system security.

Section 2: Risk management policy

Establishes a framework for identifying, assessing, and mitigating cybersecurity risks. Requires regular risk assessments, development and implementation of risk treatment plans, acceptance of residual risks by management, continuous compliance monitoring, and independent reviews to ensure effective risk management and proactive cybersecurity resilience.

Section 3: Incident handling

Details procedures for managing cybersecurity incidents, including detection, analysis, containment, eradication, recovery, and documentation. Emphasizes establishing incident handling policies, effective communication plans, roles assignment, and post-incident reviews to learn and improve response strategies, ensuring swift and effective incident management.

NIS2 CIR 2024/2690: Cybersecurity Requirements for EU Digital Infrastructure

Section 4: Business continuity and crisis management

Requires the creation of business continuity and disaster recovery plans to restore operations after incidents. Includes conducting business impact analyses, setting recovery objectives, managing backups and redundancies, and establishing crisis management processes. Ensures entities are prepared to maintain and quickly resume critical operations during disruptions.

Section 5: Supply chain security

Mandates policies to secure the supply chain by assessing and managing risks from suppliers and service providers. Requires criteria for selecting and contracting suppliers, ensuring their cybersecurity practices meet required standards, monitoring their compliance, and maintaining a directory of suppliers. Aims to mitigate risks originating from third-party relationships.

Section 6: Security in network and information systems acquisition, development, and maintenance

Sets requirements for securing the acquisition, development, and maintenance of network and information systems. Includes security in ICT acquisitions, secure development lifecycles, configuration management, change management, security testing, patch management, network security, segmentation, protection against malware, and vulnerability handling to ensure secure and resilient systems.

Section 7: Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

Requires the establishment of policies and procedures to monitor, measure, and evaluate the effectiveness of cybersecurity risk management. Includes defining what measures to assess, methods for monitoring and measurement, assigning responsibilities, analyzing results, and regularly reviewing and updating policies to ensure ongoing effectiveness and improvement of cybersecurity measures.

Section 8: Basic cyber hygiene practices and security training

Mandates awareness programs and security training for employees and relevant stakeholders. Includes raising awareness about cybersecurity risks, promoting good cyber hygiene practices, providing job-specific security training, assessing training effectiveness, and ensuring continuous education to enhance the overall cybersecurity posture of the organization.

Section 9: Cryptography

Requires policies and procedures for the use of cryptography to protect data confidentiality, integrity, and authenticity. Includes defining cryptographic requirements, selecting appropriate algorithms and protocols, managing cryptographic keys, ensuring secure implementation, and regularly reviewing cryptographic practices to maintain robust data protection measures.

Section 10: Human resources security

Focuses on ensuring that employees and contractors understand and commit to their security responsibilities. Includes background verification, defining security roles and responsibilities, managing employment changes, enforcing disciplinary processes, and ensuring personnel are trained and aware of security policies to prevent insider threats and enhance overall security.

Section 11: Access control

Details policies and procedures for controlling access to network and information systems. Includes managing access rights, implementing authentication and authorization mechanisms, controlling privileged accounts, segregating administration systems, ensuring unique user identities, and applying multi-factor authentication to protect against unauthorized access and ensure secure system usage.

Section 12: Asset management

Requires the creation and maintenance of an accurate asset inventory. Includes classifying assets based on their importance, handling assets securely throughout their lifecycle, managing removable media, maintaining an up-to-date inventory, and ensuring assets are returned or deleted upon termination of employment. Supports effective asset protection and risk management.

Section 13: Environmental and physical security

Mandates measures to protect network and information systems from physical and environmental threats. Includes securing supporting utilities, protecting facilities from natural and intentional threats, implementing perimeter and physical access controls, monitoring environments, and ensuring that physical security measures are regularly reviewed and updated to prevent unauthorized access and damage.

Overall importance of CIR 2024/2690

CIR 2024/2690 represents a significant leap forward in EU cybersecurity regulations for digital infrastructure companies. Think of it as a comprehensive security shield — while NIS2 provides the foundation, this Commission Implementing Regulation provides the detailed blueprints for key cybersecurity aspects.

With its 13 detailed sections covering everything from cryptography to physical security, CIR 2024/2690 ensures that digital infrastructure providers will need to go beyond just checking boxes — they’ll need to build a robust, multi-layered defense system.

To find all the documents needed for complying with the NIS2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.

Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic