What changed
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 lays down the technical and methodological requirements of the NIS2 cybersecurity risk-management measures, and specifies when an incident is 'significant', for digital-sector entities: DNS service providers, TLD registries, cloud computing, data centres, content-delivery networks, managed (security) service providers, online marketplaces, search engines, social networks and trust service providers.
Why it matters
For the digital sector, NIS2's open norms became concrete, testable requirements — including numeric thresholds for what counts as a reportable significant incident. Generic 'appropriate measures' arguments no longer suffice for these entities.
Who is affected
The listed digital-infrastructure and digital-provider categories under NIS2, wherever they serve EU customers.
What to check next
Map your security controls to the technical requirements in the annex of Implementing Regulation 2024/2690, and recalibrate incident-classification thresholds to its 'significant incident' criteria.
Key dates
- 2024-10-17Implementing regulation adopted (published 18 October 2024)
Source. EUR-Lex — Commission Implementing Regulation (EU) 2024/2690 ↗
Document: Commission Implementing Regulation (EU) 2024/2690 — CELEX 32024R2690
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Document: Commission Implementing Regulation (EU) 2024/2690 — CELEX 32024R2690
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.