Communiqué

Public Consultation and Feedback Period for Implementing Regulation laying down rules for the application of Directive (EU) 2022/2555 (NIS2 Directive) as regards technical and methodological requirements of cybersecurity risk management measures and further specification of the cases in which an incident is considered to be significant

The CSSF would like to inform the public that, in the context of the implementation of the NIS2 Directive, the European Commission has recently published, for public consultation and feedback until 25 July 2024, a Draft Implementing Regulation and the related Annex. These texts lay down the technical and methodological requirements of the cybersecurity risk management measures referred to in Article 21(2) of the NIS2 Directive and further specify the cases in which an incident shall be considered to be significant, as referred to in Article 23(3) of the NIS2 Directive.

Support PFS that are providing trust services (as defined in Article 3, point (16), of Regulation (EU) No 910/2014) are in scope of NIS2.

As the transposition of the NIS2 Directive into national law is still ongoing, the identification of other Support PFS which will be in scope of the Directive as essential or important entities is in progress.

However, due to their activities in the Digital Infrastructure sector (cloud computing service providers, data centre service providers) and/or ICT service management sector (managed service providers and managed security service providers), a large number of Support PFS authorised as IT systems and communication networks operators of the financial sector pursuant to Article 29-3 of the Law of 5 April 1993 on the financial sector are also likely to fall under the NIS2 Directive as essential or important entities.

Therefore, the CSSF invites all the above-mentioned types of Support PFS to take note of this text and, if they are interested, to submit their potential feedback directly to the European Commission through the website provided for this purpose.

The Public Consultation and Feedback on the Implementing Regulation is available via the link below:
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14241-Cybersecurity-risk-management-reporting-obligations-for-digital-infrastructure-providers-and-ICT-service-managers_en