CIR 2024/2690 Implementation Guide
The EU Implementing Regulation that specifies exactly what technical and methodological measures NIS2 entities must implement – published in the Official Journal on 17 October 2024 and directly applicable across all member states.
What Is CIR 2024/2690?
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 was published in the Official Journal of the European Union (OJ L series, 2024/2690). It lays down rules for the application of Directive (EU) 2022/2555 (the NIS2 Directive) with regard to technical and methodological requirements of cybersecurity risk-management measures. Unlike the NIS2 Directive itself, this regulation does not require national transposition – it applies directly in all 27 member states from the date of its entry into force.
The CIR is the answer to the question every compliance officer asks: 'What exactly do we have to implement?' While §30 BSIG (the German transposition) lists 10 measure areas in broad terms, the CIR Annex breaks these down into specific, auditable technical and methodological requirements. It is the most granular official specification of NIS2 obligations available – more detailed than the Directive itself, more specific than the BSIG, and directly enforceable.
The regulation was developed in consultation with ENISA and the NIS Cooperation Group, drawing on existing frameworks including ISO/IEC 27001, ETSI EN 319 401, and national standards. It applies specifically to DNS service providers, TLD name registries, cloud computing service providers, ICT service management providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers – though its technical requirements serve as a de facto benchmark for all NIS2 entities.
- DNS service providers
- TLD name registries
- Cloud computing service providers
- ICT service management (managed services) and managed security service providers
- Online marketplace providers
- Online search engine providers
- Social networking service platform providers
- Trust service providers
Regulation Structure
The CIR consists of 7 articles defining scope, definitions, and requirements, plus a detailed Annex containing the technical and methodological specifications.
Article 2 – Definitions
Establishes definitions for 'network and information system security', 'significant incident', and other key terms. Aligns terminology with the NIS2 Directive while adding implementation-specific precision.
Article 3 – Significance of incidents
Defines when an incident is 'significant' – the threshold that triggers reporting obligations. An incident is significant if it causes financial loss exceeding EUR 500,000 or 5% of annual turnover, results in exfiltration of trade secrets, causes death or considerable damage to health, or meets entity-specific criteria defined in the Article.
Article 4 – Recurring significant incidents
Specifies that recurring incidents which individually do not meet the significance threshold may be aggregated and treated as a single significant incident if they collectively meet the criteria within a six-month period.
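As an added illustration (not code from the regulation or from this guide), the following Python encodes the Article 3 thresholds and the Article 4 six-month aggregation exactly as summarised above, so that an incident-triage tool can flag what crosses the reporting line. The 183-day window length, the `Incident` record and the sample incidents are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as this guide summarises Article 3 (constants constructed for
# the example; encode them from the legal text when used for real).
ABSOLUTE_LOSS_EUR = 500_000
TURNOVER_FRACTION = 0.05
# Article 4 speaks of a six-month period; 183 days is an assumption made here.
AGGREGATION_WINDOW = timedelta(days=183)

@dataclass(frozen=True)
class Incident:
    occurred: date
    loss_eur: float
    trade_secret_exfiltrated: bool = False
    harm_to_health: bool = False

def loss_threshold(annual_turnover_eur: float) -> float:
    """Loss above which an incident is significant on financial grounds.
    The guide names EUR 500,000 or 5% of annual turnover; exceeding either
    is treated as sufficient, so the lower figure is the threshold."""
    return min(ABSOLUTE_LOSS_EUR, TURNOVER_FRACTION * annual_turnover_eur)

def is_individually_significant(inc: Incident, turnover: float) -> bool:
    """Article 3 criteria as summarised: loss, trade secrets, harm to health."""
    return (inc.loss_eur > loss_threshold(turnover)
            or inc.trade_secret_exfiltrated or inc.harm_to_health)

def recurring_window(incidents, turnover):
    """Article 4 aggregation: the first run of individually minor incidents
    lying within one six-month window whose summed loss exceeds the
    threshold, or None when no such run exists."""
    minor = sorted((i for i in incidents
                    if not is_individually_significant(i, turnover)),
                   key=lambda i: i.occurred)
    threshold = loss_threshold(turnover)
    start = 0
    for end, inc in enumerate(minor):
        # Slide the window start forward until it spans at most six months.
        while inc.occurred - minor[start].occurred > AGGREGATION_WINDOW:
            start += 1
        window = minor[start:end + 1]
        if sum(i.loss_eur for i in window) > threshold:
            return window
    return None

# Constructed sample: turnover EUR 20 million, so the threshold is EUR 500,000;
# three monthly losses of EUR 200,000 are minor alone but sum to 600,000.
SAMPLE_TURNOVER = 20_000_000
SAMPLE_INCIDENTS = [Incident(date(2025, m, 15), 200_000) for m in (1, 2, 3)]
```

Running `recurring_window(SAMPLE_INCIDENTS, SAMPLE_TURNOVER)` returns all three sample incidents as one aggregated significant incident.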
Article 5 – Significant incidents for DNS and TLD registries
Adds specific significance criteria for DNS service providers and TLD registries, including service availability below 99.9% for any period, incorrect DNS response rates, and compromise of integrity or confidentiality of stored domain registration data.
Article 6 – Technical and methodological requirements
The core article – requires covered entities to implement the technical and methodological requirements set out in the Annex. The measures must be 'appropriate and proportionate' to the risks, taking into account the entity's size, exposure, likelihood of incidents, and societal impact.
Article 7 – Entry into force
The regulation entered into force on the twentieth day following its publication in the Official Journal (published 17 October 2024). It applies directly in all member states without requiring national transposition.
Policy on the security of network and information systems
Requires a documented security policy approved by management, reviewed at least annually, and updated after significant incidents or changes. Must define roles, responsibilities, and the framework for all subsequent measures. Must include a risk acceptance policy and evidence of management commitment.
Risk management
Requires a documented risk assessment methodology, risk identification covering all critical assets and processes, risk analysis with likelihood and impact assessment, risk treatment with documented decisions (accept, mitigate, transfer, avoid), and residual risk acceptance by management. Must be reviewed at planned intervals and after significant changes.
Incident handling
Requires incident detection, classification, response, and recovery procedures. Must define roles and responsibilities for incident handling, establish communication channels, include post-incident analysis (lessons learned), and maintain incident logs. Detection must include monitoring for anomalies and known indicators of compromise.
Business continuity and crisis management
Requires business impact analysis, continuity plans for critical services, backup and recovery procedures with tested restore capabilities, and crisis management procedures. Backup integrity must be verified regularly. Recovery time objectives must be defined and tested. Plans must be reviewed after incidents or significant changes.
Supply chain security
Requires a supply chain security policy, assessment of direct suppliers' cybersecurity practices, contractual security requirements for ICT products and services, and monitoring of supplier security posture over the contract lifecycle. Must consider supply chain-specific risks including those arising from the supplier's own supply chain.
Security in acquisition, development, and maintenance
Requires secure development lifecycle for in-house development, security requirements for acquired ICT products and services, configuration management, change management procedures, and security testing (including vulnerability scanning and penetration testing where appropriate). Must cover the full lifecycle from acquisition through decommissioning.
Cryptography
Requires a policy on the use of cryptography, including selection of cryptographic algorithms and key lengths appropriate to the classification of data, key management procedures (generation, distribution, storage, rotation, revocation, destruction), and periodic review of cryptographic implementations against current best practices and known vulnerabilities.
Access control and asset management
Requires an access control policy based on business and security requirements, identity management with unique user identification, access provisioning and de-provisioning procedures, privileged access management, and an asset inventory covering all network and information system components. Access rights must be reviewed at planned intervals.
Multi-factor authentication and secure communication
Requires multi-factor authentication or continuous authentication for access to critical systems and remote access. Secure communication channels must be established for emergency and fallback scenarios. Voice, video, and text communications used for incident response must be secured against interception.
Cybersecurity awareness and training
Requires regular cybersecurity awareness programmes for all personnel, role-specific training for staff with security responsibilities, and management training on cybersecurity governance. Training must cover the entity's security policies, common threats, incident reporting procedures, and the personnel's specific responsibilities.
The NIS2 Directive (EU) 2022/2555 is the parent legislation – it establishes the framework, obligations, and enforcement regime at EU level. Member states were required to transpose it into national law by 17 October 2024. Germany's transposition is the NIS2UmsuCG, which amends the BSIG. The BSIG now contains all NIS2 obligations in German law, including §30 (cybersecurity measures) and §32 (incident reporting).
The CIR 2024/2690 is a directly applicable EU regulation – it does not require transposition and takes precedence over conflicting national provisions. Where the CIR specifies a technical requirement, that requirement applies directly, regardless of whether the BSIG addresses it. For the entity types listed in Article 1, the CIR is the primary compliance standard.
For entities NOT directly listed in CIR Article 1 but still subject to NIS2 (e.g., energy providers, healthcare, transport), the CIR serves as the most authoritative reference for what 'appropriate and proportionate' measures look like. German courts and the BSI are expected to reference the CIR's technical specifications when evaluating whether a company's measures meet the §30 BSIG standard – even if the CIR does not formally bind those entities.
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 – Official Journal of the European Union, OJ L 2024/2690
- EUR-Lex – Full text of CIR 2024/2690 (CELEX: 32024R2690)
- Directive (EU) 2022/2555 (NIS2 Directive) – Official Journal of the European Union
- ENISA – Technical guidance on NIS2 implementation measures (2024)
- secuvera GmbH – Analysis of CIR 2024/2690 requirements and mapping to ISO 27001 (2024)
- BSIG – §30 (Risikomanagementmaßnahmen), §32 (Meldepflichten), as amended by NIS2UmsuCG