CIR 2024/2690 Implementation Guide
The EU Implementing Regulation that specifies exactly what technical and methodological measures NIS2 entities must implement - published in the Official Journal on 17 October 2024 and directly applicable across all member states.
What Is CIR 2024/2690?
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 was published in the Official Journal of the European Union (OJ L series, 2024/2690). It lays down rules for the application of Directive (EU) 2022/2555 (the NIS2 Directive) with regard to technical and methodological requirements of cybersecurity risk-management measures. Unlike the NIS2 Directive itself, this regulation does not require national transposition - it applies directly in all 27 member states from the date of its entry into force.
The CIR is the answer to the question every compliance officer asks: 'What exactly do we have to implement?' While §30 BSIG (the German transposition) lists 10 measure areas in broad terms, the CIR Annex breaks these down into specific, auditable technical and methodological requirements. It is the most granular official specification of NIS2 obligations available - more detailed than the Directive itself, more specific than the BSIG, and directly enforceable.
The regulation was developed in consultation with ENISA and the NIS Cooperation Group, drawing on existing frameworks including ISO/IEC 27001, ETSI EN 319 401, and national standards. It applies specifically to DNS service providers, TLD name registries, cloud computing service providers, ICT service management providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers - though its technical requirements serve as a de facto benchmark for all NIS2 entities.
DNS service providers
TLD name registries
Cloud computing service providers
ICT service management (managed services) and managed security service providers
Online marketplace providers
Social networking services platform providers
Trust service providers
Regulation Structure
The CIR consists of 7 articles defining scope, definitions, and requirements, plus a detailed Annex containing the technical and methodological specifications.
Article 2 - Definitions
Establishes definitions for 'network and information system security', 'significant incident', and other key terms. Aligns terminology with the NIS2 Directive while adding implementation-specific precision.
Article 3 - Significance of incidents
Defines when an incident is 'significant' - the threshold that triggers reporting obligations. An incident is significant if it causes financial loss exceeding EUR 500,000 or 5% of annual turnover, results in exfiltration of trade secrets, causes death or considerable damage to health, or meets entity-specific criteria defined in the Article.
Article 4 - Recurring significant incidents
Specifies that recurring incidents which individually do not meet the significance threshold may be aggregated and treated as a single significant incident if they collectively meet the criteria within a six-month period.
Article 5 - Significant incidents for DNS and TLD registries
Adds specific significance criteria for DNS service providers and TLD registries, including service availability below 99.9% for any period, incorrect DNS response rates, and compromise of integrity or confidentiality of stored domain registration data.
Article 6 - Technical and methodological requirements
The core article - requires covered entities to implement the technical and methodological requirements set out in the Annex. The measures must be 'appropriate and proportionate' to the risks, taking into account the entity's size, exposure, likelihood of incidents, and societal impact.
Article 7 - Entry into force
The regulation entered into force on the twentieth day following its publication in the Official Journal (published 17 October 2024). It applies directly in all member states without requiring national transposition.
Policy on the security of network and information systems
Requires a documented network and information systems security policy approved by management, setting the entity's approach to managing security, reviewed at planned intervals and updated after significant incidents or changes. It frames all the measures that follow.
Risk management policy
Requires a risk management framework with a defined methodology, identification of risks to network and information systems, analysis and evaluation against risk acceptance criteria, a treatment plan, and approval of residual risk by management, reviewed at planned intervals.
Incident handling
Requires policy and procedures for detecting, analysing, containing, responding to, and recovering from incidents, with defined roles, logging, escalation and communication, and a structured post-incident review that feeds lessons learned back into the measures.
Business continuity and crisis management
Requires a business continuity and disaster recovery plan based on a business impact analysis, backup and redundancy management with tested restore procedures, and a crisis management plan with defined roles, reviewed and tested at planned intervals.
Supply chain security
Requires a supply chain security policy governing relationships with direct suppliers and service providers, including security criteria for selection, contractual requirements, and a directory of suppliers maintained and monitored over the relationship lifecycle.
Security in network and information systems acquisition, development and maintenance
Requires security to be built into the acquisition, development, and maintenance of systems, covering secure development practices, configuration management, change management, security testing, patch management, and handling of vulnerabilities throughout the lifecycle.
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Requires the entity to define policies and procedures to assess whether its risk-management measures are effective, including monitoring, review, and independent assessment, so that shortcomings are identified and the measures are improved over time.
Basic cyber hygiene practices and security training
Requires basic cyber hygiene practices and a security awareness programme for all personnel, with role-specific training for staff who have security tasks and for management, covering policies, threats, and reporting duties.
Cryptography
Requires a policy and procedures on the use of cryptography, including selection of algorithms and key strengths appropriate to the data, and key management covering generation, storage, rotation, and destruction, reviewed against current best practice.
Human resources security
Requires human resources security measures across the employment lifecycle, including verification before hiring as appropriate, defined security responsibilities, terms and conditions, and procedures for changes of role and termination so that access ends when employment does.
Access control
Requires an access control policy with management of access rights (11.2) and privileged accounts (11.3), administration systems (11.4), unique identification (11.5), authentication (11.6), and multi-factor or continuous authentication (11.7) for access to critical systems and remote access, reviewed at planned intervals.
Asset management
Requires an asset management policy with classification of assets, an inventory of network and information systems and supporting assets, handling rules according to classification, and policies for removable media and the secure return or disposal of assets.
Environmental and physical security
Requires protection of facilities against physical and environmental threats, including supporting utilities, controlled physical access to systems, and protection against failures such as power loss, fire, and water, proportionate to the risk to the systems.
The NIS2 Directive (EU) 2022/2555 is the parent legislation - it establishes the framework, obligations, and enforcement regime at EU level. Member states were required to transpose it into national law by 17 October 2024. Germany's transposition is the NIS2UmsuCG, which amends the BSIG. The BSIG now contains all NIS2 obligations in German law, including §30 (cybersecurity measures) and §32 (incident reporting).
The CIR 2024/2690 is a directly applicable EU regulation - it does not require transposition and takes precedence over conflicting national provisions. Where the CIR specifies a technical requirement, that requirement applies directly, regardless of whether the BSIG addresses it. For the entity types listed in Article 1, the CIR is the primary compliance standard.
For entities NOT directly listed in CIR Article 1 but still subject to NIS2 (e.g., energy providers, healthcare, transport), the CIR serves as the most authoritative reference for what 'appropriate and proportionate' measures look like. German courts and the BSI are expected to reference the CIR's technical specifications when evaluating whether a company's measures meet the §30 BSIG standard - even if the CIR does not formally bind those entities.
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 - Official Journal of the European Union, OJ L 2024/2690
- EUR-Lex - Full text of CIR 2024/2690 (CELEX: 32024R2690)
- Directive (EU) 2022/2555 (NIS2 Directive) - Official Journal of the European Union
- ENISA - Technical guidance on NIS2 implementation measures (2024)
- secuvera GmbH - Analysis of CIR 2024/2690 requirements and mapping to ISO 27001 (2024)
- BSIG - §30 (Risikomanagementmaßnahmen), §32 (Meldepflichten), as amended by NIS2UmsuCG