EU 2024/2690

CIR 2024/2690 Implementation Guide

The EU Implementing Regulation that specifies exactly what technical and methodological measures NIS2 entities must implement - published in the Official Journal on 17 October 2024 and directly applicable across all member states.

Cory HiseyCory Hisey·Continuously reviewed

What Is CIR 2024/2690?

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 was published in the Official Journal of the European Union (OJ L series, 2024/2690). It lays down rules for the application of Directive (EU) 2022/2555 (the NIS2 Directive) with regard to technical and methodological requirements of cybersecurity risk-management measures. Unlike the NIS2 Directive itself, this regulation does not require national transposition - it applies directly in all 27 member states from the date of its entry into force.

The CIR is the answer to the question every compliance officer asks: 'What exactly do we have to implement?' While §30 BSIG (the German transposition) lists 10 measure areas in broad terms, the CIR Annex breaks these down into specific, auditable technical and methodological requirements. It is the most granular official specification of NIS2 obligations available - more detailed than the Directive itself, more specific than the BSIG, and directly enforceable.

The regulation was developed in consultation with ENISA and the NIS Cooperation Group, drawing on existing frameworks including ISO/IEC 27001, ETSI EN 319 401, and national standards. It applies specifically to DNS service providers, TLD name registries, cloud computing service providers, ICT service management providers, managed security service providers, online marketplace providers, online search engine providers, social networking service platform providers, and trust service providers - though its technical requirements serve as a de facto benchmark for all NIS2 entities.

Entities Directly Covered
The CIR applies mandatory requirements to the following entity types as defined in Article 1:

DNS service providers

TLD name registries

Cloud computing service providers

ICT service management (managed services) and managed security service providers

Online marketplace providers

Social networking services platform providers

Trust service providers

Regulation Structure

The CIR consists of 7 articles defining scope, definitions, and requirements, plus a detailed Annex containing the technical and methodological specifications.

Article 2 - Definitions

Establishes definitions for 'network and information system security', 'significant incident', and other key terms. Aligns terminology with the NIS2 Directive while adding implementation-specific precision.

Article 3 - Significance of incidents

Defines when an incident is 'significant' - the threshold that triggers reporting obligations. An incident is significant if it causes financial loss exceeding EUR 500,000 or 5% of annual turnover, results in exfiltration of trade secrets, causes death or considerable damage to health, or meets entity-specific criteria defined in the Article.

Article 4 - Recurring significant incidents

Specifies that recurring incidents which individually do not meet the significance threshold may be aggregated and treated as a single significant incident if they collectively meet the criteria within a six-month period.

Article 5 - Significant incidents for DNS and TLD registries

Adds specific significance criteria for DNS service providers and TLD registries, including service availability below 99.9% for any period, incorrect DNS response rates, and compromise of integrity or confidentiality of stored domain registration data.

Article 6 - Technical and methodological requirements

The core article - requires covered entities to implement the technical and methodological requirements set out in the Annex. The measures must be 'appropriate and proportionate' to the risks, taking into account the entity's size, exposure, likelihood of incidents, and societal impact.

Article 7 - Entry into force

The regulation entered into force on the twentieth day following its publication in the Official Journal (published 17 October 2024). It applies directly in all member states without requiring national transposition.

The 13 Measure Points (CIR Annex)
The Annex organises technical and methodological requirements into 13 thematic points. Each point contains numbered sub-requirements with specific implementation criteria. For example, point 11 (access control) covers identification (11.5), authentication (11.6), and multi-factor authentication (11.7).
1

Policy on the security of network and information systems

Requires a documented network and information systems security policy approved by management, setting the entity's approach to managing security, reviewed at planned intervals and updated after significant incidents or changes. It frames all the measures that follow.

2

Risk management policy

Requires a risk management framework with a defined methodology, identification of risks to network and information systems, analysis and evaluation against risk acceptance criteria, a treatment plan, and approval of residual risk by management, reviewed at planned intervals.

3

Incident handling

Requires policy and procedures for detecting, analysing, containing, responding to, and recovering from incidents, with defined roles, logging, escalation and communication, and a structured post-incident review that feeds lessons learned back into the measures.

4

Business continuity and crisis management

Requires a business continuity and disaster recovery plan based on a business impact analysis, backup and redundancy management with tested restore procedures, and a crisis management plan with defined roles, reviewed and tested at planned intervals.

5

Supply chain security

Requires a supply chain security policy governing relationships with direct suppliers and service providers, including security criteria for selection, contractual requirements, and a directory of suppliers maintained and monitored over the relationship lifecycle.

6

Security in network and information systems acquisition, development and maintenance

Requires security to be built into the acquisition, development, and maintenance of systems, covering secure development practices, configuration management, change management, security testing, patch management, and handling of vulnerabilities throughout the lifecycle.

7

Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

Requires the entity to define policies and procedures to assess whether its risk-management measures are effective, including monitoring, review, and independent assessment, so that shortcomings are identified and the measures are improved over time.

8

Basic cyber hygiene practices and security training

Requires basic cyber hygiene practices and a security awareness programme for all personnel, with role-specific training for staff who have security tasks and for management, covering policies, threats, and reporting duties.

9

Cryptography

Requires a policy and procedures on the use of cryptography, including selection of algorithms and key strengths appropriate to the data, and key management covering generation, storage, rotation, and destruction, reviewed against current best practice.

10

Human resources security

Requires human resources security measures across the employment lifecycle, including verification before hiring as appropriate, defined security responsibilities, terms and conditions, and procedures for changes of role and termination so that access ends when employment does.

11

Access control

Requires an access control policy with management of access rights (11.2) and privileged accounts (11.3), administration systems (11.4), unique identification (11.5), authentication (11.6), and multi-factor or continuous authentication (11.7) for access to critical systems and remote access, reviewed at planned intervals.

12

Asset management

Requires an asset management policy with classification of assets, an inventory of network and information systems and supporting assets, handling rules according to classification, and policies for removable media and the secure return or disposal of assets.

13

Environmental and physical security

Requires protection of facilities against physical and environmental threats, including supporting utilities, controlled physical access to systems, and protection against failures such as power loss, fire, and water, proportionate to the risk to the systems.

CIR, NIS2 Directive, and BSIG - How They Fit Together
Understanding the legal hierarchy is essential for compliance planning.

The NIS2 Directive (EU) 2022/2555 is the parent legislation - it establishes the framework, obligations, and enforcement regime at EU level. Member states were required to transpose it into national law by 17 October 2024. Germany's transposition is the NIS2UmsuCG, which amends the BSIG. The BSIG now contains all NIS2 obligations in German law, including §30 (cybersecurity measures) and §32 (incident reporting).

The CIR 2024/2690 is a directly applicable EU regulation - it does not require transposition and takes precedence over conflicting national provisions. Where the CIR specifies a technical requirement, that requirement applies directly, regardless of whether the BSIG addresses it. For the entity types listed in Article 1, the CIR is the primary compliance standard.

For entities NOT directly listed in CIR Article 1 but still subject to NIS2 (e.g., energy providers, healthcare, transport), the CIR serves as the most authoritative reference for what 'appropriate and proportionate' measures look like. German courts and the BSI are expected to reference the CIR's technical specifications when evaluating whether a company's measures meet the §30 BSIG standard - even if the CIR does not formally bind those entities.

Sources
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 - Official Journal of the European Union, OJ L 2024/2690
  • EUR-Lex - Full text of CIR 2024/2690 (CELEX: 32024R2690)
  • Directive (EU) 2022/2555 (NIS2 Directive) - Official Journal of the European Union
  • ENISA - Technical guidance on NIS2 implementation measures (2024)
  • secuvera GmbH - Analysis of CIR 2024/2690 requirements and mapping to ISO 27001 (2024)
  • BSIG - §30 (Risikomanagementmaßnahmen), §32 (Meldepflichten), as amended by NIS2UmsuCG
Implement CIR Requirements Systematically
The platform maps every CIR Annex requirement to structured tasks with evidence uploads, deadline tracking, and management sign-offs - turning a 30-page regulation into actionable compliance steps.