Updated juni 23, 2026
Summary: Commission Implementing Regulation (EU) 2024/2690 converts the risk-management principles of NIS-2 Article 21 into specific, auditable technical controls for cloud providers, data centres and MSSPs. Sovereign on-premises deployments that follow ENISA's 2025 technical guideline can satisfy these controls without exposing data to foreign-jurisdiction cloud environments.

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 is the directly applicable EU act that converts the high-level risk-management principles of NIS-2 Directive Article 21 into specific, enforceable technical and methodological requirements. Unlike the Directive itself, which required national transposition, this Regulation applies in every Member State without further legislative action, making it the most operationally consequential cybersecurity instrument the European Commission has issued for network and information systems operators to date.

Scope: Which Entities Are Directly Bound

The Implementing Regulation targets a precisely defined group of digital infrastructure and service providers, not the full universe of NIS-2 essential and important entities.

The Regulation applies to DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery networks, managed service providers (MSPs), managed security service providers (MSSPs), and providers of online marketplaces, online search engines and social networking platforms. Each category carries a distinct control emphasis. Cloud computing service providers must demonstrate logical isolation between customer environments and produce evidence of cryptographic separation. Data centre operators are specifically required to address physical security perimeters, power resilience and cooling redundancy as part of their risk-management documentation. MSSPs face the most detailed supply-chain requirements because they introduce third-party tooling into customers’ environments and thereby extend the attack surface of multiple regulated entities simultaneously.

Entities that fall under NIS-2 Article 21 but outside the Implementing Regulation’s listed categories, such as energy distribution operators or hospital networks, remain subject to the Directive’s risk-management obligations directly. National competent authorities retain the power to extend the Regulation’s technical specificity to those sectors through supplementary implementing measures, and several Member States had signalled that intention before the Regulation’s applicability date.

Let op: Commission Implementing Regulation 2024/2690 is not optional guidance. ENISA Executive Director Juhan Lepassaar stated at the 2025 NIS2 Technical Guideline presentation: “The Implementing Regulation is not guidance; it is legally binding and directly applicable in all Member States. Entities that treat it as optional best practice will face enforcement consequences.”

ENISA’s 2025 Technical Guideline: From Regulation to Audit Checkpoints

ENISA published its NIS2 Technical Guideline in 2025 as a structured translation of the Implementing Regulation’s requirements into concrete configuration benchmarks and audit checkpoints that sovereign infrastructure operators can verify against.

The guideline organises controls around the ten security domains referenced in NIS-2 Article 21, including policies on risk analysis, incident handling, business continuity, supply-chain security, cryptography and human resources security. For each domain, ENISA specifies the artefacts an operator must produce, the technical parameters that constitute compliance (for example, minimum key lengths, maximum session token lifetimes, log retention periods) and the evidence that a national authority inspector should be able to examine on site.

For sovereign on-premises operators, the guideline is particularly useful because it acknowledges that compliance does not require a specific commercial product. An operator running an air-gapped or Swiss-hosted infrastructure can satisfy the cryptographic requirements by demonstrating that its chosen algorithms and key management processes meet the parameters, regardless of which vendor supplies the underlying stack. The ENISA guideline cross-references the European Cybersecurity Certification Framework (EUCC) where relevant, which means operators seeking formal certification can use the same documentation set for both the EUCC audit and a NIS-2 inspection.

Cryptographic Controls, Access Management and Supply-Chain Security

These three control domains receive the most detailed treatment in Implementing Regulation 2024/2690 and represent the areas where sovereign deployments have a structural advantage over public cloud configurations.

Cryptographic requirements

The Regulation requires entities to maintain a written cryptography and key management policy that covers algorithm selection, key lifecycle, and renewal procedures. It does not mandate specific algorithms by name in the legislative text, but it requires that choices be justified against the current state of the art, which in practice means alignment with ENISA’s own cryptographic recommendations and, increasingly, readiness for post-quantum migration. Sovereign operators running on-premises key management systems, such as hardware security modules under their own physical control, can produce key custody records that public cloud customers cannot replicate because hyperscaler key management services retain the ability to access keys under lawful process in their home jurisdiction.

Access management

Article 21 as elaborated by the Implementing Regulation requires privileged access management to be documented, with role-based access control policies covering both human administrators and non-human service accounts. Multi-factor authentication is required for all administrative access to network and information systems. For sovereign operators, this maps directly to directory service configurations: a Nextcloud-based workspace federated against an on-premises LDAP or LDAP-over-TLS directory, with hardware token MFA enforced at the gateway, satisfies these requirements in a way that is fully auditable without dependency on a foreign-controlled identity provider.

Supply-chain security

This is the domain where the Regulation introduces the most operationally significant new obligations. Every entity must assess the cybersecurity practices of its direct suppliers and service providers, maintain a register of critical third-party dependencies, and include contractual clauses that require suppliers to notify the entity of security incidents affecting the supply chain. The NIS Cooperation Group has stated: “Supply-chain security is no longer a theoretical risk category. The Implementing Regulation requires entities to evaluate and contractually bind every provider that touches their network or information systems.” For MSSPs, this creates a cascading obligation: they must both comply themselves and help their customers document the MSSP as a supplier in the customer’s own supply-chain register.

Compliance Documentation for National Authority Inspections

A compliance officer facing a national authority inspection under the Implementing Regulation must be able to produce a specific set of documents, not general security policies.

Control domain Required documentation Evidence an inspector will examine
Risk management Current risk register with residual risk acceptance sign-off Date of last review, approver identity, link to asset inventory
Cryptography Cryptography and key management policy Algorithm list, key rotation logs, HSM custody records
Access control Role-based access control matrix and MFA policy User provisioning and deprovisioning logs, privileged session recordings
Supply chain Supplier register with criticality ratings Contractual clauses, most recent supplier security assessments
Incident handling Incident response plan with tested escalation procedure Tabletop exercise records, notification templates timed to 24-hour threshold
Business continuity BCP and DRP with recovery time objectives Last tested RTO/RPO results, backup verification logs

IBM’s Cost of a Data Breach Report 2024 records the average cost of a data breach at USD 4.88 million, the highest in the report’s history, which provides a financial baseline for the cost-benefit calculation that should accompany a compliance officer’s risk acceptance decisions. ENISA’s NIS Investments Report 2024 found that approximately 40 percent of newly in-scope organisations lacked a documented risk assessment at the time of measurement, meaning a substantial share of regulated entities are already in a documentation gap. ENISA’s Threat Landscape 2024 recorded more than 1,000 significant incidents reported to national authorities across the EU in 2023, underscoring that inspection triggers are real and frequent.

Alignment and Divergence with DORA’s ICT Risk-Management Framework

Financial entities supervised under DORA Regulation (EU) 2022/2554 face a dual-regime question: which obligations overlap, and where must they produce separate evidence streams?

DORA functions as a lex specialis for financial entities. Where its ICT risk-management requirements are deemed equivalent to NIS-2’s, national competent authorities may accept DORA compliance as satisfying the corresponding NIS-2 obligation. In practice, the overlap is substantial for incident classification, business continuity, and third-party risk management. Both frameworks require documented ICT risk assessments, recovery capability testing, and contractual requirements on critical ICT third-party providers.

The divergence appears at the level of technical specificity. Implementing Regulation 2024/2690 specifies cryptographic policy requirements and supply-chain contractual clauses in more prescriptive terms than DORA’s ICT risk-management framework, which tends to operate at the level of principles and outcome descriptions. A bank that is DORA-compliant may therefore still need supplementary documentation to satisfy a NIS-2 inspection if the bank also operates infrastructure that falls within the Implementing Regulation’s scope categories, such as a private cloud platform offered to other financial institutions.

Let op: Entities subject to both DORA and Implementing Regulation 2024/2690 should map their control frameworks side by side before the first inspection. Assuming full equivalence without a documented gap analysis is the most common compliance error for dual-regulated financial infrastructure operators.

The January 2026 Amendment Proposals and Micro-Enterprise Scope

The Commission’s amendment proposals discussed in early 2026 do not remove the general size-based exemptions that allow micro and small enterprises to fall outside NIS-2 scope. Instead, they tighten the criticality-override pathway: a small entity providing a service for which no reasonable alternative exists within an EU Member State, such as a niche MSSP serving a single critical-infrastructure sector, can be designated in-scope by the relevant national authority regardless of headcount or annual turnover. The proposals also clarify the criteria national authorities must apply before making such a designation, requiring a documented assessment of market concentration and substitutability. For compliance officers at small operators serving essential-sector customers, this means that a sector-by-sector analysis of whether a criticality designation could apply is now a prudent precaution, even for entities that have previously assumed they were below the threshold.

FAQ

When did Commission Implementing Regulation 2024/2690 enter into force and when must entities comply?

The Regulation was published on 17 October 2024 and entered into force twenty days after publication in the Official Journal of the European Union. As a directly applicable EU regulation it required no national transposition. The applicability date aligns with the NIS-2 national implementation timeline, meaning entities within its scope were expected to have controls in place from that date onward.

Does the Implementing Regulation apply to every NIS-2 entity, or only to specific sectors?

It applies to a defined subset: DNS service providers, TLD registries, cloud computing service providers, data centre service providers, content delivery networks, MSPs, MSSPs and certain platform providers. Other NIS-2 essential and important entities remain subject to Article 21 directly but are not bound by the Implementing Regulation’s specific technical requirements unless national law extends its reach.

How does a compliance officer demonstrate conformance during a national authority inspection?

The officer must produce a current risk register, written policies on cryptographic controls and key management, a role-based access control matrix with MFA evidence, a supplier register with contractual security clauses, incident response plans with documented test dates, and business continuity evidence including tested recovery time objectives. ENISA’s 2025 technical guideline maps each of these artefacts to the corresponding Implementing Regulation provisions.

Are entities subject to both NIS-2 and DORA required to comply with both regimes separately?

DORA operates as a lex specialis, and national authorities may accept DORA compliance as satisfying equivalent NIS-2 obligations. However, the greater technical specificity of Implementing Regulation 2024/2690 around cryptographic policies and supply-chain contracts may require additional documentation even for fully DORA-compliant financial entities that also operate in-scope infrastructure categories.

Do the 2026 NIS-2 amendment proposals change the scope thresholds for micro and small enterprises?

The proposals do not remove existing size-based exemptions but tighten the criticality-override pathway. A small enterprise providing an irreplaceable service to essential-sector operators can be designated in-scope by national authorities, and the proposals set clearer criteria for when that designation is permissible. Small operators serving critical-infrastructure customers should conduct a documented substitutability analysis rather than assuming size exemptions apply automatically.

Frequently asked questions

When did Commission Implementing Regulation 2024/2690 enter into force and when must entities comply?
The Regulation was published on 17 October 2024 and entered into force twenty days after publication in the Official Journal. Because it is a directly applicable EU regulation rather than a directive, no national transposition is needed; entities must comply from the date of applicability as specified in the text, which aligns with the NIS-2 national transposition timeline.
Does the Implementing Regulation apply to every NIS-2 entity, or only to specific sectors?
The Implementing Regulation targets a defined subset of NIS-2 entities: DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking platforms. Other essential and important entities remain subject to NIS-2 Article 21 directly but are not bound by the specific technical requirements of 2024/2690 unless national law extends its scope.
How does a compliance officer demonstrate conformance during a national authority inspection?
A compliance officer should produce a current risk register mapped to each Article 21 measure, written policies covering cryptographic standards, access control, vulnerability handling and supply-chain due diligence, evidence of periodic penetration testing and audit logs, incident response plans with documented test dates, and contractual clauses with every material supplier. ENISA's 2025 technical guideline provides a checkpoint structure that maps directly to this documentation set.
Are entities subject to both NIS-2 and DORA required to comply with both regimes separately?
Yes, but with an important sectoral carve-out. DORA Regulation (EU) 2022/2554 establishes a lex specialis for financial entities supervised under its scope: where DORA's ICT risk-management requirements are at least equivalent to those of NIS-2, national competent authorities may treat DORA compliance as satisfying the corresponding NIS-2 obligation. However, the technical specificity of Implementing Regulation 2024/2690, particularly around supply-chain contracts and cryptographic controls, may require additional documentation even for DORA-compliant financial entities.
Do the January 2026 NIS-2 amendment proposals change the scope thresholds for micro and small enterprises?
The Commission proposals discussed in early 2026 focus on clarifying the criteria by which micro and small enterprises operating critical services, such as sole-provider DNS operators or niche MSSPs, fall within NIS-2 scope regardless of headcount or turnover. The proposals do not remove existing size-based exemptions in general but tighten the 'criticality override' pathway, meaning a small entity providing an irreplaceable service to essential-sector operators could be designated in-scope by national authorities even if it would otherwise qualify for exemption.