**"Cybersecurity: The New Era of Protection with the European Implementing Regulation"**

![Visual Impact on Cybersecurity](https://example.com/impatto_cybersecurity.jpg)

# Cybersecurity: New Rules for a Safer Future

October 17, 2024, marks a crucial date for strengthening cybersecurity in Europe. The European Commission has officially approved the Implementing Regulation related to cybersecurity measures and significant cyber incidents, in line with the NIS2 Directive, which aims to ensure a high level of cybersecurity across the continent. This directive is particularly important in an era where cyber threats are becoming increasingly sophisticated and widespread.

## Understanding the Implementing Regulation

The Implementing Regulation consists of 43 recitals, 16 articles, and an Annex outlining detailed rules for managing cybersecurity. But who does it apply to? The rules target a broad range of actors in the digital sector, from cloud service providers to managed IT and security service providers, from online marketplaces to search engines and social platforms. This broad approach reflects the growing interconnection in an increasingly digital world.

### Main Objectives

The Regulation aims to clearly outline the responsibilities of various entities in the event of significant cybersecurity incidents. In particular, Article 1 establishes technical and methodological requirements for different service providers, providing a clear roadmap for addressing cyber threats.

## When Is an Incident Considered Significant?

One of the key aspects of the Regulation is the definition of when an incident may be considered “significant.” According to Article 3, there are specific criteria to consider:

1. **Economic Losses**: The incident causes, or could cause, financial damage exceeding €500,000 or equivalent to 5% of the entity's annual revenue for the previous year.
2. **Data Exfiltration**: The incident involves the leakage of trade secrets.
3. **Impact on Health**: Situations where the incident could cause harm to health or even the death of individuals.

These criteria are decisive for monitoring and managing incidents that could compromise user and information security.

### Recognizing Collectively Significant Incidents

Often, a single incident may not appear relevant, but the Regulation stipulates that recurring incidents can be considered significant on a collective level. Article 4 states that if two or more events occur with the same apparent cause within six months, they can be assessed together. This collective analysis logic provides a broader framework for assessing risks and planning responses.
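As an added illustration, not code from the article or from the Regulation itself, the Python helper below encodes the page's summary of Articles 3 and 4: the three significance criteria, plus the grouping of incidents that share an apparent cause within six months so they can be assessed together. The class and function names, the 183-day approximation of six months, and the summing of losses across a group before applying the economic test are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds follow the article's summary of Article 3; the six-month window of
# Article 4 is approximated as 183 days (an assumption of this example).
LOSS_THRESHOLD_EUR = 500_000
REVENUE_SHARE = 0.05
WINDOW_DAYS = 183
@dataclass
class Incident:
    ident: str
    occurred: date
    apparent_cause: str
    loss_eur: float = 0.0
    trade_secret_leak: bool = False
    health_impact: bool = False
def economic_criterion(loss_eur: float, revenue: float) -> bool:
    """Loss above EUR 500 000, or at least 5% of the previous year's revenue."""
    return loss_eur > LOSS_THRESHOLD_EUR or (revenue > 0 and loss_eur >= REVENUE_SHARE * revenue)
def is_significant(inc: Incident, revenue: float) -> bool:
    """Article 3 as summarised above: any single criterion suffices."""
    return economic_criterion(inc.loss_eur, revenue) or inc.trade_secret_leak or inc.health_impact
def recurring_groups(incidents: list) -> list:
    """Article 4 as summarised above: 2+ same-cause incidents, each within WINDOW_DAYS of the last."""
    ordered = sorted(incidents, key=lambda i: (i.apparent_cause, i.occurred))
    groups, chain = [], []
    for inc in ordered:
        if chain and (inc.apparent_cause != chain[-1].apparent_cause
                      or (inc.occurred - chain[-1].occurred).days > WINDOW_DAYS):
            groups.append(chain)
            chain = []
        chain.append(inc)
    groups.append(chain)
    return [g for g in groups if len(g) >= 2]
def triage(incidents: list, revenue: float) -> dict:
    """Label incidents; group losses are summed first (the summing is this example's assumption)."""
    labels = {i.ident: "significant" if is_significant(i, revenue) else "not significant"
              for i in incidents}
    for group in recurring_groups(incidents):
        if economic_criterion(sum(i.loss_eur for i in group), revenue):
            for i in group:
                if labels[i.ident] == "not significant":
                    labels[i.ident] = "collectively significant"
    return labels
# Constructed sample: two sub-threshold outages with one cause inside six months, plus a leak.
SAMPLE = [
    Incident("INC-1", date(2024, 1, 10), "misconfigured WAF rule", loss_eur=150_000),
    Incident("INC-2", date(2024, 3, 2), "misconfigured WAF rule", loss_eur=200_000),
    Incident("INC-3", date(2024, 6, 1), "phishing", trade_secret_leak=True),
]
```

With a prior-year revenue of €5,000,000 (5% = €250,000), neither outage is significant on its own, but assessed together under the Article 4 logic their combined loss crosses the 5% line, while the trade-secret leak is significant by itself.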

## Security Measures and Risk Management

The Regulation also provides guidelines on risk management and the security policy of network and information systems. According to Article 1 of the Annex, each entity is required to develop a clear security policy that specifies roles and responsibilities. It is essential that this policy is communicated to all staff and external parties involved, fostering an atmosphere of shared responsibility.

### Risk Management

Risk management is a key element of any cybersecurity strategy. Article 2 of the Annex requires entities to implement a risk management framework that allows for the identification and mitigation of risks associated with network and information systems. This includes reviewing risk assessments and treatment plans at least annually, and additionally whenever significant changes occur.

### Supply Chain Security

Another crucial aspect is supply chain security. Article 5 of the Regulation emphasizes the importance of implementing a security policy that reduces risks associated with third-party dependencies. It is imperative that service providers adhere to contractually defined security standards to ensure adequate protection throughout the chain.

## A Step