- Many EU states have missed the NIS2’s original implementation deadline
- Critical sectors are concerned about the EU’s cyber-preparedness
- Companies such as Dahua Technology and Siemens have adopted comprehensive measures to promote NIS2 compliance
Ever since the EU Parliament passed the National Information Security Directive 2 in November 2022, 17 October 2024 had been earmarked as a landmark day in the history of European cyber security regulation.
It was to be the date when the EU’s sweeping new regulation, a replacement for the NIS Directive adopted in July 2016, would be implemented across the bloc’s 27 member states.
But as of the end of October 2024, only four EU member states – Belgium, Croatia, Hungary and Latvia – had completed the full transposition of NIS2.
Other states, such as Spain and Portugal, have yet to publish public drafts of their proposals to implement the Directive into national law.
The uneven implementation of NIS2 across the bloc has raised concerns among critical sectors that a lack of clarity over the regulation’s status will present unreasonable compliance challenges that could stymie some of the EU’s most dynamic companies, at a time when the bloc is desperately trying to stimulate economic growth.
What is the EU’s NIS2 directive?
NIS2 builds on the framework laid by the EU’s 2016 NIS Directive, the first EU-wide directive that aimed to harmonise national legislation on cybersecurity between its member states.
Much more modest in scope, the NIS Directive applied only to operators of essential services (ESP), defined to include energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructure.
NIS2 expands significantly on this scope, defining two new categories of service providers deemed ‘essential’ and ‘important’ to the national economy. The upshot is that nearly 160,000 organisations across the EU are now set to fall within the bloc’s new directive.
NIS2 lays out a more comprehensive framework of obligations: companies must now comply with a more stringent list of mandatory measures, including cybersecurity training and risk analysis policies, and with strict reporting timeframes for cybersecurity breaches, meaning notice must be given to the relevant authorities within set timelines.
NIS2 also carries far stricter penalties than its predecessor for non-compliance. ‘Essential’ businesses can now be fined up to €10 million or 2% of global annual revenue, whichever is higher, for failing to adhere to the directive, while ‘important’ businesses face still-substantial penalties of up to €7 million or 1.4% of global annual revenue, whichever amount is higher.
The urgency of the EU introducing more comprehensive regulations has been made clear by the spate of high-profile cyberattacks the continent has suffered in recent years.
Coordinating the response of EU nation states to cyber threats formed a significant part of the rationale for replacing NIS1 which, according to the EU Commission, ‘did not promote joint crisis response’.
But despite the high stakes, many EU member states remain far behind in the legislative process: although Germany, the Netherlands and Czechia have draft laws pending, Ireland, Greece and Spain remain further behind in the process.
How can companies get ahead of NIS2?
With all the uncertainty surrounding NIS2’s implementation, it’s understandable that many companies feel left in the dark about the bloc’s new directive. According to a recent cybersecurity report conducted by Microsoft, for example, only 20% of Irish companies are currently compliant with NIS2.
But some companies have taken steps to get ahead of the regulations. Dahua Technology, for example, have implemented measures in line with NIS2 such as vulnerability management and incident reporting policies, cryptography and encryption measures, product security management and risk assessment policies.
Meanwhile Siemens, a technology conglomerate based in Germany, have conducted dedicated training sessions for their employees to ensure wide awareness of the new directive.
Regardless of the NIS2’s implementation timeframe, the bloc’s recommendations are good practice for any company large enough to be vulnerable to cyberattack, and can help reassure customers of responsible data handling and prompt cyber incident response.
Conclusion
While NIS2’s implementation has not gone as smoothly as many within the Commission would have liked, it is clear that cybersecurity has become a primary concern for multinational companies, whose reliance on complex digital systems inevitably creates openings for malign cyber actors.
By adopting measures that have been implemented by companies such as Dahua and Siemens, businesses can not only get ahead of the EU’s incoming NIS2 directive, but also proactively put in place the structures necessary for responsible cyber incident response.