With less than two months to go until the 17 October 2024 deadline, only three of the 27 EU member states – Belgium, Croatia and Hungary – have adopted the laws needed to implement the Network and Information Security 2 Directive (NIS 2) in their national legislation. Although this directive is essential to strengthen the cyber security of critical infrastructures, it struggles to be implemented uniformly across Europe. Why such a delay when time is running out?
The NIS 2 directive marks a significant development compared to its predecessor, NIS 1. Not only does it expand its scope to 18 sectors – compared to 10 previously – it does so with unprecedented ambition. Now areas as diverse as energy, healthcare, finance and even food are subject to stringent cyber security requirements. This expansion is not accidental: cyber threats are multiplying, becoming more sophisticated and targeting more and more devices, including those that have been more spared until now.
Comparison between NIS 1 and NIS 2
The complexity of the NIS 2 Directive is undoubtedly one of the main reasons for the delay in its implementation in many Member States. The directive requires significant changes in the management of cyber risks, in many internal processes and above all in the responsibilities of managers. This in-depth review of national legislative frameworks is proving to be a long and often politicized process.
Expansion of scope : Where NIS 1 focused primarily on essential service operators and digital service providers, NIS 2 now includes critical sectors such as healthcare and digital infrastructure, reflecting increased awareness of the risks involved.
Reporting obligations : The incident reporting requirements under NIS 2 are more stringent and impose specific deadlines for each step of the notification process, a crucial measure for a rapid and coordinated response to cyber attacks.
Supervision and sanctions : With NIS 2, surveillance becomes more stringent. Regular audits are now the norm and penalties for non-compliance are increased, increasing corporate accountability.
Management responsibility : Unlike NIS 1, NIS 2 imposes personal responsibility on managers, making them directly responsible for the implementation of cyber security measures. A change reflects not only the increased severity of cyber threats, but also the need for proactive management at the highest level.
The obstacle to implementation: its legal and administrative complexity
Almost two months before the deadline set by the EU, only three of the 27 member states – Belgium, Croatia and Hungary – have passed laws to implement the NIS 2 directive. Other countries have made progress, but the situation remains unclear for states such as Ireland, Sweden and Spain, where little information has been communicated about the development of the legislative work.
In Germany, although the process is documented, it is unlikely that the country will meet the deadline. The bill, if approved, could enter into force in the spring of 2025. For their part, Denmark and the Netherlands have postponed the consideration of their respective proposals to the next legislative assembly for adoption in early 2025, citing the complexity of the task. Austria saw its bill fail in July in the national council, and a new attempt is not expected until after elections in September.
Some countries, such as Poland and the Czech Republic, adapt the directive by adding specific subcategories or expanding its scope. In Hungary, a strict classification of IT systems is imposed without distinguishing between essential and important installations.
Overall, while some states closely follow the text of the directive, others face legislative challenges or choose to introduce specific adaptations, which risks delaying uniform implementation at European level.
France is not a unique case
In France, for example, although a formal legal text awaits one parliamentary calendar, there is still uncertainty, especially regarding the integration or not of certain local authorities within the framework of the directive. This text already begins on the NIS2 adventure municipalities have a population of more than 30,000 inhabitants,the municipalities’ communities And public establishments of inter-municipal cooperation (EPCI) with its own tax system whose activities fall within activity sectors considered very critical or critical, as well as EPCIs without their own taxationif they carry out their activities in sectors considered very critical or critical and if their workforce exceeds the thresholds defined by legislation. But this text must now be discussed and changed, which is far from the priority at the moment.
A fragmented framework, challenge for multinational companies
For companies operating in several EU countries, the uneven implementation of NIS 2 represents a significant challenge. They have to deal with a fragmented legislative framework, where obligations vary not only from country to country, but also in terms of the timetable for their implementation. This difference complicates risk management and makes compliance even more difficult, especially for companies that may be required to comply with stricter regulations in some countries long before others have finalized their legislation.
In the meantime, companies must remain vigilant, adapt to different national requirements and, above all, prepare to navigate an increasingly complex and restrictive regulatory landscape.
The next months will be decisive. In this race against time, only the most proactive will succeed in avoiding the severe penalties that come with non-compliance with NIS 2, although we already know that application dates will inevitably slip.
Overview map of the status of the implementation of the NIS 2 Directive
in EU member states
Progress in the implementation of the NIS 2 Directive varies considerably between countries, with some Member States having already completed the process, while others are significantly delayed. (Source: https://www.mayerbrown.com/)
