NIS 2 Cybersecurity Directive Faces Implementation Challenges Across EU Member States
New European Union regulations aimed at enhancing cyber defenses for businesses are facing challenges, as many member states have not yet adopted the necessary rules to meet a critical enforcement deadline, according to a recent analysis of the directive’s progress.
The EU’s NIS 2 cybersecurity directive sets rigorous standards for companies regarding their internal cybersecurity systems and practices. It imposes stricter requirements on risk management, transparency obligations, and business continuity planning in the event of a cyber breach.
As of Thursday, the deadline for member states to transpose the directive into national law has passed, meaning businesses in scope are now expected to comply with its provisions. However, most EU countries have yet to write NIS 2 into their national laws, so enforcement is likely to be inconsistent across the bloc for some time.
Currently, two countries—Portugal and Bulgaria—have not initiated the transposition process for NIS 2, which involves incorporating directives into national legislation.
“The implementation status varies significantly across the bloc,” noted Tim Wright, a partner and technology lawyer at Fladgate.
What is NIS 2?
NIS 2, or the Network and Information Security Directive 2, is an EU directive designed to bolster the security of IT systems and networks throughout the bloc. Initially proposed in 2020, this law updates an earlier directive simply called NIS.
NIS 2 broadens the scope of its predecessor to tackle more contemporary cybersecurity challenges, as cybercriminals have developed new methods to breach companies and compromise sensitive data.
The directive applies to organizations within the EU that provide essential services to consumers, including banks, energy suppliers, healthcare institutions, internet providers, transport firms, and waste management companies.
Under the new regulation, businesses will have a “duty of care” to report and share information about cyber vulnerabilities and breaches, even if it involves disclosing their status as victims of a cyber attack.
In the event of a significant incident, businesses must send an early warning to the relevant national authority within 24 hours of becoming aware of it, followed by a fuller incident notification within 72 hours and a final report within a month. That 24-hour clock is tighter than the 72-hour window stipulated for personal data breaches under the General Data Protection Regulation (GDPR).
Furthermore, companies are required to assess their technology vendors for cyber threats and vulnerabilities individually.
Will it be effective?
The effectiveness of NIS 2 will largely depend on consistent implementation and enforcement among EU member states.
“Bad actors may target countries lagging in their NIS 2 transposition or exploit weaknesses in supply chains, focusing on smaller, less-secure vendors to gain access to larger, better-protected organizations,” warned Wright.
Businesses have been preparing their internal processes and controls for years in anticipation of the Thursday deadline. Chris Gow, the EU public policy lead at enterprise tech firm Cisco, indicated that the inconsistent implementation of NIS 2 has been exacerbated by local adaptations of the law.
This inconsistency can create challenges, particularly for smaller organizations with limited resources. Gow advises companies not to feel overwhelmed by the discrepancies but instead to identify a common core of security controls and processes that will facilitate compliance.
What if a company fails to comply?
For “essential” entities, such as transport, finance, and water companies, non-compliance with NIS 2 could result in fines of up to 10 million euros ($10.9 million) or 2% of global annual revenues, whichever is higher.
Meanwhile, “important” businesses, including food companies, chemicals firms, and waste management services, may face fines of up to 7 million euros or 1.4% of their global annual revenues, whichever is higher, for breaches.
Additionally, companies may encounter potential service suspensions and increased scrutiny if they do not comply with NIS 2.
“NIS 2 makes it clear that significant fines, possible service suspensions, and compliance monitoring are being employed to encourage organizations responsible for critical services to address cybersecurity threats effectively,” noted Carl Leonard, EMEA cybersecurity strategist at Proofpoint.
He added, “A baseline has been established regarding risk management and mitigation measures, including incident handling, staff training, and leadership accountability.”