NIS2 Directive Lags in Adoption and Implementation
Uptake by European Union member countries of a measure intended to beef up continental cybersecurity has hardly been enthusiastic. 15 months after EU nation-states were supposed to have implemented the Network and Information Security 2 Directive, fewer than two-thirds have done so fully. Key players such as France and Ireland haven’t even passed the necessary national legislation.
Experts are divided over the effect this situation has on Europe’s defensive capabilities at a time when the continent faces severe threats. Only on Wednesday, the Polish prime minister accused Russia of a wave of December cyberattacks on the country’s energy grid.
Either way, variations in NIS2 implementation – in terms of timing and the details of the implementing legislation – are proving tricky for the businesses meant to follow the letter of the law.
“Companies operating across borders face a level of uncertainty as they might have to plan compliance efforts in one country while navigating different requirements in another country,” said Simona Kaneva, the policy analysis and outreach manager at the European Cyber Security Organisation, a non-profit that provides coordination between private and public sectors across Europe.
Uncertainty was one of the big problems that NIS2 was supposed to fix.
The first NIS Directive, adopted in 2016, aimed to standardize the security practices of essential services in sectors such as energy and transport, and of digital services such as search and cloud. It was the first trading bloc-wide cybersecurity legislation, and it wasn’t very clear about things like which services were to be classified as essential, leading to uneven implementation at the national level. A 2020 report from the European Union Agency for Cybersecurity found that 35% of surveyed organizations were confused about NIS’s requirements.
To clear up that confusion, and also to address the evolving nature of the threat, 2022’s NIS2 removed the distinction between “essential” and “digital” services in favor of applying the law to any organization that provides “essential or important services.” The split between “essential” and “important” is a function of headcount and revenue thresholds, as well as the sector in which the entity operates – for example, large energy and digital infrastructure providers are essential, whereas medium-sized chemicals and manufacturing firms are important.
Overall, NIS2 covers sectors that escaped the first directive, such as waste management, postal services and social platforms. The newer law forces EU countries to adopt national cybersecurity strategies with policies for things like supply chain security, while boosting coordination between their Computer Security Incident Response Teams. It establishes a European cyber crisis liaison organization network. The national authorities established under the first NIS now have much stronger roles in overseeing organizations’ security practices.
Incident reporting requirements have been clarified and tightened. And, whereas the first NIS allowed countries to set their own penalties for non-compliance, NIS2 establishes penalties ranging from compliance orders to fines that can stretch as far as 2% of global annual revenue. Crucially, it also introduces criminal sanctions for board members.
But, NIS2 is still a directive. Unlike EU regulations such as the General Data Protection Regulation, which force member states to all implement one unified law, EU directives set only minimum levels of harmonization, allowing countries considerable leeway in the way they interpret the law beyond those baseline requirements.
Take the matter of board-level liability. Germany’s implementing law, which was passed in December and is yet to take effect, only refers to the executive branch of a company’s board. Belgium’s law specifies that liability extends to both executive and supervisory boards.
According to lawyer Alex van der Wolk, co-chair of Morrison Foerster’s global cyber practice, the headcount threshold for falling under NIS2’s requirements is another point of divergence – some countries, such as Germany, have chosen to only take the headcount of a company’s local entity into account, while others opt to focus on the company’s overall EU group headcount. NIS2 allows for both approaches.
In Belgium, where the government transposed NIS2 into local law in April 2024, months ahead of the largely missed October implementation deadline, the national regulator has had time to formulate very detailed guidance for organizations. This guidance specifies that when a group’s internal IT services are provided by a separate company within that group, that company could distinctly fall under NIS2’s requirements because it provides managed services, even if they are only internal-facing. “Other member states are silent on that,” said van der Wolk.
“You see a pretty decent baseline of harmonization” in countries’ interpretations of the directive, he added. “The deviations are in the details.”
Given the nature of EU directives, it is far from unusual for their implementation to have different paces and styles across countries, experts emphasized. “Some of the reasons behind delaying the transposition include elections and subsequent government changes, as well as the nature of each country’s legislative structures,” said Kaneva.
As for the effect on NIS2’s overall mission, van der Wolk pointed out that the impact on companies is limited by the fact that the first NIS already established the necessary national authorities and most of the structures for international cooperation.
Some see a potentially serious impact on Europe’s cybersecurity stance. “It’s definitely a problem, not least because offensive cyber operations are now a standard tool of statecraft,” said cybersecurity researcher and consultant Lukasz Olejnik. “Lack of NIS2 operationalization may be a helpful measure for external actors seeking to interfere with systems of EU states, particularly Western Europe. Russian cyberthreat actors may be the direct benefactors for the time being.”
“The NIS2 Directive aims to ensure a high level of cybersecurity across the EU,” said a spokesperson for the European Commission. “We therefore encourage all member states to transpose and implement NIS2 swiftly.”
There are even debates in Brussels now about whether a future NIS3 should be a directive or a more harmonized regulation, Kaneva confirmed when asked about such discussions, but stressed that ECSO has no position on this matter.
According to the Commission, the current state of NIS2 implementation is as follows:
- 17 member states have notified complete transposition: Belgium, Italy, Croatia, Greece, Lithuania, Malta, Romania, Slovakia, Cyprus, Denmark, Slovenia, Latvia, Czechia, Hungary, Portugal, Austria and Estonia;
- 3 member states have notified partial transposition: Germany, Finland and Poland;
- 7 member states have not yet communicated any transposition measures: Bulgaria, Spain, France, Ireland, Luxembourg, the Netherlands and Sweden.