EU Member States Struggle NIS2 Implementation
The European Commission has reported that only Belgium and Croatia have notified their transposition of the updated EU cybersecurity rules, known as the Network and Information Security Directive 2 (NIS2), into their national laws. With the deadline of October 17, 2024, looming, the majority of the 27 member states have yet to comply. NIS2, approved in 2022, aims to bolster the resilience of critical sectors like energy, transport, and banking against cyber threats.
Belgium has fully implemented the directive, while Croatia has partially done so. The remaining 25 countries are under pressure to meet the deadline, as the directive significantly expands the scope of entities covered—from around 600 under NIS1 to nearly 15,000 under NIS2. Failure to comply could result in fines of up to €10 million or 2% of worldwide revenue, whichever is higher.
The French joint parliamentary committee has highlighted challenges in meeting the transposition deadline, noting that many newly included entities are unaware of the compliance requirements. In Germany, the adoption of implementing laws is not expected until early 2025, further complicating the situation.
This delay in transposition reflects broader issues with awareness and preparedness among businesses. The first directive from 2016 did not achieve its goals of improving cyber resilience and promoting joint crisis response, necessitating the overhaul with NIS2.
Source: Only Belgium and Croatia adopt EU cyber rules, week before deadline