Out-Law Analysis | Reading time: 11 min.

NIS2 compliance hampered across EU as October deadline approaches


Embedding cybersecurity controls into everyday business processes can help businesses comply with wide-ranging new EU cyber legislation that is due to take effect next month, but that task is being made more difficult by slow progress by EU countries in implementing required laws.

The EU’s second Network and Information Security Directive (NIS2) will strengthen existing cybersecurity risk management and incident reporting obligations that have applied under the original NIS regime and extend them to thousands of other businesses. However, as we explore below, some EU member states look set to miss the 17 October deadline for implementing the directive into their national legislation.

NIS2: the basics

NIS2 builds on the original NIS directive which took effect in the EU in 2018 and imposes cybersecurity risk management and incident reporting obligations on in-scope organisations under a tiered system of regulation.

Increased scope

‘Essential entities’ face the strictest requirements and most comprehensive regulatory oversight – including, potentially, on-site inspections and targeted, independent, security audits – while ‘important entities’ face lighter touch regulation. Each EU country must establish a list of essential and important entities within their jurisdiction by 17 April 2025.

The concept of ‘essential entities’ replaces the concept of ‘operators of essential services’ that applied under the original NIS regime – but it is much broader in scope. While employee and turnover thresholds mean smaller organisations will be outside of its scope, the concept is expected to capture existing operators of essential services in sectors such as energy, financial services, transport and health, as well as businesses that have not previously been subject to NIS regulation – including providers of electronic communication networks or services; pharmaceutical companies; operators of hydrogen production, storage and transmission; and potentially businesses designated as ‘very large online platforms’ under the EU’s Digital Services Act too.

The concept of ‘essential services’ will also extend to some businesses that faced lighter touch regulation under the original NIS regime, such as cloud computing providers. Data centre service providers are among the other technology providers expected to be classed as ‘essential services’ too.

The concept of ‘important entities’ captures providers of online search engines, online marketplaces and social networks, as well as manufacturers of computers and vehicles, businesses engaged in food production and processing, chemicals companies, and waste management providers.

Extraterritorial effect

The directive applies to relevant entities which provide their services or carry out their activities within the EU. There are specific mechanisms in place to govern how technology and platform providers not established in the EU are governed, including an obligation to designate a representative in the EU.

Cybersecurity risk management

Organisations subject to the NIS2 regime are obliged to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.

The precise cybersecurity measures each organisation must implement to comply with their legal obligations under NIS2 will depend on factors such as their size, exposure to risk, the likelihood of occurrence of incidents and their severity, and the availability and cost of implementing technology or international standards. However, specific cybersecurity measures endorsed in the legislation include policies on risk analysis and information system security, those regarding incident handling, access control policies and the use of multi-factor authentication or continuous authentication solutions.

Supply chain security must also be considered, including the vulnerabilities “specific to each direct supplier and service provider” as well as “the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures”.

Personal liability

“Management bodies” must “approve the cybersecurity risk management measures taken” and oversee their implementation. Individuals in those bodies could be held personally liable if the organisation fails to comply with its cybersecurity obligations under NIS2.

Incident reporting

NIS2 also sets out new cybersecurity incident reporting rules. Any incident that has “a significant impact” on in-scope services must be notified to national computer security incident response teams (CSIRTs) or regulators. These are incidents that have caused or are capable of causing severe operational disruption of the services or financial loss for the entity concerned; or that have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage.

A staged approach to incident notification is provided for under the directive, with obligations kicking in after 24 hours, 72 hours and within a month of the incident.

Enforcement

Fines of up to €10m, or 2% of an organisation’s annual global turnover, whichever is highest, can be imposed on essential entities. For important entities, the equivalent thresholds are €7m and 1.4% of turnover.

Patchy implementation

While the contents of NIS2 were finalised in late 2022 and came into force in EU law in early 2023, EU member states are required to transpose the directive into respective national legislation by 17 October 2024. However, it is clear that some EU countries will not have the relevant implementing legislation in place by this deadline, let alone the wider frameworks of guidance that would provide impacted organisations with the tools to work towards compliance.

France

According to Annabelle Richard of Pinsent Masons in Paris, political uncertainty in France following a snap summer election has delayed implementation of NIS2 in the country.

“The draft transposition law is ready, and has been for some time, to be reviewed by the French parliament. The transposition, as it is currently drafted, does not aim to gold-plate the directive. It seeks to simplify information system security rules, by limiting the accumulation of regulatory requirements. Unfortunately, the dissolution of the national assembly and the delay in appointing a new prime minister has significantly derailed the process. It is not possible at this point to confirm whether the law will be adopted before 17 October 2024.”

“Beyond the legal framework, a number of regulatory texts will also be necessary to complete the regulatory framework under NIS2. All these texts have been drafted and are ready to be reviewed and adopted with the law when it is voted on,” she said.

Richard said the number of NIS-regulated organisations in France is expected to multiply by 30 – from 500 to around 15,000 – and the sectors concerned increase from six to 18. She said there is already some guidance in France to help businesses meet their obligations under NIS2.

“The French National Information Security Agency (ANSSI) intends to support in-scope organisations as much as possible and does not intend to impose immediate blind sanctions – it is already possible to find information about NIS2 and its implementation in France on ANSSI’s website, including a test to determine whether a specific activity will fall within the scope of the regulation,” Richard said.

Germany

Daniel Widmann of Pinsent Masons in Munich said Germany will not meet the 17 October 2024 deadline for implementing NIS2, adding that it is expected that Germany will not pass the implementing law until the beginning of 2025.

Widmann said: “With its implementation law, Germany is seeking to narrow the scope of national NIS2 regulation compared to the EU directive.”

“According to the current version of the German implementation law, when determining the number of employees and the annual turnover, only ‘the business activity attributable to the type of establishment’ is to be considered. This means that only the part of the legal entity that carries out the business activities listed in the NIS2 annexes will be taken into account when calculating the NIS2 thresholds and not other parts of the business, like HR or finance,” he said.

“Some German legal experts have questioned whether restricting the scope of NIS2 in this way will be compatible with the requirements of EU law and so there is concern that it might lead to legal uncertainty. To be on the safe side, German companies wondering whether they are in scope of NIS2 are advised to consider the wording of the NIS2 Directive rather than the current wording of the German implementation law,” Widmann said.

Spain

Paloma Bru and María Gutiérrez-Bolívar Fernández of Pinsent Masons in Madrid said Spain too could miss the 17 October 2024 implementation deadline for NIS2, since a draft implementing law has still to be published.

“Although the NIS2 Directive has not yet been transposed at national level, Spanish companies should include this regulation in their compliance agenda, as it is possible that, as with the NIS Directive, it will be transposed using the regulatory tools that allow for an urgent procedure, such as a Royal Decree Law, which would speed up the legislative process,” Bru said.

Gutiérrez-Bolívar Fernández added: “Companies already affected by the original NIS Directive, as well as those that may be affected by the extension of the sectoral scope of NIS2, should familiarise themselves with this regulation in order to reach the level of maturity required by the directive and therefore avoid possible sanctions once it becomes fully effective in Spain. To this end, it is essential to carry out a gap analysis and work on developing a robust cybersecurity foundation that meets the high standards of NIS2.”

The Netherlands

The Dutch government confirmed early this year that it would miss the NIS2 implementation deadline; however, there has been some progress towards transposition of the directive since.

Amsterdam-based Andre Walter of Pinsent Masons said: “The draft implementation law – Cyberbeveiligingswet – has been published for consultation and, following the end of the online consultation period in July, is currently being reviewed on the basis of the feedback received. The proposals are expected to be updated and then submitted to the Dutch parliament. It is expected that the adoption process of the new Cyberbeveiligingswet will take until the second quarter of 2025 to complete.”

In the Netherlands, the Rijksdienst Digitale Infrastructuur will be the competent authority for NIS2 for many, but not all, in-scope organisations. A self assessment tool to help companies assess whether they are in scope of NIS2 has been published in the Netherlands, while the Dutch government has also provided a ‘quick scan’ tool to support high-level compliance.

Luxembourg

A draft Bill to implement NIS2 has been produced and was referred in March to the Committee on Institutions within Luxembourg’s parliament, but it has not yet been published in final form.

Aurélie Caillard of Pinsent Masons in Luxembourg said the draft Bill makes provisions for a mechanism, which is already in effect, that allows businesses to self-register for the purposes of NIS2 regulation in the country.

“Entities using the self-registration mechanism need to specify their contact details, their sectors and activities, their geographical presence and size and, where applicable, the group of entities to which they belong,” Caillard said.

“The draft Bill provides that the Luxembourg Regulatory Institute (ILR) or the Commission for the Supervision of the Financial Sector (CSSF) will confirm to the entity concerned its designation as an essential or important entity under NIS2,” she said.

According to the ILR, the deadline for self-registering for NIS2 in Luxembourg will depend on the entry into force of the future law transposing the NIS2 Directive into Luxembourg law.

The ILR has also said that it is open to it to identify an entity as important or essential in accordance with its criticality for Luxembourg, even if the entity does not fall within the scope of NIS2 by default.

“The ILR has confirmed that organisations that were subject to the original NIS Directive as well as providers of electronic communications networks and services do not need to complete the self-registration process for NIS2,” Caillard said, highlighting that those organisations can expect the ILR to confirm and notify them of their classification as either ‘essential’ or ‘important’ entities.

Caillard said that businesses in Luxembourg are set to get help towards meeting their NIS2 incident reporting obligations as ILR has indicated its intention to update the existing SERIMA risk analysis platform it operates to enable the reporting of significant incidents.

She added that businesses in scope of NIS2 in Luxembourg will be expected to notify the ILR or CSSF of the cybersecurity measures they put in place to meet their cybersecurity risk management obligations under the law.

“This requirement, which will be specified by the competent authority by means of a regulation or circular, is in line with existing notification requirements under Luxembourg telecommunication regulations – the ILR is the Luxembourg competent authority regarding telecommunications.”

Ireland

The General Scheme for the National Cyber Security Bill 2024 (the NCS Bill), which provides the general scheme of the legislation that will incorporate NIS2 into national Irish law, was published on 30 August.

According to Nicola Barden of Pinsent Masons in Dublin, the drafting of the NCS Bill was prioritised over the summer so that Ireland can meet the 17 October implementation deadline. However, it still needs to be put before the Oireachtas, the Irish parliament, and is subject to further review and change.

The National Cyber Security Centre (NCSC) in Ireland has been designated as the competent authority for certain entities, while the roles of the Cyber Crisis Management Authority and the Computer Security Incident Response Team will also be performed by, or sit within, the NCSC, under the NCS Bill. The NCSC has said that it is “committed to engaging with its constituents and stakeholders to ensure that NIS2 requirements are communicated ahead of time, and where possible, provide suitable advice and guidance on implementation”.

The NCSC has confirmed that it will be publishing an “Am I in Scope?” tool soon but it has warned that the tool is not intended to provide a definitive answer. It will give users a chance to think about aspects of their business which could bring them into scope, Barden said, adding: “This will be a useful tool but businesses which might be caught should start to look at the content of the NCS Bill itself, as 17 October is fast approaching.”

Actions for businesses

In our work at Pinsent Masons, we have seen a growing number of enquiries from businesses about NIS2 – both in terms of its scope, as it applies across a wide range of sectors, and on the substance of the compliance requirements – in recent months.

Queries have not just come from EU businesses – we have also fielded requests for help from businesses in the UK, US and further afield, reflecting the fact that NIS2 has extra-territorial effect.

The delayed implementation of NIS2 across EU member states has hampered organisations seeking to ensure their compliance, as there remains a lack of clarity over the precise legal requirements they will face in each jurisdiction. However, there are things businesses can do now.

Experts in Pinsent Masons’ cyber team have already helped clients assess whether they are in scope, and helped them to understand their current control framework to build familiarity with the expected controls required by NIS2.

Some of the overarching and minimum requirements of NIS2 should be grouped to efficiently and effectively implement required information security controls, which should be applied within a broader information security management system. There is likely to be some overlap in controls, which is fine for ensuring a holistic and robust approach to cyber defence.

Once controls are identified, organisations should seek to integrate them into their current control framework so that operations become seamless. As organisations dive into the specific requirements, other standards and frameworks can be used for building appropriate technical and organisational measures to satisfy the requirements of NIS2 – such as ISO 27001:2022. This approach makes it easier for operational teams to manage and deploy their controls and for organisations to evidence compliance when required. 
