With the national implementation deadline for the NIS 2 EU Directive now passed, businesses in scope should ensure they will soon be ready to comply with the strengthened cybersecurity requirements.
On December 14, 2022, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union ("NIS 2 Directive") was adopted. This updated framework for EU cybersecurity strengthens the requirements for sectors deemed essential and important to critical infrastructure, significantly expanding its scope compared to the former Directive (EU) 2016/1148 ("NIS 1").
Although the deadline for national implementation expired on October 17, 2024, the NIS 2 Directive's implementation is still at an early stage in most EU Member States.
Implementation Status Across the EU
The EU Member States were required to transpose the NIS 2 Directive into national law by October 17, 2024, and to apply the transposed provisions from October 18, 2024. By the transposition deadline, a limited number of countries (including Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania) had transposed the NIS 2 Directive into national law. In other countries, such as France and Germany, transposition drafts are still underway.
Aim and Scope
As flagged in our previous Alert, the NIS 2 Directive aims to enhance cybersecurity by removing divergences in NIS 1's implementation. It broadens the range of entities in scope to include medium-sized and large public and private organizations in eighteen (18) business sectors (see Annexes I and II of the NIS 2 Directive) and, regardless of their size, the specific categories of entities listed in Article 2 of the NIS 2 Directive.
Enforcement and Personal Liability of Representatives
In terms of enforcement, the NIS 2 Directive introduces substantial administrative fines, non-monetary sanctions, and personal liability of the legal representatives of entities in scope in the event of non-compliance.
Consequences of Belated Implementation
Failing to implement the NIS 2 Directive by the October 17, 2024, deadline entitles the European Commission to initiate infringement proceedings before the European Court of Justice against an EU Member State.
For organizations in scope, the delayed implementation of the NIS 2 Directive means that it does not apply after October 17, 2024, except for those of its provisions that may benefit from direct effect as from October 18, 2024. Direct effect is limited to provisions that are clear, precise, and unconditional, and which create rights for organizations vis-à-vis their Member State.
Although the NIS 2 Directive's implementation is still underway in most EU Member States, entities in scope should continue their preparation efforts: compliance with the NIS 2 Directive requires implementing a broad range of cybersecurity risk management measures, and non-compliance carries potentially serious consequences in the EU Member States in which the directive is, or becomes, in effect.