17 October 2024 was the deadline for European Union (EU) Member States to transpose into national law NIS2, the sweeping cybersecurity directive that expands the scope of NIS1 to cover more sectors and impose broader security requirements. To coincide with the deadline, the EU published a corresponding Commission Implementing Regulation that Member States were expected to apply as of 18 October 2024. It clarifies what constitutes a significant incident that triggers the prescribed reporting obligations and also specifies the cybersecurity risk management measures for companies providing digital infrastructure and services. The measures are expected to be a model for other “essential” and “important” entities down the road.
More so than the directive itself, the Commission Implementing Regulation provides much-needed guidance that will enable all covered entities, whether essential or important, to move forward with improving their cyber resilience… even if their legislatures have stalled. Only a handful of countries reportedly met or came close to meeting the transposition deadline, and the roster varies from source to source. What happened, what didn’t happen, and what happens next?
Which Member States Met the Deadline?
According to this NIS2 Article 28 tracker tool, only two countries met the 17 October deadline, although the majority are making progress. According to the tracker, as of this writing these are the standings by phase:
- Transposed: Croatia, Italy
- Implementation: Belgium, Hungary, Latvia, Lithuania
- Not Started: Estonia
- Preparation: Remaining 20
The tracker may not be definitive, but it provides central access to the draft laws for each Member State and their status, along with comments. This is important because close-to-final draft documents can be held up for many reasons but still provide valuable information to help covered entities in various countries proceed.
Why Did So Few Member States Meet the 17 October Deadline?
While compliance levels may currently appear low, this is a common phase in the lifecycle of directives. Similar to a federation, the EU has limited legislative authority outside of specific domains where Member States have agreed to share sovereignty. For all other domains, including cybersecurity, directives must be incorporated into Member States’ national legislation, where they may be adapted to some degree.
National priorities, budgets and resources vary, so getting all 27 Member States to meet the same deadline can seem like herding cats. Some countries that prioritized transposing NIS2 into law were met with delays once the drafts reached their legislatures. For example, the snap election in France this summer and the ongoing political uncertainty have derailed NIS2 implementation there, although the draft transposition law has long been ready for parliamentary review.
Previous high-priority directives have met similar fates. In July 2024, only four governments — the Netherlands, Denmark, Finland and Sweden — submitted their National Energy and Climate Plans (NECPs) on time, a major blow to one of the EU’s attempts to curb emissions by 2030. And in July 2020, only five countries met the deadline to adopt the EU Waste Framework Directive into national law. It’s not uncommon for countries to openly state they will not make the deadline.
What’s Next? Upcoming NIS2 Deadlines
17 October 2024 is the NIS2 deadline stuck in everyone’s minds, but for covered entities, the clock doesn’t start ticking until your Member State passes legislation and notifies you that you’re subject to compliance. Only one more deadline is specified in the directive: 17 April 2025, and it’s also for Member States. They have six months from the transposition deadline (whether or not they met it) to categorize and notify entities they've deemed essential or important. Given the increase in sectors covered under NIS2, that will be another monumental effort. In France alone, the number of regulated organizations is estimated to balloon from 500 to 15,000. Many countries have published self-assessment tools so companies can move forward without waiting to be notified.
As with other EU directives, NIS2 also applies to companies outside the EU that provide covered services within the EU. If you fall in that category, you should self-assess whether NIS2 applies to you, as you likely won’t be notified.
EU directives cannot specify deadlines for covered entities; those are left to each country. However, given that NIS2’s seven broad security requirements have been known for at least two years, planning and implementation efforts should be well underway, including how you will meet the new incident reporting requirements. Here are some specific steps that will help you stay on track.
What Should Critical Infrastructure Entities Do Now?
Wherever you are in your NIS2 planning or implementation, now’s the time to accelerate. Many tools and resources are already online. Take advantage of what’s available as you move forward with these steps:
- Take your country’s self-assessment, if available, to determine if you are an important or essential entity. Per above, this also applies to foreign entities that provide covered services within the EU.
- Read the NIS2 implementing regulation and plan for compliance by assessing your readiness and identifying key technology, process and other gaps.
- Read your country’s transposition law. If still in draft, track its legislative progress, including comments. Either way, assess your readiness against the requirements and identify key technology, process and other gaps.
- Contact your country’s designated NIS2 competent authorities. Many countries have already named them. They will be your primary resources to answer questions about the implementing regulation and your country’s national law.
- Consult with cybersecurity vendors, lawyers and other experts for guidance, as well as with peers to see what they’re doing.
Align with NIST CSF 2.0
Even if you haven’t yet turned your attention to NIS2 compliance, you may be well on your way if your security program already aligns with other regulatory frameworks and standards, particularly the NIST Cybersecurity Framework (CSF), now NIST CSF 2.0.
The directive encourages adoption of established standards and best practices, and NIST CSF 2.0 is one of the most globally adopted frameworks across industries. Why? Because it offers a structured yet flexible approach to cybersecurity and provides a roadmap that organizations can easily follow. In addition to expanding the scope of NIS1 to new sectors, NIS2 places greater emphasis on governance and accountability, risk management, incident response and supply chain security. Each of these areas is addressed in NIST CSF, especially in version 2.0, which breaks out governance into a sixth function (Govern, Identify, Protect, Detect, Respond and Recover).
Nozomi Networks Is Here to Help
The NIS2 Directive aims to improve the overall level of cyber resilience across the EU, including cross-border harmonization. Like other EU directives, how well the initiative achieves that goal will depend on how consistently covered entities implement its requirements, how vigorously Member States enforce compliance, and how soon.
For covered entities, NIS2 compliance will necessitate a revision of security priorities, particularly in OT. This includes enhanced visibility of assets, regular risk analysis and expanded risk management beyond IT to encompass OT. For some entities, especially those in newly regulated sectors under the expanded scope, planning for, implementing and operationalizing these changes will take time. We can help you.
In our NIS2 mapping guide, we describe how critical infrastructure entities can leverage the Nozomi Networks platform to support all seven security requirements. We’ve also published several resources and have NIS2 experts available to help you on your compliance journey. As more details emerge, we’ll keep you informed about how to use our platform to meet requirements.