Most EU Nations to Miss Upcoming NIS2 Deadline

Only Six Nations Have Incorporated NIS2 Into National Statute
Europe has plenty of mountain ranges but not a lot of countries that have integrated the NIS2 directive into national statute. (Image: Shutterstock)

Most European countries are set to miss a trading bloc deadline for implementing a key cybersecurity regulation that requires measures including mandatory security auditing for essential services such as hospitals and banks.

The European Union Network and Information Security Directive, or NIS2, imposes cybersecurity risk management and incident reporting obligations for organizations working across critical sectors such as finance, energy and healthcare.

Although the regulation came into force early last year, EU national parliaments have a deadline of Oct. 17 to turn the law into national regulation. Key features of the law include requiring EU states to establish a computer security incident response team to coordinate incident reporting and information sharing.

With just days left before the deadline kicks in, many EU countries have acknowledged they will likely miss it and will mostly implement the regulation in the first half of next year.

In Ireland, the Department of the Environment, Climate and Communications, which published the draft version of the NIS2 in August, confirmed the country will miss the Thursday deadline and is likely to implement the directive in 2025.

In Germany, the initial parliamentary debate for the proposed national NIS2 bill took place only last week.

Similarly, in France, a draft regulation has not been finalized by the French parliament amid a lack of political consensus among lawmakers.

"However, this does not mean that regulated entities here in Ireland, or indeed other countries that miss the ratification deadline, can sit back and ignore the NIS2 October 17th deadline. NIS2 will still come into effect on that date, and organizations will be held accountable under the EU NIS2 Directive," said Brian Honan, who heads Dublin-based BH Consulting.

Six countries - Belgium, Croatia, Greece, Hungary, Latvia and Lithuania - have integrated the NIS2 into national statute.

Honan added that in Ireland, the newly established National Competent Authorities under the proposed General Scheme of National Cyber Security Bill will monitor adherence to the directive.

The NIS2 Directive categorizes critical sectors as "essential" and "important," based on size, sector and criticality. The regulation recommends that enforcement agencies within EU member states conduct security inspections, issue warnings about violations and report cybersecurity incidents within 24 hours. National cybersecurity emergency response teams are required to share information on cyberthreats, vulnerabilities and incidents.

Any violation of the regulation could cost essential companies 10 million euros or 2% of the global annual revenue. The maximum penalty for important services is 7 million euros or 1.4% of the global annual revenue.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



