Critical Infrastructure Security , Standards, Regulations & Compliance
Most EU Nations to Miss Upcoming NIS2 Deadline
Only Six Nations Have Incorporated NIS2 Into National StatuteMost European countries are set to miss a trading bloc deadline for implementing a key cybersecurity regulation that requires measures such as mandatory security auditing for essential services such as hospitals and banks.
See Also: A Secure Platform to Transform Financial Services
The European Union Network and Information Security Directive, or NIS2, imposes cybersecurity risk management and incident reporting obligations for organizations working across critical sectors such as finance, energy and healthcare.
Although the regulation came into force early last year, EU national parliaments have a deadline of Oct. 17 to turn the law into national regulation. Key features of the law include requiring EU states to establish a computer security incident response team to coordinate incident reporting and information sharing.
With just days left before the deadline to kick in, many EU countries have acknowledged they will likely miss the deadline and will mostly implement the regulation in the first half of next year.
In Ireland the Department of the Environment, Climate and Communications that published the draft version of the NIS2 in August, confirmed the country will miss the Thursday deadline and that the country is likely to implement the directive in 2025.
While in Germany, the initial parliamentary debate for the proposed national NIS2 bill only took place last week.
Similarly in France, a draft regulation has not been finalized by the French parliament and a lack of political consensus among the lawmakers.
"However, this does not mean that regulated entities here in Ireland, or indeed other countries that miss the ratification deadline, can sit back and ignore the NIS2 October 17th deadline. NIS2 will still come into effect on that date, and organizations will be held accountable under the EU NIS2 Directive," said Brian Honan, who heads Dublin-based BH Consulting.
Six countries - Belgium, Croatia, Greece, Hungary, Latvia and Lithuania - have integrated the NIS2 into national statute.
Honan added in Ireland, the newly established National Competent Authorities under the proposed General Scheme of National Cyber Security Bill will monitor adherence to the directive.
The NIS2 Directive categorizes critical sectors as "essential" and "important," based on size, sector and criticality. The regulation recommends that enforcement agencies within EU member states conduct security inspections, issue warnings about violations, as well as report cybersecurity incidents within 24 hours. National cybersecurity emergency response teams are required to share information on cyberthreats, vulnerabilities and incidents.
Any violation of the regulation could cost essential companies 10 million euros or 2% of the global annual revenue. The maximum penalty for important services is 7 million euros or 1.4% of the global annual revenue.