NIS2 Confusion: Concerns on Readiness as Deadline Nears

SeniorTechInfo

The EU’s NIS2 Directive Deadline Has Arrived: Are Organizations Ready?

Today marks the deadline for the EU’s Network and Information Security Directive 2 (NIS2) to be transposed into national laws, but concerns have been raised about organizations’ readiness to comply with its rules.

During a recent Infosecurity Magazine webinar, many participants expressed feeling unprepared to comply with the directive, which is set to take effect today.

Brian Honan, CEO of BH Consulting, highlighted that many organizations have not fully embraced the spirit of NIS, despite it being in place since 2016.

The original NIS directive applied to specific “essential” sectors, but NIS2 has expanded its scope to include a broader range of industries deemed either “essential” or “important.” This updated legislation is expected to impact around 150,000 large and medium-sized companies within the EU.

One major challenge for organizations is determining if they are subject to the directive’s requirements, especially for businesses involved in supply chains that operate within the EU market.

Variation in Member State Implementation

There is significant disparity among EU member states in terms of implementing NIS2 legislation, with some countries already compliant while others lag behind. This inconsistency raises concerns about the directive’s overall effectiveness.

Tim Wright, a Partner and Technology Lawyer at Fladgate, highlighted the wide variance in readiness among member states, with some having made little to no progress in transposing NIS2 into national law.

Furthermore, the NIS2 directive will face delays in France due to political factors, adding further confusion for affected organizations.

Urgent Need to Confirm Compliance Requirements

NIS2 introduces new requirements in areas such as incident response, supply chain security, data security, and training. Achieving compliance will require a significant investment for many organizations affected by the directive.

The directive imposes substantial fines for non-compliance, with penalties reaching up to €10m or 2% of global turnover for essential entities. Senior management is also held directly liable for compliance, increasing the stakes for organizations.

Keith Fenner, SVP and GM International at Diligent, emphasized the importance of GRC teams in ensuring organizational compliance with NIS2 requirements.

Organizations uncertain about their status under the directive are encouraged to seek external advice, engage with competent authorities, and seek legal guidance to avoid potential penalties.

Sarah Pearce, a partner at Hunton Andrews Kurth, stressed the indirect impact of NIS2 on organizations, stating that even those who believe they are not subject to the directive may be affected through their customers.

As the deadline for NIS2 compliance looms, organizations must take proactive steps to understand and meet the requirements to avoid potential penalties and ensure cybersecurity resilience in an evolving threat landscape.
