NIS2 implementation enters the final stretch – six months to deadline
In six months’ time, on 17 October 2024, Member State laws that transpose the EU’s revised Network and Information Systems Directive (“NIS2”) will start to apply. As described in more detail in our earlier blog post (here), NIS2 significantly expands the categories of organizations that fall within scope of EU cybersecurity legislation. This new, cross-sector law imposes additional and more granular security and incident reporting rules, enhanced governance requirements that apply to organizations’ “management bodies,” and creates a stricter enforcement regime.
Organizations that are preparing for NIS2 need to keep a watchful eye on national implementing laws, competent authorities, and secondary legislation from the Commission on some of the substantive requirements.
Some Member States (e.g., Croatia) have already passed their transposing legislation, and others (e.g., Germany and Belgium) have published draft laws that are going through the legislative process. Despite the October deadline, many Member States have not yet published drafts or started their legislative process. NIS2 is a “minimum harmonization” law, meaning that Member States’ implementing laws can impose additional obligations beyond those set out in the text of the Directive.
As we enter the last six months before national laws start to apply, establishing which Member States’ competent authorities will have jurisdiction to enforce NIS2 will also be a critical assessment for regulated entities.
We also expect to see European Commission implementing acts that will flesh out NIS2 obligations, complementing guidance the Commission published earlier this year (see our blog here). These implementing acts were expected to be published in early 2024, but have not yet materialized. Watch this space.
* * *
The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS, NIS2, and other cyber-related regulations. If you have any questions about Member State transpositions of NIS2, how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.