Risk and Compliance
NIS2 is Here - Understanding the NIS2 Directive and Its Transposition Across Europe
January 22, 2025 | 6 min read
Alisdair McLaughlin
Technical Solutions Architect
The Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) is an important piece of European Union legislation aimed at bolstering cyber security across the member states. The deadline for member states to transpose NIS2 into national law was 17th October 2024, and while some member states met this deadline, many are still working to fully transpose the legislation.
Making NIS2 the Law
All EU countries were required to transpose NIS2 into law by 17th October 2024, but transposing the NIS2 Directive into national legislation is not without its challenges. Member states face several hurdles as they work to align their national laws with the directive's requirements:
- Diverse Cyber Security Maturity Levels: Member states vary significantly in cyber security maturity. While countries such as Belgium and Germany have mature cyber security frameworks, others lack the necessary infrastructure or expertise, which complicates transposition.
- Resource Limitations: Implementing the directive's requirements can be resource intensive. For smaller EU countries or those with limited budgets, securing the necessary funding and expertise to meet the directive's standards poses a significant challenge.
- Balancing National and EU Interests: While the directive aims for harmonisation, member states must balance EU-wide requirements with national priorities and existing frameworks. This balancing act can lead to delays or inconsistencies in transposition.
- Sector-Specific Adaptations: The directive applies to a wide range of sectors, each with unique characteristics and needs. Tailoring national legislation to accommodate these differences is a complex task.
- Cooperation and Information Sharing: While the directive emphasises collaboration, establishing effective mechanisms for information sharing among member states, and between the public and private sectors, remains a challenge. Trust and data privacy concerns can impede these efforts.
Current Progress and Notable Developments
Some countries have made significant strides in NIS2 implementation, while others are still in the early stages. On 27th November, the European Commission opened infringement procedures against the 23 member states that had not yet transposed the directive into national law. Here's an overview of the implementation status for various member states:
- Belgium: Probably the most advanced member state. Building on its CyFun (CyberFundamentals) framework and other established frameworks, Belgium has transposed the directive (its national law applies from 18th October 2024) and has published clear guidance on what in-scope organisations need to do.
- Italy: Transposed the NIS2 Directive into national law through Legislative Decree No. 138/2024, which came into effect on 18th October. Italy expects to complete its identification of in-scope entities by 31st March.
- Germany: Known for its robust cyber security infrastructure, Germany has been proactive in preparing its transposition, although it did not meet the deadline. The country has focused on enhancing its existing frameworks and ensuring that businesses are prepared to comply with the new standards. Adherence to standards such as ISO 27001 is advised as a way of demonstrating NIS2 compliance, although certification alone does not constitute compliance: the directive's risk-management and incident-reporting obligations still need to be mapped to the standard's controls and gaps closed.
- France: France has been active in aligning its national laws with the directive. The country has invested in public-private partnerships to foster information sharing and improve cyber security resilience.
- Central and Eastern Europe: Countries in Central and Eastern Europe face particular challenges due to varying levels of cyber security maturity. Efforts are underway to build capacity and infrastructure to meet the directive's requirements. Hungary has made good progress but has yet to fully transpose the directive, while in Croatia the Regulation on Cyber Security came into force on 30th November as part of its NIS2 transposition.
- Smaller Member States: For smaller EU countries, resource constraints and limited expertise pose significant obstacles. These nations are seeking support from the EU and larger member states to bolster their cyber security capabilities.
The 23 member states yet to fully transpose NIS2 are Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Greece, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland and Sweden.
UK Position
The UK is expected to adopt components of the NIS2 Directive through updates to its cyber security legislation, notably the proposed Cyber Security and Resilience Bill, which aims to be compatible with NIS2 and other new EU regulations. This effort aims to enhance the resilience and security of critical infrastructure by expanding the scope of sectors covered, including digital services and supply chains. The bill emphasises improved risk management practices, mandatory incident reporting, and increased regulatory oversight. It seeks to strengthen cooperation between the public and private sectors to address cyber threats more effectively. By aligning with the key principles of the NIS2 Directive, the UK aims to safeguard its national infrastructure while maintaining strong cyber security standards post-Brexit.
How Organisations are Getting Ready for NIS2
Organisations within NIS2 scope are adopting different approaches, and with varying levels of urgency compared to other impending legislation such as DORA, which applies from 17th January 2025. Some are holding off on major changes until NIS2 is transposed locally, while others are proactively conducting comprehensive gap analyses against frameworks such as ISO 27001 and NIST CSF to pinpoint weaknesses and raise their maturity. Although no specific method is mandated, a proactive stance on security and compliance is generally advisable: the directive's core obligations (risk management measures, incident reporting and management accountability) are set at EU level and will not change materially with local transposition.
Budget is clearly a significant factor in NIS2 compliance efforts, according to BlueVoyant's discussions with organisations on readiness. While some organisations have planned for and secured funding specifically for their NIS2 projects, many have had to reallocate funds from other planned projects or from areas such as recruitment. Despite these concerns, some organisations do not appear to be in a state of panic and believe that their current measures will satisfy regulators. Regardless, NIS2 should be viewed as an impetus for organisations, especially those in previously lightly regulated sectors, to enhance their security.
Looking to the Future
The successful transposition and implementation of the NIS2 Directive holds the promise of a more secure and resilient European digital landscape. As member states continue their efforts, several trends and potential developments are worth noting:
- Increased EU Support: The EU is likely to enhance its support for member states, particularly those facing resource constraints. This support could take the form of funding, expertise sharing, and capacity-building initiatives.
- Emergence of Best Practices: As countries implement the directive, best practices and success stories will emerge, providing valuable insights for others. These examples can serve as blueprints for effective transposition and compliance.
- Enhanced Public-Private Partnerships: Collaboration between the public and private sectors will be crucial for effective implementation. Governments and businesses will need to work together to share information, develop innovative solutions, and respond to cyber threats.
- Focus on Emerging Technologies: The directive's implementation will likely spur increased attention to emerging technologies such as artificial intelligence, the Internet of Things (IoT), and 5G. Ensuring these technologies are secure from the outset will be a priority.
- Ongoing Evolution of Cyber Threats: Cyber threats will continue to evolve, necessitating an adaptive and forward-looking approach to cyber security. The NIS2 Directive is a significant step, but ongoing vigilance and innovation will be essential.
- Global Implications: The NIS2 Directive's success could set a precedent for international cyber security standards. As the EU strengthens its cyber security posture, other regions may look to adopt similar measures, contributing to a more secure global digital ecosystem.
Conclusion
The transposition of the NIS2 Directive across Europe represents a critical juncture in the EU's efforts to enhance cyber security. While challenges persist, the directive's successful implementation promises a more secure and resilient digital future for the EU. By fostering collaboration, sharing best practices, and prioritising emerging technologies, member states can navigate the complexities of transposition and ensure the directive's objectives are realised. As the EU continues to lead in cyber security, its efforts will have far-reaching implications, not only for Europe but for the global community.
If you are uncertain about your organisation’s NIS2 compliance requirements, or require support in achieving them, please contact us.