Key Points
- The NIS 2 Directive's transposition deadline has passed, but many EU member states have not yet adopted it into national law.
- The directive imposes stricter cybersecurity requirements, including an early warning to the national authority within 24 hours of becoming aware of a significant incident (with a fuller notification due within 72 hours) and risk assessments of technology vendors.
- Fines for non-compliance can reach up to 10 million euros or 2% of global annual turnover, whichever is higher, for essential entities.
- Companies are advised to focus on common cybersecurity practices to meet compliance despite variations in local laws.
The European Union's new NIS 2 directive, aimed at strengthening cybersecurity measures across essential sectors, has had a slow start because many member states are late in adopting it. The deadline for transposing the directive into national law passed on Thursday (17 October 2024), and from that point businesses in scope are expected to operate stricter cybersecurity controls, risk management, and incident reporting. However, most EU countries have yet to write the directive into their national laws, raising concerns about uneven enforcement.
NIS 2 is a significant update to the EU's original Network and Information Security Directive (NIS), adopted in 2016 to improve the security of IT systems and networks. The updated version, proposed by the European Commission in 2020 and adopted in 2022, expands the scope to address newer cybersecurity challenges and includes tougher requirements for companies that provide essential services such as banking, healthcare, energy, and transport.
Under NIS 2, businesses must send an early warning to their national authority within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within a month. The 24-hour early warning is a tighter clock than the 72-hour window the EU's General Data Protection Regulation (GDPR) sets for notifying a personal data breach. Companies must also assess their technology vendors for vulnerabilities and share information on cyber threats with other organizations. The directive places a "duty of care" on businesses to be transparent about cyber vulnerabilities and hacks, even if that means admitting they were victims of a breach.
Despite the directive’s importance, research from the DNS Research Federation shows that countries like Portugal and Bulgaria have not started the transposition process, leading to potential enforcement gaps. Tim Wright, a partner at law firm Fladgate, emphasized that inconsistent implementation across the bloc could create opportunities for cybercriminals to exploit weaker member states.
The consequences for businesses that fail to comply are severe. Essential entities, including finance and transport companies, face fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities, such as food or chemical firms, could be fined up to 7 million euros or 1.4% of global annual turnover, again whichever is higher. Firms that do not meet the compliance standards could also face suspension of their services or certifications and closer supervision by the authorities.
Experts warn that while the regulations are comprehensive, their effectiveness depends on uniform enforcement across the EU. Chris Gow, Cisco’s EU public policy lead, noted that discrepancies in local adaptations of NIS 2 could complicate compliance for smaller companies. He advised organizations to focus on common cybersecurity practices that can be scaled to meet the directive’s requirements.