The deadline for the EU’s Network and Information Security 2 (NIS2) Directive to be incorporated into national laws is today (October 17), but experts have raised serious concerns about organizations’ readiness to comply with the rules.
During an Infosecurity Magazine webinar hosted just a week before the NIS2 deadline, many audience members said that they felt their organization is not fully prepared to comply with the directive.
Participants expressed confusion as to whether NIS2 applies to their organization – a huge concern given the rules apply from today.
Brian Honan, CEO of BH Consulting, said during the session: “Even though NIS has been around since 2016, I do think it’s one of those things that many organizations have paid lip service to but haven’t got into the spirit of.”
The original NIS directive applied only to certain “essential” sectors across the EU. These were energy, health, transport, drinking water, banking, digital infrastructure, financial market infrastructure and digital service providers.
The scope of the directive has been expanded with NIS2, passed by the EU in 2022, to add numerous other sectors defined as either “essential” or “important.” These are food, wastewater, manufacturing, waste management, postal and courier services, public administration, providers of public electronic communications networks or services, space research, ICT service management and chemicals.
The updated legislation is expected to impact about 150,000 large and medium-sized companies within the EU.
The provisions also apply to businesses that are part of the supply chain for these sectors, a requirement some are finding difficult to apply.
This includes businesses in the UK, many of which operate in or sell products into the EU market.
Sarah Pearce, partner at UK-based law firm Hunton Andrews Kurth, said she has also observed confusion among organizations as to whether they are subject to the requirements or not.
“I do think it is something a lot of organizations do struggle with in terms of analysis. It is not entirely clear if you’re affected just reading it on the face of it,” she noted.
Variation in Nation-State Implementation
Another significant concern regarding NIS2 readiness is that the implementation status among EU member states currently varies significantly, with many still not ready to transpose the directive into national law.
Tim Wright, Partner and Technology Lawyer at Fladgate, noted: “At one end of the scale, countries such as Belgium, Croatia, Hungary and Latvia have already adopted NIS2-compliant legislation, whilst at the other end, countries such as Bulgaria, Estonia, and Portugal appear to have made little to no progress in the transposition process.”
In addition, it has been reported that the NIS2 directive will not come into force in France on October 17 due to the dissolution of the French National Assembly on June 9.
Wright argued this variation could significantly impact NIS2’s effectiveness.
This issue adds further confusion for organizations as to whether they are impacted. Pearce noted that there is some scope for member states to further define which organizations are going to be subject to the rules.
In the absence of national legislation, the NIS2 directive will still take precedence. This will leave organizations potentially exposed to large penalties for non-compliance despite the law not being transposed by their own national legislature.
Urgent Need to Confirm Compliance Requirements
NIS2 introduces requirements across a range of areas, including incident response and reporting, supply chain security, data security and training.
Therefore, achieving compliance will require a significant investment for many of the new organizations impacted.
The directive imposes maximum fines amounting to €10m or 2% of global turnover for essential entities and €7m or 1.4% of global turnover for important entities.
Notably, NIS2 also imposes direct obligations and liability on senior management, raising the compliance stakes.
Keith Fenner, SVP and GM International at Diligent, emphasized that there could be major consequences if businesses fail to comply with NIS2 requirements.
"Previously, responsibility for cybersecurity was placed solely on IT departments, but with the latest developments in regulation, the entire organization is responsible. Governance, risk and compliance (GRC) teams must avoid tackling NIS2 compliance in siloes, instead ensuring transparency from the board to key departments," commented Fenner.
During the Infosecurity Magazine webinar, the panellists urged organizations that are unclear on whether they are impacted by the directive to urgently seek out external advice. This includes engaging with the relevant competent authorities and getting legal advice.
Pearce added: “You might not think that you’re subject to it given what your organization does, but actually indirectly by way of what your organization does you could be because of your customers.”