The deadline for Member State implementation of NIS2 is less than a month away, but the majority of Member States we surveyed are likely to miss this deadline. This raises practical compliance challenges for multinationals in Europe, but there are concrete steps organisations can and should take now to prepare.

NIS2 repeals and replaces the NIS Directive and harmonizes the EU’s existing cybersecurity framework. It imposes more onerous cybersecurity obligations on entities in a wider range of sectors and, as discussed in more detail in our post "New Cybersecurity Law Regulates Far Beyond Critical Infrastructure", has an extremely broad scope. Member States must transpose NIS2 into local laws by 17 October 2024. A handful of Member States have already implemented NIS2, and there are often important differences in the scope of national regimes. However, as shown in our survey below, many jurisdictions are likely to miss this deadline. Multinational organisations therefore should start their compliance efforts based on the NIS2 Directive itself and its transposition in the Member States where national legislation is either enacted or nearly final, while building in flexibility and monitoring to react to further implementing acts.

Much of the commentary around NIS2 has focused on its onerous incident reporting requirements, employee training, and technical protection against attacks. However, there is more to consider. The most common questions we hear from organisations, and key initial considerations against this still-shifting legislative background, are set out below.

  • How do we determine whether we are in scope?
  • What do the new obligations mean in practice, particularly for employee training?
  • What is the management liability risk under NIS2?

To address those questions, and wider compliance with NIS2 and related obligations under the patchwork of existing and new national law, organisations need a clear plan to address immediate and longer-term obligations. This plan should cover the following key actions:

  • Scope: determine which specific entities in your corporate group are in scope of NIS2 itself or national implementing legislation, bearing in mind the need to continuously monitor new legislation and adjust your approach.
  • Registration: prepare to register as a covered entity where required.
  • Technical requirements: translate the technical requirements in NIS2 and implementing legislation into concrete actions for your IT security team.
  • Flow down: amend contracts with suppliers to ensure compliance through your supply chain.
  • Reporting obligations: understand the onerous timescales for reporting under NIS2 and take proactive steps to be ready to comply rapidly in the event of an incident (and align this process with parallel notification regimes, such as those under data protection law).
  • Documentation: ensure you have fully documented your compliance efforts.
  • Management oversight: consider how you will ensure management oversight is informed and effective.

This compliance program must take into account the broader cybersecurity and operational resilience landscape, from existing sector-specific regulation to future related legislation like the Critical Entities Resilience Directive.

Author

Kathy Harford is the Lead Knowledge Lawyer for Baker McKenzie’s global IP, Data & Technology practice.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Beat König is an associate of Baker McKenzie's IP and Technology Team in Vienna. Beat advises multinational and domestic clients on telecommunications law, software licensing, data protection, IT outsourcing, patent law, trademark law, copyright, cyber security, e-commerce matters and related litigation.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Caroline Serbanescu is an Associate at the Brussels office of Baker McKenzie.

Author

Milena Hoffmanová heads the Prague office's Pharmaceuticals & Healthcare group. Her practice covers pharmaceuticals and healthcare matters, compliance, general commercial law, administrative law, as well as data protection and privacy law matters.

Author

Dušan Hlavatý heads the IPTech practice in Baker McKenzie Prague and is a member of the Prague core M&A team. Dušan deals with, among other things, privacy issues, telecommunication matters, cyber security, digital media, gaming, e-commerce, IP and technology projects.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Marlyse Lissan joined Baker McKenzie in July 2021. Marlyse is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, Internet and telecommunications.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Michaela advises German and international companies on all aspects of information technology law, data protection law and IT contract law, as well as on e-commerce and IT/data litigation-related matters. Her practice covers in particular advising companies on issues concerning domestic and cross-border data privacy law.

Author

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Nathalja Doing is an associate in Baker McKenzie Amsterdam's Intellectual Property, Information Technology & Communications and Commercial practice groups. She is part of its IP and IT subgroups and the multidisciplinary Privacy Team. Nathalja has particular knowledge of various aspects of law and technology, specifically GDPR, platform laws, content regulation and IP.

Author

Martyna advises clients on personal data protection and IP law. She is experienced in representing individuals and entrepreneurs in court proceedings. Martyna has also provided current legal consultancy for businesses, including in employment law.

Author

Radoslaw Nożykowski is a Counsel in the IP Tech/Compliance & Investigations departments at Baker McKenzie's Warsaw office. He has over 15 years of professional experience working for clients from the technology, finance, media and healthcare sectors. He is recommended by Chambers Europe and Legal 500 in the area of TMT (including privacy compliance).

Author

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author

Peder Oxhammar is Head of Baker McKenzie’s Intellectual Property Group in Stockholm. Mr. Oxhammar practices mainly within the field of intellectual property with special focus on patents, contentious matters, strategy and licensing. He advises clients in a wide range of industries in Sweden, including pharmaceuticals, white-goods, electronics, and defense.

Author

William Höglund is a member of Baker McKenzie’s Intellectual Property and Data & Technology Practice Group in Stockholm. William focuses his practice mainly on intellectual property, IT and privacy law.
