The deadline for Member State implementation of NIS2 is less than a month away, but the majority of Member States we surveyed are likely to miss this deadline. This raises practical compliance challenges for multinationals in Europe, but there are concrete steps organisations can and should take now to prepare.
NIS2 repeals and replaces the NIS Directive and harmonizes the EU’s existing cybersecurity framework. It imposes more onerous cybersecurity obligations on entities in a wider range of sectors and, as discussed in more detail in our post New Cybersecurity Law Regulates Far Beyond Critical Infrastructure, has an extremely broad scope. Member States must transpose NIS2 into local laws by 17 October 2024. A handful of Member States have already implemented NIS2, and there are often important differences in the scope of national regimes. However, as shown in our survey below, many jurisdictions are likely to miss this deadline. Multinational organisations therefore should start their compliance efforts based on the NIS2 Directive itself and its transposition in the Member States where national legislation is either enacted or nearly final, while building in flexibility and monitoring to react to further implementing acts.
Much of the commentary around NIS2 has focused on its onerous incident reporting requirements, employee training, and technical protection against attacks. However, there is more to consider. The most common questions we hear from organisations, and key initial considerations against this still-shifting legislative background, are set out below.
- How do we determine whether we are in scope?
- What do the new obligations mean in practice, particularly for employee training?
- What is the management liability risk under NIS2?
To address those questions, and wider compliance with NIS2 and related obligations under the patchwork of existing and new national law, organisations need a clear plan to address immediate and longer-term obligations. This plan should cover the following key actions:
- Scope: determine which specific entities in your corporate group are in scope of NIS2 itself or national implementing legislation, bearing in mind the need to continuously monitor new legislation and adjust your approach.
- Registration: prepare to register as a covered entity where required.
- Technical requirements: translate the technical requirements in NIS2 and implementing legislation into concrete actions for your IT security team.
- Flow down: amend contracts with suppliers to ensure compliance through your supply chain.
- Reporting obligations: understand the onerous timescales for reporting under NIS2 and take proactive steps to be ready to comply rapidly in the event of an incident (and align this with parallel notification regimes, such as those under data protection law).
- Documentation: ensure you have fully documented your compliance efforts.
- Management oversight: consider how you will ensure management oversight is informed and effective.
This compliance program must take into account the broader cybersecurity and operational resilience landscape, from existing sector-specific regulation to future related legislation like the Critical Entities Resilience Directive. Subscribe to our Connect on Tech Blog to receive our updates on NIS2 and other data, cyber and technology-related developments, or contact a member of our European Data & Technology team.