The EU’s Directive (EU) 2022/2555, more commonly referred to as NIS2, aims to raise the level of cybersecurity across the European bloc by requiring essential and important entities to implement more robust digital risk management practices and technologies.
Following on from GDPR, with its extraterritorial scope, NIS2 establishes a common set of cybersecurity requirements so that security measures are applied uniformly across Member States.
Under the 2016 NIS1 (Directive (EU) 2016/1148), the focus was largely limited to operators of essential services in transport, energy and similar infrastructure-heavy OT sectors, along with healthcare, plus a narrow set of digital service providers. NIS2 expands the scope to cover a much wider range of digital services and hardware, now including Managed Service Providers (MSPs) within certain domains.
The security requirements within NIS2 are more stringent and prescriptive than those in NIS1, and the timelines for incident reporting are significantly shorter (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month), forcing entities to react more swiftly to potential breaches.
Given the objective of creating a proactive pan-EU approach to cybersecurity, and the emphasis on cross-border cooperation, it might have been expected that NIS2 would be as detailed in its descriptions, definitions, articles and recitals as other EU Directives.
However, despite the intent to set a minimum baseline for cybersecurity in light of evolving threats and emerging technologies, NIS2 is rather loose and lacks the detail of earlier legislation.
Compounding the issue, national NIS2 implementation varies widely across Member States, with differing levels of progress and substantial differences in national laws, requirements, supervisory authorities and enforcement deadlines.
This creates compliance headaches, given the enhanced penalties and measures for NIS2 non-compliance, as the EU shifts towards greater cybersecurity accountability for critical service and product providers.
Per-country NIS2 supervision is thus fragmented, with each EU Member State appointing one or several cybersecurity authorities (e.g., the Centre for Cybersecurity Belgium, Malta’s Cyber Security Authority, the Netherlands’ NCSC) to oversee compliance and enforcement.
Further, in respect of non-compliance penalties, although most Member States adopt NIS2’s maximum fines of €10 million or 2% of global annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities), some add stricter powers, including personal liability for executives or far tougher audit regimes (e.g., France, Poland, Malta).
Of the 27 countries currently in the European Union, only a limited number have fully appointed and operational national NIS2 regulators or competent authorities, and the European Commission has sent official warnings to 19 Member States for delays in appointing competent authorities and transposing NIS2.
As a consequence, where your organisation operates in more than one EU territory, a carefully managed compliance programme is required to prevent unintentional regulatory breaches and the consequent financial penalties and knock-on audit costs.
For assistance in managing your European regulatory operating environment, whether NIS2, DORA or the EU AI Act, contact our team.
Main: +44 0203 286 7624
UK: +44 (0) 745 9264240
EU: +32 (0) 477 30 66 38