European Commission Initiates Legal Proceedings Against 23 EU Nations
The European Commission has launched infringement procedures against over 20 member states due to their failure to enact two pivotal cyber regulations aimed at enhancing the resilience of critical infrastructure within the European Union. This comes in response to missed deadlines for the implementation of rules that were intended to be operational by October 17.
Germany, France and Ireland, along with 20 other countries, have not yet integrated the European Union’s Network and Information Security Directive (NIS2) into their national laws. The NIS2 directive establishes essential obligations regarding cybersecurity risk management and incident reporting for organizations operating in crucial sectors, including finance, healthcare, energy, and IT.
In a formal statement, the European Commission indicated that letters of formal notice have been dispatched to these 23 member states, which are now required to respond within two months by confirming the directive’s implementation. Failure to do so may lead to the commission issuing reasoned opinions and potentially escalating the matter to the Court of Justice, which could impose compliance orders and fines against non-complying states.
In addition, the commission is seeking responses from 24 member states, including Germany, regarding their lack of risk assessments for critical infrastructure, as stipulated by the Critical Entities Resilience Directive. This directive notably broadens the definition of critical sectors from two to eleven.
The European Commission emphasized that the new rules are designed to ensure the continuous provision of vital services across sectors like energy, transportation, and digital infrastructure, while bolstering defenses against various threats, including cyber-attacks and natural disasters. It’s crucial for organizations within these sectors to understand the implications of this directive, as it lays down stringent compliance frameworks and risk management protocols.
NIS2 Implementation Status
Only six EU nations (Belgium, Croatia, Greece, Hungary, Latvia, and Lithuania) have successfully enacted the NIS2 directive into their national statutes. The German government is currently deliberating on its NIS2 national bill, having introduced its proposal just a week prior to the deadline. Meanwhile, France has encountered political disagreements that have delayed the finalization of its requisite regulations.
Most countries that missed the October deadline have indicated a timeline leading to compliance by March 2025. The NIS2 framework categorizes sectors into “essential” and “important” based on their operational impact and scale, recommending rigorous enforcement actions including security inspections and incident reporting within a constrained timeframe.
Non-compliance with these directives could lead to significant financial repercussions, with penalties for essential organizations reaching up to €10 million or 2% of their global annual revenue, whichever is higher. For organizations classified as “important,” penalties could amount to €7 million or 1.4% of their global sales.