NIS2 deadline day – current state of play

Today, Thursday 17 October 2024, marks the European Union’s (EU) deadline for Member States to transpose the flagship cyber security directive NIS2 into national law, strengthening cyber rules for critical infrastructure all entities that provide essential or important services to the European economy and society,

NIS2 is a significant piece of legislation that provides legal measures aimed at increasing the overall level of cyber security across organisations within the EU. 

The NIS2 Directive, which succeeds the original NIS Directive, expands its scope to new sectors and places greater focus on governance and accountability, cyber security risk management, incident reporting, and supply chain security.

Only a handful of countries such as Belgium and Croatia will meet the EU's transposition deadline, while other Member States such as the Netherlands have stated that they will need more time.

Commenting on the deadline and what it means for those organisations affected by NIS2, Executive Principal Consultant Mick Flitcroft said:

“In our latest Global Cyber Policy Radar, we explore not only these differences in timings, but also the likely variations between how the rules are adopted and implemented at a national level.

"While NIS2-regulated entities operating across multiple EU countries must keep on top of these nuances, this does not mean that they should ‘sit back and wait’ for national laws to be implemented before taking action to comply. Indeed, compliance with NIS2 is unlikely to be an easy ‘tick box’ exercise, but rather will require investment in a well-considered long-term security programme.

"In addition, early indications from those Member States who have made good progress toward implementing NIS2, such as Belgium, suggest that regulatory frameworks will be aligned to existing standards such as the NIST CSF and ISO 27001. Therefore, organisations can and should be planning and acting toward compliance now.”