EU Member States had until today, October 17, 2024, to transpose the Network and Information Security (NIS) 2 Directive into their national laws. As Directives are not directly applicable in EU Member States, the EU legislator required all 27 Member States to incorporate into their local laws the requirements of NIS 2 and to make them binding on covered entities within their jurisdiction. However, a large number of EU Member States have missed the transposition deadline.

Our previous blog post discusses the requirements of NIS 2 in greater detail. In essence, the purpose of the new cybersecurity law is to expand the range of industry sectors as well as entities that are covered by the cybersecurity requirements set out by the existing framework (i.e., the NIS 1 Directive of 2016), introduce new incident reporting obligations, impose additional liability on management bodies of covered entities, and to set out in more detail the measures that organizations will need to take to ensure that they are managing their cybersecurity posture.

Thus far, only Belgium, Croatia, Hungary, Latvia, Lithuania, and Italy have passed laws implementing NIS 2. France, Austria, Germany, Luxembourg, the Netherlands, Sweden, and Ireland are among the EU countries where draft bills are still undergoing parliamentary review. In Bulgaria, Malta, Portugal, and Spain, so far, no action has been taken to transpose NIS 2.

While NIS 2 imposes minimum requirements for the EU Member States to implement, national lawmakers were also allowed to introduce further and, in some cases, stricter cybersecurity obligations. Global companies operating in several EU Member States should spend time now considering which Member States will regulate them pursuant to NIS 2, and pay particular attention to cybersecurity frameworks that may vary from one EU country to another. By way of example, Belgium, Hungary, and Latvia have already set different deadlines for companies to register and file specific documentation with local authorities. Ireland and Germany have designated their lead supervisory authorities but have also assigned selected tasks to various other sectoral regulators. In France, several statutes were proposed in addition to a transposition law, and the French cybersecurity regulator (l’Agence Nationale de la Sécurité des Systèmes d’Information) has already issued practical guidance for companies, pending the transposition of the NIS 2 framework into French law after the deadline of October 17. Moreover, incidents will have to be reported to EU Member States’ local authorities via different channels. Companies that suffer cross-border incidents should therefore consider the need to revise their incident response plans to ensure compliance.

As from tomorrow, companies that are established in EU Member States that have transposed NIS 2 (e.g., Belgium) must comply with applicable local requirements, such as incident reporting obligations, to avoid sanctions. Companies operating in EU Member States where NIS 2 has not been transposed are advised to monitor the adoption and entry into force of other national transpositions of the EU law, and to follow the recommendations and guidance of local cybersecurity authorities.