
The European Commission announced on 17 October that its new Network and Information Security Directive 2 (NIS2 Directive) has been officially adopted and, from 18 October, will be enforceable by EU members.
The new regulations apply to critical entities such as data centre services, cloud providers, online marketplaces, search engines, and social media platforms, which must now comply with new security and notification requirements when it comes to reporting serious cyber incidents.
Andy Garth, ESET Director of Government Affairs, commented: “Yesterday was the deadline for EU Member States to transpose NIS2 into national law, marking a significant milestone. According to the timeline set by the directive, all organizations that fall under NIS2 should have started complying with their obligations from now. However, many EU Member States have not yet fully incorporated the directive into their national laws. To date, only Belgium, Croatia, Hungary, and Lithuania are in an advanced state of adopting NIS2 into their national legislation. Companies in these countries must now comply with it.
Other countries, including major ones like Germany and France, are expected to finalize their laws in the coming months. Once the national laws are in place, all affected organizations must self-report to their national authorities confirming they fall under NIS2, implement risk management measures, and meet reporting requirements. It is crucial for organizations to start preparing now, even if their country hasn’t yet finalized the national law transposing the NIS2 rules. Once national legislation is in place, organizations will need to be fully compliant without delay.”
To date, only Belgium, Croatia, Hungary, and Lithuania are in an advanced state of adopting NIS2 into their national legislation. Companies in these countries must now comply with it. Other countries, including major ones like Germany and France, are expected to finalize their laws in the coming months. However, these transpositions will not be straightforward. As NIS2 is a Directive rather than a Regulation, there will be some differences across the member states, reflecting national specificities.
Despite these differences, the core principles of NIS2 remain consistent across the EU. Once the national laws are in place, all affected organizations must self-report to their national authorities confirming they fall under NIS2, implement risk management measures, and meet reporting requirements. ESET products can assist organizations not only with advanced protection and detection but also with reporting and compliance obligations.
To learn more about NIS2, be sure to register for the ESET European Cybersecurity Day in Brussels, happening on November 20.
