EU Member States Face Deadlines for Cybersecurity Regulations Amid Compliance Challenges

Missed Deadlines for Cybersecurity Regulations in the EU

As of today, 17 October, most EU member states are poised to miss the crucial deadline for implementing regulations designed to safeguard critical entities against cyber-attacks. Concerns are also mounting regarding the potential fragmentation of these regulations across the region. According to a report by Euronews last week, the European Commission has only received confirmations of compliance from Belgium and Croatia regarding the transposition of the Network and Information Security Directive, known as NIS 2. A spokesperson for the Commission stated on 16 October that, as of this week, Italy and Lithuania had also partially adopted the new rules.

Countries such as Germany, the Netherlands, Sweden, and Czechia are in the process of drafting relevant legislation, while others like Ireland, Greece, and Spain are lagging further behind in the implementation process.

Objectives of NIS2

The regulations, approved in 2022, aim to enhance the protection of critical entities—including sectors such as energy, transport, banking, water, and digital infrastructures—against significant cyber incidents. NIS2 will replace the previous NIS1 framework, which the Commission criticized for failing to effectively improve the cyber resilience of businesses operating within the EU and for not promoting collaborative crisis response efforts.

NIS2 introduces a more stringent timeline for incident reporting, mandating that organizations provide a warning within 24 hours and submit a detailed incident report within 72 hours whenever they experience a serious operational disruption.

Compliance Challenges

Diverse approaches to compliance are emerging among member states. For instance, Denmark plans to update its regulations on a sector-by-sector basis, initially focusing on the energy sector. Some governments, including France, have expressed concerns over a lack of awareness among companies now subject to these rules, particularly given the expanded scope—from 500 entities under NIS1 to potentially 15,000 under NIS2.

Businesses are expressing apprehension regarding the fragmented implementation of these regulations and the challenges posed for providers operating across multiple markets. EurEau, which represents both private and public national drinking and wastewater service providers, has voiced concerns about the delays experienced by member states. Its Secretary General, Oliver Loebel, remarked to Euronews that “it remains unclear in many countries which water operators will be covered by the directive. We anticipate significant variations in implementation between Member States, which is concerning.”

He further noted that the water sector may require financial assistance to implement necessary measures, a form of support that is far from guaranteed. Smaller operators, in particular, may face difficulties in accessing cybersecurity expertise. “We trust that existing resilience strategies, such as water safety plans, can be integrated into broader resilience frameworks,” Loebel added.

The Software Alliance (BSA) has echoed these concerns, emphasizing that its members are worried about the discrepancies in timelines and reporting obligations across Europe. “There are significant concerns. The EU Commission has yet to publish the implementing regulation concerning ‘incident reporting,’ which is a core aspect of NIS2. Without that clarity, it becomes challenging for businesses to fully grasp their obligations, and the window for compliance is rapidly closing,” BSA stated.

Impact on SMEs

The European DIGITAL SME Alliance has raised alarms about the potential impact on the tens of thousands of small and medium-sized enterprises (SMEs) that may be affected due to their involvement in the supply chains of larger companies governed by the NIS2 rules. “There is a lack of clarity regarding how companies should secure their supply chains. Absent clear guidance, it is challenging for entities to prepare adequately. There is a prevailing concern that, in the absence of other recommendations, organizations needing to secure their supply chains will default to the same requirements as NIS2, irrespective of the inclusion of a risk-based approach,” the association commented.

NIS2 also establishes penalties for non-compliance, including fines of up to €10 million or 2% of global annual revenue. Moreover, senior management can be held personally accountable for security breaches resulting from negligence, indicating that the responsibility for cybersecurity policy will extend beyond IT departments.
