Updated cyber rules enter into force in one week, but just two of the 27 member states have so far notified the European Commission about their national implementing laws.
ADVERTISEMENTOnly Belgium and Croatia have officially notified the European Commission about their transposition of updated EU cybersecurity rules for critical entities, a week before the deadline, a spokesperson for the Commission told Euronews.
“Thus far, the Commission has received notification of full transposition of NIS2 into national law by Belgium and of partial transposition by Croatia,” a spokesperson said without being able to give further comment, as “the process is ongoing”.
The remaining 25 countries have until 17 October, to implement the Network and Information Security Directive 2 (NIS2), which was approved back in 2022 with the aim to protect critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents.
Euronews reported in March that Croatia was the first, and only country, to have notified the Commission about their partial transposition. The status of the country remains the same.
Fines up to €10 million
The Commission proposed the overhaul of NIS1 – aimed at beefing up the resilience of network and information systems across Europe against cybersecurity risks – with the aim to keep up with increased digitisation and an evolving cybersecurity threat landscape.
According to a spokesperson for the EU executive, the first directive presented in 2016 failed until now to improve cyber resilience of businesses operating in the EU, and did not promote joint crisis response.
Companies need to issue a warning within 24 hours and deliver an incident report within 72 hours in case of incidents that cause serious operational disruptions.
In case of non-compliance, companies face fines up to €10 million, or 2% of worldwide revenue, whichever is higher.
Companies lack awareness
The French joint parliamentary committee for digital and postal affairs said in a report published last Thursday that while NIS 1 concerned nearly 600 entities, NIS2 will change the scale to nearly 15,000 entities in scope.
The committee consulted stakeholders including the national cybersecurity office, software producers and cloud associations between March and May, and concluded that the transposition deadline “raises a number of challenges” for companies that are now within the scope.
“The majority of the new entities concerned are not aware of the measures and the criteria that they will have to analyse themselves to determine their compliance,” it said.
It adds that “the bill has still not been presented to the Council of Ministers, and with the date of 17 October 2024 approaching, its future is uncertain.”
In Germany, too, the plan for the adoption of the implementing law is foreseen in early 2025.
Spanish
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
English
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Sundanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu