Out-Law Analysis 7 min. read
14 May 2025, 3:28 pm
Businesses should not delay their own plans to comply with stricter cybersecurity laws in force in the EU just because most EU member states have still to confirm the specific requirements they will need to meet in national legislation.
Delays in the implementation of the EU’s second Network and Information Security Directive (NIS2) were brought into sharp focus recently when 19 of the 27 EU member states were publicly censured for failing to transpose the directive in their own jurisdictions – more than six months after the deadline for doing so expired. Germany, Ireland, Spain, France, the Netherlands and Luxembourg are among the 19 countries that have missed the deadline.
The European Commission could yet lodge infringement proceedings against countries that delay NIS2 implementation much further, with the possibility thereafter that the EU courts levy fines.
The NIS2 regime significantly expands the number of organisations subject to EU cybersecurity obligations, but for businesses that now find themselves in-scope, the lack of finalised national implementing legislation creates uncertainty over precisely what action they need to take to ensure compliance.
As we explore below, however, doing nothing will expose in-scope businesses to risk. There are actions they can take now to prepare for the NIS2 regime taking effect.
NIS2 establishes a harmonised legal framework for the regulation of minimum cybersecurity standards across the EU. It expands and builds on the framework established by the first Network and Information Security Directive (NIS1), which came into effect in the EU in 2018.
NIS2 imposes significant obligations on in-scope entities. Among other requirements, NIS2 introduces:
A wide range of sectors – comprising critical and important entities – are affected, ranging from energy, transport and other types of traditional critical national infrastructure (CNI), through to technology providers, certain manufacturers, healthcare and postal services, and many more in between. The type of organisation potentially in scope is therefore very broad.
It is difficult to pinpoint a single, overarching cause of the delays, owing to the unique legislative procedures of each EU member state. It is possible that governments simply underestimated the complexity of the transposition process, and waited too long to commence the drafting and parliamentary hearing processes.
Further, in the current complex geopolitical climate, transposition simply may not have been a high enough priority for national governments, with recent electoral and political difficulties across the EU potentially having complicated an otherwise straightforward implementation process. The European Commission could also have misjudged the complexity of the task of implementing the directive, and the time it would take to do so.
Whatever the cause of the delays, it is by now looking increasingly likely that NIS2 will not be fully transposed across the EU until much later this year at the earliest – more than two years after the directive itself came into effect.
Unlike EU regulations, which enter into force across the EU on a prescribed date, from which point they have direct effect and are legally binding in all member states, EU directives must be individually transposed by each member state – often through a protracted legislative process – before the requirements become legally binding on those within their scope. Accordingly, the practical effect of the delays is that NIS2 obligations will not be fully applicable in an EU member state’s jurisdiction until its government has fully transposed the directive.
Member states also have a degree of latitude as to how exactly the broad requirements of an EU directive will be legislated for in their country. This means that, until the final transposition legislation is written down, organisations do not know exactly what the legal framework will be. Accordingly, the delays in transposing NIS2 continue to create uncertainty.
In Pinsent Masons’ experience, the response of organisations to these transposition delays has been varied. Some organisations have adopted a “wait and see” approach, taking limited action until final legislation is in force. Others have commenced extensive NIS2 compliance programmes, but with the awareness that the goalposts may shift as to the specific requirements as laws are introduced.
There are logical reasons for this varying approach, from different organisational cultures and attitudes to risk, to differences in the sophistication of an organisation’s cybersecurity programme. Other factors include whether the entity was already in-scope of NIS1 or whether it is having to adjust to an entirely new framework under NIS2, as well as the progress of transposition across individual member states – implementation for organisations that operate in one or a small number of EU member states is likely to be more straightforward, while those that operate across multiple member states will navigate a more challenging implementation experience.
However, on any view, the lack of legal certainty as to what is required of organisations across the EU is unhelpful for business. For large-scale covered organisations with operations in many or all jurisdictions across the EU – some of which have transposed the directive, with others months off doing so – the inconsistent implementation of NIS2 has placed them in the difficult position of having simultaneously to comply with overlapping and inconsistent cybersecurity regulatory regimes.
Moreover, the inconsistent transposition across the EU has compounded the uncertainty that exists in the NIS2 directive text. This is most notable in two areas.
First, the NIS2 directive text lacks clarity as to how group organisations are affected. For multi-jurisdictional organisations with complex intra-group operations and business activities, the NIS2 text is unclear as to how NIS2 obligations apply in reality, in circumstances where certain parts of the business might fall in a sector within scope, whilst other parts do not. This will be exacerbated if different member states have different requirements for business operations existing in multiple jurisdictions.
Secondly, NIS2 has extraterritorial application. It captures non-EU entities that carry out activities within the EU. However, for complex multinational businesses, how this operates in practice is not always clear from the text of the directive itself. Again, this uncertainty is compounded by the lack of clarity as to how different member states will legislate for organisations not based in that country.
The transposition delays may, to a certain extent, have afforded companies additional time to strengthen their understanding of the directive and their obligations under it, ensuring that, for example, the entire company, and not just legal, regulatory or compliance teams, are aware of the changes and the company’s obligations.
While it may be tempting, however, for organisations to scale back the implementation of unfinished compliance regimes in response to the transposition delays, the lack of updates and evidence of progress coming from many EU member states’ governments should not be mistaken for legislative inertia.
The progress of draft legislation through government legislatures can be as unpredictable as it often is slow. Organisations that deprioritise the implementation of NIS2 compliance regimes may find themselves on the wrong side of the directive if the relevant government announces that the transposing legislation will be implemented sooner than initially thought. While governments will usually give affected entities within their own jurisdiction time to ensure their compliance, they may be reluctant to do so in circumstances when organisations have known about the substantive requirements of the directive for almost two years – and particularly if the European Commission escalates matters and countries face fines being levied on a daily basis for continued delay in implementation, as is one potential outcome.
Accordingly, it is important for organisations to be closely monitoring the progress of NIS2 transposition in the jurisdictions in which they operate and further ensure that compliance regimes are ready to be implemented in those jurisdictions. Where organisations have already identified that they are in scope of NIS2, or likely to be, then it would be prudent to have put compliance plans in place, even if those programmes may not be running at full steam pending further clarity on the legal position.
Documenting decisions will also be important. In the event of any enforcement action by a national authority, we anticipate that more leniency will be afforded to those organisations that have carefully considered their NIS2 obligations and opted to take a proportionate risk-based approach in the absence of the full legislative position, as opposed to those that have not even started to consider their cybersecurity position.
Ultimately, whilst NIS2 may, by some, be considered nothing more than an additional regulatory burden, businesses should reflect on the fact that the overarching intent behind NIS2 is to improve cybersecurity standards across the EU. There is likely to be considerable benefit in using the directive – even with the current uncertainty – as an impetus to usher in cyber improvement processes. The benefits in doing so, and reducing the likelihood of cyber attack, will be familiar to all senior decision-makers within an organisation given the prevalence of such incidents and the profile they often attract.
Inaction will likely increase organisations’ vulnerability to attack by cyber threat actors – with any reputational damage caused by those attacks being compounded by the organisation’s failure to have implemented NIS2-compliant cybersecurity measures in the ample time that it had to do so.
A version of this article was first published by Data Guidance.