The European Commission has threatened 23 EU countries with potential fines over their failure to implement the Network and Information Security (NIS2) Directive into national laws.
Cyber law expert Stuart Davey of Pinsent Masons said the lack of national implementing legislation for NIS2 is hampering business efforts to comply with the new regime.
NIS2 builds on the original NIS directive, which took effect in the EU in 2018, and imposes cybersecurity risk management and incident reporting obligations on in-scope organisations under a tiered system of regulation. EU member states had until 17 October 2024 to implement the directive into their national legislation, but only four met the deadline.
The Commission said it had opened “infringement procedures” against 23 states – including Germany, France, Spain, Ireland, the Netherlands and Luxembourg – “for failing to fully transpose the NIS2 Directive”.
“Full implementation of the legislation is key to further improving the resilience and incident response capacities of public and private entities operating in these critical sectors and the EU as a whole,” the Commission said. “The Commission is therefore sending letters of formal notice to the other 23 member states concerned that now have two months to respond and to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.”
The issuing of a reasoned opinion would represent the second stage in the Commission’s infringement procedure. A failure of a member state to act in accordance with a reasoned opinion can result in matters being escalated to the EU’s highest court. Continued non-compliance thereafter can result in fines being imposed.
“Because NIS2 is a directive, EU member states have latitude to determine how they wish to implement the directive’s requirements into their respective laws,” Davey said. “The lack of finalised legislation is currently creating uncertainty for organisations that consider themselves to be in scope of NIS2, in particular those multinational companies operating across various EU countries. It is hoped that this announcement from the Commission may prompt more member states to fully transpose NIS2.”