With just a week left until the EU’s new cybersecurity rules take effect, only Belgium and Croatia have fully or partially adopted the Network and Information Security Directive 2 (NIS2). This crucial legislation aims to protect critical sectors like energy, transport, and banking from cyber threats. The remaining 25 EU countries face a race against time to implement these measures, which include strict reporting requirements and potential fines of up to €10 million for non-compliance. Industry experts warn of widespread unawareness among affected entities, highlighting the urgent need for action to bolster the EU’s cyber resilience in an increasingly digital landscape.
A pressing deadline
As the 17 October deadline approaches, the EU faces a significant challenge. The NIS2 Directive, which updates cybersecurity rules established in 2016, requires member states to enhance their cybersecurity frameworks. This directive demands a high level of preparedness from member states, necessitating the establishment of Computer Security Incident Response Teams (CSIRTs) and national network and information systems (NIS) authorities. Yet, only Belgium and Croatia have made significant strides towards compliance.
The stakes of non-compliance
Non-compliance with the NIS2 Directive carries severe consequences. Companies failing to meet the directive’s requirements may face fines of up to €10 million or 2% of their worldwide revenue, whichever is higher. These stringent penalties underscore the EU’s commitment to bolstering cyber resilience. However, the challenge lies in the widespread lack of awareness among entities now under the directive’s scope. A French parliamentary report indicates that many of the nearly 15,000 entities affected by NIS2 are unaware of the compliance measures required.
Increased vulnerability in key sectors
The urgency to adopt the NIS2 Directive is amplified by recent findings on cybersecurity vulnerabilities within the EU. A report released on 10 October 2024 highlights critical vulnerabilities in the telecommunications and energy sectors, with supply chain weaknesses in 5G networks and renewable energy infrastructures being particularly concerning. These vulnerabilities, coupled with a shortage of cybersecurity professionals, pose significant risks to the EU’s cyber infrastructure.
To address these vulnerabilities, the EU has proposed comprehensive measures, including continuous risk assessments and resilience-enhancing strategies. Member states are urged to conduct self-assessments in line with the NIS2 and CER cybersecurity directives, aiming to improve collective cyber situational awareness and supply chain security. The impending implementation of the Digital Operational Resilience Act (DORA) by January 2025 further underscores the EU’s commitment to enhancing cybersecurity across critical sectors.