Today is the Deadline for NIS2, So What?

As of today, October 17, 2024, the deadline for the EU’s Network and Information Security Directive 2 (NIS2) has officially arrived. However, only Belgium and Croatia have fully implemented the required cybersecurity measures into national law​.

This is worrying, as many critical sectors, including energy, utilities, healthcare, and transport, are now at risk due to the lagging implementation.

Only Two Countries Reported Back

In a report published by Euronews, it was revealed that only two EU member states, Belgium and Croatia, have adopted the cybersecurity requirements mandated by NIS2. This leaves the vast majority of EU nations lagging behind, despite the urgent need to protect critical national infrastructure (CNI) from cyberattacks. As we move beyond the deadline, most nations have failed to meet even the basic reporting requirements, creating a patchwork of preparedness levels across Europe.

According to a recent BankInfoSecurity report, the reasons for this sluggish progress vary, but the risk to CNI remains high, leaving a large portion of Europe vulnerable to cyber threats​. NIS2 was meant to enhance the security of sectors critical to the smooth running of society, such as financial services, water, energy, healthcare, and transport. However, with only two countries adhering to the deadline, the broader European cybersecurity landscape remains exposed.

What Happens Now?

The immediate question is: What are the consequences for those countries that have not yet complied? The answer is not simple. While fines and penalties may eventually be imposed, the immediate impact will be felt in the form of regulatory uncertainty. Businesses in sectors such as energy, , utilities, healthcare, and finance, may now face cybersecurity risks with limited governmental guidance or frameworks.

In the short term, the European Commission is likely to pressure non-compliant member states to accelerate their adoption of the directive. Some have cited the complexity of integrating NIS2 with their existing national laws as a reason for delay. For companies operating in critical sectors, the responsibility is on them to ensure that they follow cybersecurity best practices, regardless of whether their governments have passed NIS2 into law.

Reasons for Delay

Several factors have contributed to the slow adoption of NIS2:

1. Complexity of Requirements: NIS2 is more expansive and includes a wide range of industries, which has proven challenging for some member states to interpret and incorporate into their legal systems. Governments have found it difficult to tailor broad EU directives into specific national laws.
2. Lack of Resources: Smaller EU countries and those with less developed cybersecurity infrastructure have struggled to meet the NIS2 requirements. Setting up the necessary monitoring systems, incident reporting frameworks, and national cybersecurity agencies takes time and money—resources not every state has at its disposal.
3. Regulatory Challenges: Each member state has its own regulatory framework, and harmonizing these with the new NIS2 directive has been a complex task. Even countries with well-developed cyber regulations have faced difficulties adjusting to the expanded scope of NIS2, which covers more sectors than the original directive.
4. Coordination Issues: The directive also requires significant collaboration between private and public entities. Governments need to work closely with private companies in critical sectors, many of which are still in the process of ramping up their cybersecurity capabilities to comply with the NIS2 standards.

Industrial and Critical Infrastructure at Risk

The most concerning aspect of this delay is the increased risk for industrial and critical national infrastructure (CNI). Cyberattacks on CNI have risen in recent years, with hackers targeting industrial control systems (ICS), energy grids, water supplies, and healthcare facilities. NIS2 was designed to address these vulnerabilities, but without swift adoption, these critical sectors remain exposed.

The energy sector, for example, is particularly vulnerable. European energy companies, including those managing electricity grids and oil and gas pipelines, are prime targets for ransomware attacks and nation-state hackers. The consequences of a successful attack could be catastrophic, leading to widespread blackouts, environmental damage, or even loss of life.

Similarly, the healthcare sector has seen a significant uptick in cyber incidents. With many healthcare systems already strained by resource limitations, the failure to implement NIS2 leaves hospitals and medical facilities vulnerable to attacks that could disrupt patient care or compromise sensitive data.

What Can Be Done?

While the EU Commission continues to urge member states to comply, industries operating in critical sectors must not wait. Regardless of whether NIS2 has been implemented in a country’s law, companies in energy, healthcare, and other critical sectors should be proactive. Adopting robust cybersecurity practices, conducting risk assessments, and improving incident response protocols should be prioritized.

For now, the EU’s cybersecurity future hangs in the balance. The slow pace of NIS2 adoption is concerning, particularly for industries at the heart of national security and public safety. The hope is that member states will accelerate their efforts in the coming months, but for now, the question remains: “If not now, when?”