Only Belgium, Croatia adopt EU cyber rules for critical sectors, week before deadline

Only Belgium and Croatia have officially notified the European Commission about their transposition of updated EU cybersecurity rules for critical entities, a week before the deadline, a spokesperson for the Commission told Euronews. 

“Thus far, the Commission has received notification of full transposition of NIS2 into national law by Belgium and of partial transposition by Croatia,” a spokesperson said without being able to give a further comment, as “the process is ongoing.” 

The remaining 25 countries have until 17 October, to implement the Network and Information Security Directive 2 (NIS2), which was approved back in 2022 with the aim to protect critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents. 

Euronews reported in March that Croatia was the first, and only country, to have notified the Commission about their partial transposition. The status of the country remains the same. 

Fines up to €10 million

The Commission proposed the overhaul of NIS1 – aimed at beefing up the resilience of network and information systems across Europe against cybersecurity risks – with the aim to keep up with increased digitisation and an evolving cybersecurity threat landscape. 

According to a spokesperson for the EU executive, the first directive presented in 2016 failed until now to improve cyber resilience of businesses operating in the EU, and did not promote joint crisis response.

Companies need to issue a warning within 24 hours and deliver an incident report within 72 hours in case of incidents that cause serious operational disruptions.  

In case of non-compliance, companies face fines up to €10 million, or 2% of worldwide revenue, whichever is higher.

Companies lack awareness

The French joint parliamentary committee for Digital and Postal Affairs said in a report published earlier this month (3 October) that while NIS 1 concerned nearly 600 entities, NIS2 will change the scale to nearly 15,000 entities in scope.

The committee consulted stakeholders including the national cybersecurity office, software producers and cloud associations in the period March to May 2024, and concluded that the transposition deadline “raises a number of challenges” for companies that are now within the scope.

“The majority of the new entities concerned are not aware of the measures and the criteria that they will have to analyse themselves to determine their compliance,” it said.

It adds that “the bill has still not been presented to the Council of Ministers, and with the date of October 17, 2024 approaching, its future is uncertain.”

In Germany too, the planning for the adoption of the implementing law is foreseen in early 2025.