European companies anxious over non-implementation of EU cyber rules

Most EU member states are set to miss an implementation deadline falling today (17 October) to implement rules to protect critical entities against cyber-attacks and organisations are also concerned about fragmentation of such rules. 

Euronews reported last week that the European Commission had so far only received confirmations from Belgium and Croatia on transposition of the Network and Information Security Directive (NIS 2). A spokesperson for the Commission said on 16 October that as of this week Italy and Lithuania had also partially implemented rules. 

Countries including Germany, the Netherlands, Sweden and Czechia have draft laws pending, while others like Ireland, Greece and Spain are further behind in the process.

The rules were approved back in 2022 with the aim to protect critical entities, such as energy, transport, banking, water and digital infrastructures, against major cyber incidents. It will repeal NIS1 which – according to the Commission – failed to improve cyber resilience of businesses operating in the EU, and did not promote joint crisis response.

NIS2 introduces a new timeline for reporting incidents – with a warning to be given within 24 hours and an incident report delivered within 72 hours – whenever a company faces serious operational disruption.

Difficulties with compliance

Countries are adopting different approaches. Denmark for example will look at updating the rules on a sectoral basis and will start its compliance with the energy sector. 

Some governments, including the French, warned about the lack of awareness among companies that now fall within the rules, as well as the increased scope: rising from 500 entities concerned under NIS1, to 15,000 possibly affected under NIS2.

Businesses in turn are worried about the fragmented implementation of the rules, and challenges of compliance for providers operating in multiple markets. 

EurEau, the European Federation of National Associations of Water Services, which represents private and public national drinking and wastewater service providers, said that the member states’ delays cause some worries. 

Its Secretary General, Oliver Loebel, told Euronews that “it remains unclear in many countries which water operators will be covered by the directive, and we anticipate that it is likely that there will be significant variations between Member States, which is concerning.”

“The water sector may require financial support to implement all the necessary measures, but this support is far from guaranteed. Smaller operators, in particular, may struggle to access and engage cybersecurity experts. We also trust that existing resilience strategies, such as water safety plans, can be integrated into broader resilience frameworks,” he added.

Software lobby group BSA shares the concerns. It said in a statement to Euronews that its members are worried about the lack of alignment on timelines and entities to which the reporting should be done across Europe .

“There are some significant concerns. The EU Commission still has not published the implementing regulation on “incident reporting,” a major element of NIS2. Without that clarity, it is difficult for businesses to fully understand what is required of them, and the window for compliance is shrinking fast,” BSA said.

European DIGITAL SME Alliance worries about the tens of thousands SMEs that potentially will be affected if they are in the supply chain of larger companies that fall under the NIS2 rules.

“There is a lack of clarity regarding how companies should secure their supply chains. Without clear guidance, it is difficult for companies to prepare, and there is a concern that in the absence of other recommendations, entities needing to secure their supply chains will default to the same requirements as the NIS2, regardless of the inclusion of a risk-based approach,” the association said in a statement.

ADVERTISEMENT

NIS 2 also comes with penalties for non-compliance: fines of up to €10 million or 2% of global annual revenue. In addition, senior management can be held personally liable for security breaches caused by negligence, which means that responsibility for cybersecurity policy will go beyond IT departments.