The European Union’s new NIS 2 cybersecurity directive, aimed at strengthening the cyber defenses of businesses across Europe, is off to a sluggish start as many member states failed to meet a key enforcement deadline. The directive, which officially became enforceable last Thursday, sets new, tougher standards for cybersecurity, including risk management, transparency obligations, and business continuity planning in the event of a cyberattack. However, research indicates that most EU member states have yet to fully adopt the directive into their national laws, leaving gaps in enforcement and raising concerns about the effectiveness of the regulation.
A Slow Start for a Crucial Directive
The Network and Information Security Directive 2 (NIS 2) builds upon an earlier version of the EU’s cybersecurity law, expanding its scope to address the rapidly evolving threats that have emerged in recent years. From ransomware attacks to data breaches, businesses across Europe have been increasingly vulnerable to cybercriminals. NIS 2 aims to mitigate these risks by holding companies to higher standards of cybersecurity practices and introducing new obligations.
Yet despite the urgency, only a handful of EU member states have successfully integrated the directive into their national legislation. According to a tracker from the DNS Research Federation, Portugal and Bulgaria have not even begun the transposition process, leaving their businesses unprotected by the new rules. This delay has sparked concerns that the directive’s potential to bolster cybersecurity across Europe will be undermined by uneven implementation.
Tim Wright, partner and technology lawyer at Fladgate, noted the varying pace of implementation across the EU. “The implementation status varies significantly across the bloc,” Wright said. “Bad actors may target countries lagging in their NIS 2 transposition or look for weaknesses in supply chains, targeting smaller, less-secure vendors and suppliers to gain access to larger, better-protected organizations.”
New Cybersecurity Standards: A High Bar for Businesses
The NIS 2 directive applies to a broad range of essential services, from banks and energy providers to healthcare institutions, internet service providers, and waste management companies. These businesses are now required to adhere to a stringent set of cybersecurity practices, with failure to comply resulting in substantial fines or even suspension of services.
One of the key changes under NIS 2 is the obligation for companies to report cyber vulnerabilities and incidents more quickly and transparently. In the event of a cyber breach, businesses have just 24 hours to notify authorities, a significant reduction from the 72-hour window allowed under the General Data Protection Regulation (GDPR). The directive also places a heavy burden on companies to vet their technology vendors, ensuring that third-party suppliers are not a weak link in their cybersecurity defenses.
For large companies, failure to comply with NIS 2 could lead to fines of up to €10 million ($10.9 million) or 2% of global annual revenues, whichever is higher. “Important” businesses, such as food and chemical companies, could face fines of up to €7 million or 1.4% of their global revenues. In addition to financial penalties, firms could also face closer supervision or even temporary suspension of services if they fail to meet the new cybersecurity standards.
Carl Leonard, EMEA cybersecurity strategist at Proofpoint, emphasized that NIS 2 aims to make cybersecurity a top priority for organizations that provide critical services. “NIS 2 makes it clear – large fines, possible suspension of service, and monitoring of compliance are being used as levers to encourage organizations responsible for critical services to pay attention to cybersecurity threats and their response to those,” Leonard said.
Implementation Challenges Across the EU
Despite the high stakes, many businesses are still struggling to get their cybersecurity systems in line with the new regulations. A major challenge is the uneven enforcement across EU member states, with some countries moving more slowly to adopt the directive into national law. As a result, businesses operating in multiple countries face a complex regulatory landscape, where cybersecurity rules and expectations may differ from one country to another.
Chris Gow, EU public policy lead at Cisco, highlighted the difficulties businesses are facing due to this inconsistent implementation. “The spotty nature of NIS 2’s implementation has been exacerbated by local adaptation of the law,” Gow said. “This creates discrepancies that can prove difficult to navigate, especially for smaller organizations with limited resources.”
For smaller businesses, these discrepancies can be particularly challenging, as they may not have the financial or technical capacity to comply with varying regulations across different countries. Gow recommended that businesses focus on identifying core cybersecurity practices that can help them meet the directive’s requirements across the board, rather than getting bogged down by local variations. “Rather than being overwhelmed by discrepancies in local adaptations of NIS 2, organizations should identify a common core of security controls and processes that stand them in good stead to both meet and demonstrate compliance at scale,” he said.
The Threat of Cyberattacks Looms Large
As European businesses work to bring their cybersecurity systems up to standard, the threat of cyberattacks remains ever-present. Cybercriminals are increasingly targeting smaller, less-secure companies within supply chains as a way to access larger organizations that have stronger defenses. This tactic, known as a supply chain attack, poses a significant risk to businesses that rely on third-party vendors.
“The effectiveness of NIS 2 as a regulation will largely depend on consistent implementation and enforcement across EU member states,” said Wright. “Bad actors may target countries lagging in their NIS 2 transposition or look for weaknesses in supply chains, targeting smaller, less-secure vendors and suppliers.”
Supply chain vulnerabilities have already been exploited in numerous high-profile cyberattacks, such as the SolarWinds attack in 2020, which saw hackers gain access to the systems of major companies and government agencies through a compromised software supplier. As NIS 2 comes into force, businesses will need to pay greater attention to their supply chains, ensuring that all vendors meet the same rigorous cybersecurity standards.
Looking Forward: Can NIS 2 Deliver?
While the new directive promises to significantly enhance cybersecurity across Europe, its success will depend on how quickly and effectively member states can adopt and enforce the regulations. With some countries still lagging behind in the transposition process, businesses in those regions may remain vulnerable to cyberattacks for some time.
Leonard from Proofpoint underscored the importance of consistent enforcement to ensure that businesses take cybersecurity seriously. “A baseline has been set in terms of risk management and mitigation measures, including incident handling, staff training, leadership accountability, and many others,” Leonard said.
As businesses navigate the challenges of implementing NIS 2, they will need to focus on creating robust cybersecurity systems that can withstand the growing threat of cyberattacks. For many, this will mean investing in new technologies, strengthening internal processes, and working closely with regulators to ensure compliance. But with the potential for significant fines and service suspensions on the line, businesses cannot afford to ignore the new directive.
In the coming months, the success of NIS 2 will be closely watched as businesses, governments, and cybersecurity experts assess its impact on the EU’s cyber resilience. If implemented effectively, the directive could serve as a critical tool in safeguarding Europe’s essential services from the ever-evolving threat of cyberattacks.
(Adapted from CNBC.com)