How European countries are implementing new cybersecurity framework



EU countries are transposing the updated Network and Information Security Directive (NIS2), in force since January 2023, with varying degrees of progress. To provide an overview of the state of play, Euractiv interviewed Nicolas Sonder and Mailin von Knobelsdorff, cybersecurity experts at PwC.

State-sponsored cyber operations have become increasingly prevalent, and cyberattacks lead to financial losses, data breaches, reputational damage and industrial espionage, so greater cyber resilience is needed.

The NIS2 directive introduces additional cybersecurity risk-management and incident-reporting requirements for organisations considered essential or important to the functioning of society, including requirements on the ICT products and services they use. Member states have until 17 October 2024 to update their existing cybersecurity frameworks.

To determine whether their products and services fall within the directive’s scope, companies must, among other things, check which national laws apply in each EU member state where they operate and register with the relevant local authorities.

Best performers

According to the two experts, Hungary currently demonstrates the most advanced state of transposition. The reason is that the country expanded the scope of its NIS1 transposition and has thereby already partially transposed NIS2.

“Hungary has an existing law, ‘Cyber Security Certification and Cyber Security Supervision,’ which partially transposes NIS2 but is further being reviewed and amended to comply fully with NIS2 standards,” von Knobelsdorff said.

Many other member states have published draft bills or have folded the transposition into ongoing, thematically related legislative processes.

“The Czech Republic is also reviewing a draft bill but already had a solid basis. However, the draft bill outlines regulations beyond the obligations the NIS2 directive requires,” Sonder stated.

The Czech Republic is considering bringing lower-level government bodies into scope, which the NIS2 Directive does not require, demonstrating a stricter approach.

Germany released its second draft bill on the NIS2 transposition in July. The latest draft adds only a few amendments, such as the management liability and verification audits for essential entities that the directive requires.

“Germany has over-fulfilled the requirements of NIS1 and has already anticipated many of the requirements of NIS2,” Sonder emphasised. 

A third draft bill for the German transposition is currently under review; meeting the NIS2 criteria on reporting obligations, risk-management measures and the supervisory regime requires amendments to over 25 different laws and regulations.

“The country aims to tighten NIS2 by implementing reporting obligations for ‘important’ entities that do not meet the company size or turnover thresholds but belong to a specific sector, such as qualified trust service providers,” von Knobelsdorff added.


Mid-tier

In Ireland, the National Cyber Security Centre has released NIS compliance guidelines for operators of essential services (OES). These NIS1-era guidelines cover identifying, protecting against, detecting, responding to and recovering from cybersecurity risks.

“As such, the OES as of now don’t include the newly incorporated entities under NIS2,” von Knobelsdorff clarified.

Denmark is likely to implement the directive through executive orders, each with a compliance period of six months. Denmark is thus proceeding on a requirement-specific or sector-specific basis, with the first implementing executive order, covering the energy sector, expected this winter.

In Finland, the draft NIS2 legislation was open for consultation from the beginning of October to the end of November. Key authorities have not yet commented on supervision or on the required minimum level of cybersecurity. Still, the government aims to submit a proposal transposing the directive in the spring of next year.

The Dutch government will transpose the NIS2 Directive by updating its national Security of Network and Information Systems Act, in effect since November 2018, which sets out the statutory tasks of the Dutch National Cyber Security Centre.

The role of overall competent authority has been assigned to the Dutch National Digital Infrastructure Inspectorate. According to the National Cyber Security Centre, an online consultation in which organisations and individuals can respond to the draft legal text is planned for early 2024.


Laggards

Unlike the other countries, Poland has no NIS2 draft legislation yet. The country is still working on an amendment to the Polish Cyber Act.

“The Modification of the Polish Cyber Act aims for more cyber resilience through unifying cybersecurity incident reporting procedures and incorporating industry-led Information Sharing and Analysis Centers (‘ISACs’) into the national cybersecurity system,” von Knobelsdorff explained.

Norway’s implementation of NIS1 was expected this autumn through the introduction of the Norwegian “Digital Security Act”. While the Norwegian Justice Department has indicated that the implementation process is moving forward, Norway has not yet transposed either NIS1 or NIS2.

The Norwegian Parliament is in the legislative process of drafting a bill covering both transpositions. The latest hearing debate was scheduled for 5 December.

The United Kingdom’s regulatory updates are led by the Department for Digital, Culture, Media & Sport (DCMS). In consultation with the EU, the UK intends to align itself with NIS2. Still, it will not fully implement the directive, since the proposed reforms to its NIS1-based regulations are less extensive than the NIS2 obligations.

“What they’re doing is making changes in their existing cybersecurity laws, such as adding managed service providers to the scope of the NIS regulations, including more supply chain security-related policies, or increasing the incident reporting-related obligations,” Sonder explained.

The British parliamentary passage of these reforms is expected in the summer of 2024.

[Edited by Luca Bertuzzi/Zoran Radosavljevic]
