Market Intelligence
Cybersecurity EU Government, Law and Regulation

EU Cybersecurity NIS2 Directive to be transposed into National Law by October 2024

EU Member States shall transpose Directive NIS2 into national law by October 17, 2024, and apply those measures from October 18, 2024. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2) was adopted on December 14, 2022 and entered into force on January 16, 2023. It replaces the cybersecurity legal framework of Directive (EU) 2016/1148 (NIS1) of 2016, strengthening risk-management measures, streamlining incident-reporting obligations, and expanding the scope and the sectors covered.

According to Article 1, the Directive lays down obligations comprising:

a)    The adoption of national cybersecurity strategies and designation or establishment of competent authorities, cyber crisis management authorities, single points of contact on cybersecurity, and computer security incident response teams (CSIRTs);

b)    Cybersecurity risk-management measures and reporting obligations for entities covered in Annex I or II, and entities identified as critical entities under Directive (EU) 2022/2557;

c)    Rules and obligations on cybersecurity information sharing;

d)    Supervisory and enforcement obligations.

NIS2 applies to "entities concerned," which are classified into two categories, essential and important, based on the size of the entity and the services it provides, as defined in Annexes I and II. Annex I defines the sectors of high criticality: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II covers other critical sectors: postal and courier services; waste management; manufacturing, production, and distribution of chemicals; production, processing, and distribution of food; manufacturing; digital providers; and research. Member States must establish the list of essential and important entities by April 17, 2025, and update it at least every two years, or more frequently if needed. Essential entities are subject to proactive (ex ante) supervision, including regular audits and inspections, while important entities are supervised reactively (ex post), for example in response to evidence of non-compliance.

Under NIS2, entities concerned must notify the CSIRT or the designated competent authority of significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact; an incident notification within 72 hours, with an initial assessment of severity and impact and indicators of compromise where available; an intermediate report on request; and a final report not later than one month after submitting the incident notification. An incident is considered significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Penalties for failure to meet the security requirements or reporting obligations include non-monetary remedies (such as compliance orders and binding instructions), criminal sanctions where provided for by national law, and administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities and up to EUR 7 million or 1.4% for important entities. Management bodies can also be held liable for infringements.

Further Resources
•    To follow developments in cybersecurity in Europe, please visit EC Cybersecurity Policies and ENISA (the European Union Agency for Cybersecurity).

Compiled by CSEU on July 31, 2024. For additional information, please contact Office.BrusselsEC@trade.gov.