EU member states face cybersecurity directive deadline challenges

Businesses anxious over delayed cybersecurity regulations.


Many EU member states are set to miss the October 17 deadline to implement the Network and Information Security Directive (NIS 2), aimed at enhancing cybersecurity for critical sectors. Only Belgium, Croatia, Italy, and Lithuania have made partial progress, while others like Germany and the Netherlands have pending legislation, and countries such as Ireland and Spain lag further behind. The directive, approved in 2022, expands protections for sectors like energy, transport, banking, and water, and replaces the previous NIS1 directive, which failed to boost cyber resilience.

Businesses are concerned about the fragmented implementation and compliance challenges, particularly for companies operating across multiple markets. The European Federation of National Associations of Water Services (EurEau) warned that delays create uncertainty for water operators, who may need financial support to meet cybersecurity requirements. Similarly, the software lobby group BSA criticised the lack of guidance on incident reporting, a key aspect of NIS 2.

The European DIGITAL SME Alliance expressed worries for small and medium enterprises that might be impacted if they are part of larger companies’ supply chains under NIS 2. The directive mandates penalties for non-compliance, including fines of up to €10 million or 2% of global revenue, and holds senior management accountable for security breaches, signalling a shift in responsibility beyond IT departments.