17.10.2024

Rat Running Instead of the Fast Lane? NIS2 Delay Slows Down EU Cybersecurity

Today was supposed to be the day. The NIS2 Directive, which has been in force since January 2023, was to be implemented into national law by all EU Member States by 17 October 2024. However, it has been clear for some time that Germany will not meet this deadline. And now?

So far, only Belgium, Hungary, Latvia and Croatia have adapted their national laws accordingly, so Germany is at least not the last of the 23 remaining EU Member States. Several of them, including France, Denmark and the Netherlands, have announced delays, so transposition there is unlikely before early 2025 at the earliest. The reasons vary by country and range from political uncertainty to the sheer scope of the legislative adjustments required.

The difficulty is by no means, as one might assume, the complexity of the "new" rules in the NIS2 Directive. On the contrary: organisations that already practise information security and risk management can fall back on established best practices. The catalogue of minimum requirements is largely in line with standards such as ISO 27001. What is new is that specific security measures are now laid down directly in the law. Previously, sector-specific Security Catalogues and industry standards governed the regulation of critical infrastructures, while the law itself only required compliance with the "state of the art". Now the requirements for strengthening cybersecurity are imposed on tens of thousands of obligated entities across all NIS2 sectors in an unambiguous and largely harmonised manner.

A climb to the executive level

NIS2 also unequivocally mandates unconditional management responsibility, making cybersecurity a top priority. While most companies already consider cybersecurity important, it is only with the NIS2 Directive that responsibility for it can no longer be delegated to technical experts or IT departments alone; it is anchored directly at management level. Managers and boards are now legally obliged to oversee and take responsibility for the implementation of security measures. As with the General Data Protection Regulation, this includes personal liability for managing boards that fail to ensure their company complies with the requirements. Cybersecurity is thus no longer just an operational task but a strategic issue that is prioritised at the highest level: a real paradigm shift, as cybersecurity is now treated as an essential part of corporate governance.

Procrastination is costly

However, as long as transposition of the NIS2 Directive continues to be delayed, there is little incentive to firmly anchor the necessary measures in companies and public institutions. The BSI's evaluation of the previous IT Security Act, carried out in spring 2023, made clear that the legal requirements are seen as a significant improvement to security: 83 per cent of critical infrastructure operators considered full implementation of all legal IT security requirements to be "very important" or even "extremely important".

The delay in embedding the NIS2 rules in the German legal framework is creating uncertainty. Many internationally active companies do not know exactly which measures they must take in which country, and from which date, in order to comply. One example: if a security incident occurs in Germany but has to be reported to the Belgian supervisory authority because the company has its EU headquarters there, it could face a fine that a purely domestic competitor would be spared. With fines of up to 10 million euros or 2 per cent of annual worldwide turnover (whichever is higher) at stake for non-compliance with the security requirements, this is a considerable risk for managing boards.

The good comes before the perfect

Time is of the essence, not only from a technical but also from a legal and economic perspective. To strengthen cybersecurity across Europe in a sustainable way, it is crucial that the NIS2 Directive is implemented as quickly as possible. Practice over the next few years will show where adjustments and improvements are necessary. In view of the draft implementing act currently being circulated by the EU Commission, which defines specific thresholds for when a security incident counts as "significant" for the digital service provider sector, this practical test may well be painful. Industry representatives regard some of the benchmarks as out of touch with reality and inappropriate, with outliers in both directions: either so lax that in practice no incident would ever be reported, or so strict that dozens of reports would be triggered every day for which there is no reason at all from an operational security perspective.

The cybersecurity landscape is dynamic and constantly evolving, and regulatory measures must be equally flexible and adaptable. Only through rapid implementation of NIS2 and the practical experience gained from it can we ensure that future threats are recognised and addressed in good time. The perfect must not become the enemy of the good.
