The Network and Information Security Directive 2 (NIS2) is an EU-wide framework that represents a significant strengthening of cybersecurity defence across the EU in response to growing cyber threats. It expands the scope of covered entities and introduces stricter requirements for cybersecurity practices and incident reporting.
NIS2 was informed by many new and varying threats to key aspects of regional, national and supra-national infrastructure. Its origins in the EU came from a recognition of these threats and from surveys of the collective defences that exist across the Member States.
This much-anticipated update replaces the NIS1 directive, in place since 2016, and passed into EU law on January 16, 2023. Its transposition into national law has been sporadic: Member States were given until 17 October 2024 to transpose NIS2, and only four met the deadline.[1]
Ireland, yet to comply, pre-paid a €4.5 million fine in July last year for its failure to meet the October deadline. When asked during a recent Parliamentary Questions session to confirm when the Irish transposition legislation (the National Cybersecurity Act) would be completed and passed into law, the responsible Dáil minister gave an answer of refreshing honesty that amounted to: who knows?
Recognising the importance of NIS2, many IT professionals have been referring to the EU Official Journal text to inform strategic decisions and investments while awaiting transposition in their Member States. While we expect some additions, we have assumed that the detail and intent of the directive will remain largely unchanged as it passes through the national legislative process. A set of checklists derived directly from the directive and its accompanying implementing technical standard has been available in CalQRisk software for some time.
(Partial CalQRisk NIS2 Compliance Check)
Fully implementing NIS2, and establishing the controls to maintain and regularly verify compliance, is not a simple process and will require coordinated effort between IT and OT personnel. On the other hand, a gap analysis against the requirements may be all that is needed to scope the body of work many organisations will have to undertake to achieve compliance.
The hard questions in this, as in any implementation plan, are the ‘All and Always’ ones:
- Do all the people always do things the way the process or control says it must be done?
- Are all the systems and the equipment that makes them up always fit for purpose?
Ireland is not the only EU nation that has, so far, not completed the transposition. At the time of writing, only 11 of the 27 are over the line, and three of those only since the European Commission issued a ‘reasoned opinion’ (a formal request to comply with EU law) to 19 Member States on May 7th last.
Could there be a pan-European concern that passing this legislation makes legally binding the obligation to update and upgrade legacy systems, equipment and skills, at a potentially enormous cost? Identifying the issues is only the first step in the process; there is much work to be done.
[1] https://ecs-org.eu/activities/nis2-directive-transposition-tracker/