NIS2 Directive in the EU: An imminent deadline, insufficient preparation

Dr. Martin J. Kraemer, Security Awareness Advocate at KnowBe4, gives his advice on where organisations can start to act now, with the NIS2 regulation impending.

While EU member states must transpose the Network and Information Systems Directive 2022 (NIS2) into their national law by 17 October 2024, not all appear ready to meet this deadline. The directive imposes ten security measures intended to strengthen the cyber resilience of critical infrastructure, including business continuity management, cyber risk management, supply chain security, and training and education.

Differences between EU countries in the implementation of the NIS2 Directive 

Some member states have already transposed the directive into their national legislation and are preparing to apply compliance measures from October 2024. Others, such as France, Denmark and the Netherlands, have announced that they will only implement it at the beginning of 2025. Germany, for its part, is very unlikely to meet the deadline, because its national legislation is still pending.

The differences in how the directive is implemented are also significant. For example, France explicitly includes local authorities in scope, which is not the case in Germany. As the UK has left the EU, its regime also diverges from NIS2, though UK businesses operating in the EU will still have to meet NIS2's requirements. The UK has extended the reach of its own NIS legislation to include managed service providers (MSPs) in a bid to raise cyber resilience, and has broadened the scope of incidents that require reporting.

These variations have left many pan-European organisations struggling to understand the directive and its differing implementations across the EU.

Organisational Confidence and Readiness 

According to a study by