A rough start for NIS2
While the deadline for national transposition of NIS2 was set for October 17, 2024, France, through ANSSI, has decided to give the companies concerned three years to comply, subject to certain requirements.
This difficult start to compliance is not unique to France. A recent study indicates that critical security incidents could have been avoided had the issue been given more attention.

As a reminder, in order to comply with the NIS2 directive, companies must implement essential measures, such as defining incident response plans, securing the supply chain, and assessing vulnerabilities and overall security levels. This also applies to all branches and subsidiaries, partners, and members of the supply chain.
A recent study [1] conducted by Censuswide for Veeam reveals that 90% of European companies surveyed as part of this compliance exercise reported at least one security incident in the last twelve months that could have been prevented by the directive.
What remains worrying is that 44% of respondents have experienced more than three cyber incidents in recent months, 65% of which were described as “very critical.”
Key obstacles behind the slow start of NIS2
Among the main challenges cited by IT decision-makers surveyed in this study are technical debt (24%), lack of understanding on the part of senior management (23%), and insufficient budgets and investment (21%).
The slow pace of NIS2 compliance is also likely linked to the multitude of commercial pressures and priorities facing businesses today.
The companies surveyed ranked the NIS2 directive lowest in terms of urgency and priority, well behind ten other issues such as skills shortages, profitability, and digital transformation.
Furthermore, 57% of them doubt that NIS2 will have a significant impact on the EU's overall cybersecurity posture.
France is not the worst...
Of course, France is not the only European country that has failed to meet the deadline for transposing the directive into national law.
Other poor performers include Bulgaria, Portugal, Spain, and Estonia (the European epicenter of cybercrime), which have yet to make any progress in the transposition process.
Next come Denmark, France, Ireland, and Romania, which have begun their transposition projects. In this regard, France, through ANSSI, has granted the organizations concerned a three-year period to fully comply with this directive, provided that the bare minimum is done.
This minimum requirement includes the notification of cyber incidents, the sharing of information on investments made in cybersecurity, and the registration of the organization with ANSSI.

The best performers in the EU
The countries that have already submitted their transposition plans are Austria, Cyprus, the Czech Republic, Finland, Germany, Greece, Italy, Lithuania, Luxembourg, the Netherlands, Poland, Slovakia, Slovenia, and Sweden.
Among the best performers, i.e. the countries that have transposed the directive into national law to date, are Belgium, Hungary, Croatia, and Latvia.
ENISA assistance for the implementation of the NIS2 Directive
ENISA (European Agency for Cybersecurity) has launched a consultation with relevant entities on the best practice guide to assist with the technical and methodological implementation of the NIS2 Directive.
[1] This study was conducted among more than 500 IT and IT security decision-makers working in Germany, Belgium, France, the Netherlands, and the United Kingdom.


