The NIS2 Directive: Strengthening Cybersecurity Across Europe

The NIS2 Directive (Directive (EU) 2022/2555) marks a significant step in improving cybersecurity resilience across the European Union. As cyber threats grow more sophisticated, the directive sets out new requirements for organizations providing essential and important services, ensuring a high level of cybersecurity across all member states. This post provides a high-level overview of the directive, its general requirements, and how its implementation varies across Europe, with a focus on Belgium’s approach.

General Overview of NIS2

The NIS2 Directive builds upon its predecessor, the NIS1 Directive, by addressing gaps and inconsistencies in cybersecurity measures across EU member states. The key goals of NIS2 include:

- Expanding the scope: NIS2 covers a broader range of sectors, including digital services, healthcare, and public administration.
- Stronger security requirements: Organizations must adopt risk-based security measures, including incident response, supply chain security, and access control.
- Harmonized reporting obligations: Entities must report significant cybersecurity incidents within 24 hours for early warnings and within 72 hours for full reports.
- Stricter enforcement: National authorities will have stronger supervisory and enforcement powers, including fines for non-compliance.

Under the directive, EU member states were given 36 months from its adoption (December 2022) to transpose it into national law. This means all member states were expected to fully implement NIS2 by October 17, 2024.

These measures aim to ensure that organizations across Europe adopt a proactive and resilient approach to cybersecurity.

Belgium’s Local Implementation

Belgium has fully integrated the NIS2 Directive into national law as of October 18, 2024. The Centre for Cybersecurity Belgium (CCB) oversees its implementation, ensuring compliance for entities operating in Belgium. Key elements of Belgium’s approach include:

- Scope & Registration: Organizations must determine if they fall under NIS2 obligations using the NIS2 Scope Test Tool provided by the CCB.
- Sector-Specific Deadlines: Digital sector entities must register by December 18, 2024, while other NIS2 entities have until March 18, 2025.
- Cybersecurity Risk Management: Organizations must adopt risk-based security measures, aligned with the CyberFundamentals (CyFun®) framework.
- Incident Reporting: Significant incidents must be reported to Belgium’s Computer Security Incident Response Team (CSIRT) promptly.

Belgium’s structured approach, with clear deadlines, places it ahead of many EU countries that have yet to finalize their national laws. This provides greater regulatory certainty for organizations operating in Belgium, while in other EU countries, businesses may face uncertainty or delays in compliance obligations.

Status of NIS2 Implementation in Other EU Countries

While Belgium has moved quickly to align with NIS2, other EU member states are at varying stages of implementation. Some countries have adopted national laws similar to Belgium’s, while others are still in the legislative process. Key updates include:

- Belgium: Adopted the law on **October 18, 2024**, with clear deadlines for compliance.
- Germany: The Federal Government approved the draft law transposing NIS2 on **July 24, 2024**. The law is currently under review by the Federal Parliament and is expected to take effect in **early 2025**.
- France: A draft law was presented to the **Council of Ministers on October 15, 2024**, but is still pending approval in Parliament.
- Netherlands: A draft bill to amend current laws was published for public consultation between May and June 2024, but further legislative processes are ongoing.
- Other EU Countries: As of November 2024, 23 member states, including Germany, France, and the Netherlands, received formal notices from the European Commission for failing to fully transpose NIS2 by the October 17, 2024 deadline.

Consequences for Countries Without a Finalized Bill

For countries that have not yet finalized their NIS2 transposition into national law, several challenges and consequences arise:

1. Regulatory Uncertainty: Businesses in these countries lack clarity on their specific compliance obligations, as national interpretations of NIS2 may vary. This creates difficulties in preparing for necessary security measures.
2. Potential EU Penalties: The European Commission has already issued formal notices to 23 member states for failing to meet the October 17, 2024, transposition deadline. If these delays persist, infringement procedures could follow, leading to fines or legal actions.
3. Competitive Disadvantage: Countries like Belgium, which have clear deadlines and structured compliance processes, offer businesses greater certainty and stability. Organizations in countries without finalized laws may face a slower compliance process, potentially leading to increased cybersecurity risks and regulatory burdens in the future.
4. Delayed National Enforcement: While the NIS2 Directive is legally binding at the EU level, enforcement at the national level requires proper legislation. Without it, authorities may lack the means to supervise compliance or impose penalties effectively.
5. Cross-Border Complexity: Multinational companies operating in both compliant and non-compliant countries may have to navigate different timelines and requirements, adding to administrative and operational challenges.

Belgium’s clear and structured implementation timeline puts it in a favorable position compared to other European countries still facing legislative delays. This gives Belgian companies a regulatory advantage, ensuring earlier compliance while other businesses in Europe may still be navigating legal uncertainties.

The European Commission and ENISA (European Union Agency for Cybersecurity) continue to monitor implementation efforts, ensuring all member states meet their obligations.

Key Takeaways for Organizations

1. Assess Your Status: Use national tools, such as Belgium’s NIS2 Scope Test, to determine if your organization falls under NIS2.
2. Register on Time: Meet national deadlines to avoid penalties.
3. Implement Cybersecurity Controls: Adopt risk-based security measures, including supply chain security and access control.
4. Prepare for Incident Reporting: Establish protocols to report incidents to national CSIRTs within the required timeframe.
5. Monitor EU-wide Updates: As regulations evolve, stay informed on how different countries implement NIS2 to ensure compliance.

The NIS2 Directive represents a major shift in Europe’s cybersecurity landscape. While implementation varies by country, the overarching goal remains the same: strengthening cybersecurity resilience across the EU. Organizations must act now to align with national regulations and enhance their cybersecurity posture.

Local Sources

- Centre for Cybersecurity Belgium (CCB): [https://ccb.belgium.be](https://ccb.belgium.be)
- Safeonweb\@Work - NIS2 Information: [https://atwork.safeonweb.be/nis2](https://atwork.safeonweb.be/nis2)
- ENISA (European Union Agency for Cybersecurity): [https://www.enisa.europa.eu](https://www.enisa.europa.eu)
- European Commission - NIS2 Directive: [https://digital-strategy.ec.europa.eu/en/policies/nis2-directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive)
- Hogan Lovells on NIS2 in Germany: [https://www.hoganlovells.com/en/publications/the-nis2-directive-in-germany-looking-ahead](https://www.hoganlovells.com/en/publications/the-nis2-directive-in-germany-looking-ahead)
- Wavestone on NIS2 Transposition in Europe: [https://www.wavestone.com/en/insight/nis-2-european-countries-transposing-directive](https://www.wavestone.com/en/insight/nis-2-european-countries-transposing-directive)
- European Commission Notice on Non-Compliance: [https://digital-strategy.ec.europa.eu/en/news/commission-calls-23-member-states-fully-transpose-nis2-directive](https://digital-strategy.ec.europa.eu/en/news/commission-calls-23-member-states-fully-transpose-nis2-directive)