As of October 18, 2024, the Network and Information Systems 2 Directive (NIS2) has become effective, aiming to improve cybersecurity across the European Union (EU). However, many member states are struggling to meet the deadlines for transposing the directive into their national laws, which has created significant uncertainty for companies operating under its scope.
Here are some insights into NIS2’s current status, its implementation challenges, and how we are navigating this evolving regulatory environment.
What is NIS2, and why does it matter?
NIS2 is a follow-up to the original NIS directive and seeks to expand and strengthen the security of critical infrastructure and essential services across the EU. In a previous article, we outlined NIS2 requirements for EU member states and our industry. In short, NIS2 sets security requirements for industry segments within critical infrastructure and raises the overall level of cybersecurity, making it more robust. It matters because every day we hear new stories of cyber breaches at businesses, banks, and hospitals, and in the energy, transport, and digital sectors, where such breaches are more common than ever. This is just the tip of the iceberg.
But there’s a key difference between NIS2 and other forms of regulation in Europe. NIS2 is a directive, not a regulation. Directives require each EU member state to transpose them into national law, whereas regulations apply directly without local legislation. This difference is critical because while NIS2 is now in effect at the EU level, not all member states have completed implementing it at the national level.
Countries are falling behind in transposition
Many countries are behind schedule in transposing NIS2 into their legal frameworks, which has created uncertainty. Without national laws to follow, the exact requirements for businesses are often unclear.
This reminds me of a similar situation when implementing the 6 GHz spectrum regulation in Europe. The EU mandated that the spectrum must be made available across member states, but it was up to individual countries to implement the necessary laws. Many countries were slow to do so. This led to a confusing situation where businesses should be allowed to operate from a harmonized European perspective but still had to deal with all countries individually while the legal structures weren’t in place.
We’re seeing the same pattern for NIS2. But more importantly, while 6 GHz could simply be ‘switched off’ while countries were catching up, NIS2 is not an optional feature but is pervasive throughout a company’s operations. This leaves companies in a challenging position—wanting to comply but unable to do so because the legal framework is not yet complete.
The practical impact on our business and industry
So, what does this mean in practice? A simple example for the broadband industry is the requirement to register as an important entity. Under NIS2, important and essential companies must register with a national cybersecurity body. However, in many countries, the processes for this registration aren’t ready.
In the Netherlands, for instance, a consultation was conducted earlier this year to gather public feedback on implementing NIS2. However, even with the directive now in effect, the review of that feedback and the drafting of the law are still ongoing. This means that, despite the active directive, the legal infrastructure that would allow us to comply fully still needs to be put in place.
What this means for Genexis and our customers
At Genexis, the uncertainty surrounding NIS2 doesn’t fundamentally change how we approach cybersecurity. We’ve always prioritized and are fully committed to security as a core part of our business. The broader context of cybersecurity in Europe is also evolving. Other regulations, like the Cyber Resilience Act (CRA), were adopted on October 10, 2024, and complement NIS2. The CRA establishes mandatory requirements for the security of digital products, services, and processes over their entire lifecycle. While this regulation does not need to be transposed into national law once it enters into force, it also offers a transitional period for compliance of 24 months.
The fact that directives’ transposition is delayed and regulations define transitional periods should not be taken as an invitation to comply only at the last minute, but rather as an opportunity to implement early what can already be implemented. After all, the intent of the regulation is not to create more administrative burden but to provide real cybersecurity benefits to our customers and European consumers. Since lifecycles in the broadband industry typically last longer than three years, we address the NIS2 and CRA requirements together, working on them in parallel.
Our continued focus on cybersecurity
The current delays in NIS2 implementation will likely be resolved over time. Once the national laws are in place, our industry can comply fully, and the transition should be relatively smooth. In the meantime, we continue to focus on maintaining robust security practices at Genexis. A recent example is our partnership with F-Secure, as we are integrating their cutting-edge Sense technology into Genexis residential gateways to enhance home network security. By doing the right thing now, we’ll be well-prepared for when NIS2 is fully implemented nationally.
Although NIS2’s current status may create some uncertainty, the directive is clearly necessary to ensure a more secure digital future for Europe. As we wait for the final legal frameworks to be implemented, we remain diligent in safeguarding the digital infrastructure that connects us all.
Author: Maarten Egmond