
It was recently announced by the government of the Netherlands that they will not introduce the necessary legislation to enact The Network and Information Systems Directive 2 (NIS2) before the deadline of 17th October, 2024. This follows on from the news coming out of the UK in the King’s speech in November that the UK would most likely not be updating its new cyber laws, which would closely align to NIS2 in certain areas, before 2025.


In Ireland, the legislative landscape is unclear, with no draft legislation presented before the Dáil as of yet, making it uncertain whether the Irish government will meet the October deadline to legislate for the European Directive, as set out by Brussels.

Despite these delays across Europe, government officials have encouraged organisations that fall within the scope of NIS2 to begin preparing for the legislation immediately.

The Minister of Justice and Security in the Netherlands, Dilan Yesilgöz-Zegerius, outlined the position in the Dutch update on January 31st, where it was announced that the legislation would not be ready in 2024. She said: “It also remains important that companies and organisations do not wait until the new laws and regulations are fully clear, but take measures now to protect the continuity of their business processes. Organisations that take action now will not only protect themselves against existing risks, but will also be better prepared for the arrival of the new legislation.”

“Some organisations are already subject to obligations under current laws and regulations, such as the Network and Information Systems Security Act (Wbni). In addition, the CER and NIS2 directives prescribe a number of concrete measures for which companies and organisations can already prepare,” she added.

With regard to the Irish position on NIS2, this is not the first time that the legislature has had difficulty in meeting its obligations with regard to EU Directives. The original NIS Directive was published in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument, four months after the EU deadline of 9th May to adopt and publish these regulations.

In addition, the implementation of the GDPR in 2018 was passed by the Dáil on 18th May 2018 and signed into law by the President on 24th May, just one day before the deadline of 25th May set out by Brussels.

As with NIS, there is a potential for the Irish government to introduce a statutory instrument that would allow them to meet the deadline set out in NIS2 without having to enact legislation before this date.

Regardless of the legislative landscape, the Directive will come into force across the EU in October and all organisations that are in scope need to put plans in place to be compliant.




To read the EU directive on NIS2 in full:

The Government response on delaying NIS2 in the Netherlands can be found here (NL): Nieuwe Commissievoorstellen en initiatieven van de lidstaten van de Europese Unie | Tweede Kamer der Staten-Generaal

