CÉLINE GAUTHIER-MAXENCE
EUROPEAN CYBERSECURITY AND AI FRAMEWORK: TOWARDS PROACTIVE REGULATION FOR A SECURE DIGITAL FUTURE
ELIO MACHADO NETO
NIS 2: A BLUEPRINT FOR EU CYBERSECURITY HARMONISATION
Céline Gauthier-Maxence 1
Introduction
Today we live in a society where the number of connected devices is growing exponentially, reaching 1.8 billion in Europe.2 Cybersecurity risks are multiplying in step. Since 2015, the annual global cost of cybercrime is estimated to have doubled, reaching €5.5 trillion by 2020.3 The global market for artificial intelligence (AI) is already worth over $196 billion, and some experts in the field predict that the value of AI is set to increase 13-fold over the next 7 years, topping $1.81 trillion by 2030. Artificial intelligence is therefore expected to grow by 38.1% between 2022 and 2030.4 In view of these facts, a legislative framework for cybersecurity and AI is essential to secure the data used in these fields and prevent potential abuses.5 In this sense, European directives and regulations on cybersecurity and artificial intelligence play a crucial role in securing digital infrastructures and overseeing the use of emerging technologies (I). The rise of new digital technologies and the use of AI in ever wider fields means that the issues at stake are not only current, but will remain so in the future. It is vital to anticipate these challenges in both the short and long term (II).
1. Céline Gauthier-Maxence is a PhD student in law, specialising in health law and digital law, Université Jean Moulin Lyon 3, Ifross, CRDMS, a research engineer, CNRS, and a teaching assistant, Université Panthéon-Assas, Paris 2.
2. ‘Le monde de l’Internet des objets : des dynamiques à maîtriser’, Assessment of the environmental impact of digital technology in France and prospective analysis, study carried out by French ADEME (Agence de la transition écologique) & ARCEP (Autorité de régulation des communications électroniques, des postes et de la distribution de la presse), February 2022.
3. Virginie Bensoussan-Brulé et al, Le Data Protection Officer, 3e ed., Larcier, 2020.
4. ‘Les chiffres clés de l’IA en 2024 : Tendances et statistiques’, Vision IA by ITDM Group, 12 April 2024.
5. Céline Gauthier-Maxence, ‘Défis juridiques du droit de la santé à l’ère du numérique et de l’IA’, 2024, hal-04624585.
The European Union has introduced a number of legislative texts aimed at strengthening cybersecurity, including the Cybersecurity Act, the NIS Directive and the forthcoming NIS 2 Directive, as well as the REC Directive, the DORA Regulation, and the Digital Services Act and Digital Markets Act (A). The AI Act extends regulation to AI technologies and the services and organisations that use them (B).
The European Union has developed a robust regulatory framework to enhance cybersecurity, operational resilience, and digital market governance across critical sectors. Three pivotal components have to be examined: the Cybersecurity Act, which establishes a certification framework for ICT products and services (1), the NIS and NIS2 Directives, which strengthen security measures for essential services and critical entities (2), and the DORA Regulation alongside the Digital Acts, which bolster digital resilience in the financial sector and regulate large online platforms (3). Together, these initiatives aim to secure digital ecosystems, protect vital services, and promote fair competition within the EU.
Regulation (EU) 2019/881 (Cybersecurity Act)6 establishes a European certification framework for ICT (Information and Communication Technology) products. The European Union Cybersecurity Agency (ENISA) is responsible for implementing this framework and evaluating its effectiveness every five years. Implementing Regulation (EU) 2024/482, adopted in January 2024,7 clarifies standards for the assessment and certification of ICT products according to ‘substantial’ or ‘high’ levels of assurance. More specifically, this regulation is aimed at companies that design, develop and sell information and communication technologies (ICT). This includes hardware manufacturers, software publishers and ICT service providers. Member States must designate national certification bodies to assess and monitor ICT products, in line with the European Cybersecurity Certification Framework. The Cybersecurity Act establishes a European certification framework for ICT products. This framework is mainly voluntary, but some certification schemes may become mandatory for certain critical sectors or products. For example, ICT products used in sectors such as critical infrastructure (transport, energy) may be subject to more stringent requirements. ICT products can be certified to different levels of assurance (low, substantial, high) depending on the risks associated with their use. Companies must therefore ensure that their products meet the specific requirements of these levels. The regulation has been in force since 27 June 2019, but certain provisions concerning certification became applicable from 28 June 2021. The first certification system (EUCC) will be mandatory from 27 February 2025.
Directive (EU) 2016/1148 (NIS Directive)8 requires Member States to improve the security of networks and information systems for essential services such as energy, transport, and banking. In 2022, the NIS2 Directive9 was introduced to strengthen and harmonise security standards within the EU. For the time being, the NIS Directive concerns operators of essential services, i.e. companies in critical sectors such as banking, transport infrastructure, energy and healthcare, as well as digital service providers, i.e. online platforms, search engines and cloud computing services. Companies must implement technical and organisational measures to secure their networks and information systems. They must also report significant security incidents to the competent national authorities. Member States must designate national authorities to monitor compliance with the directive and take action in the event of non-compliance. Companies that fail to comply with the requirements of the NIS or NIS2 Directives are liable to penalties, which vary according to national regulations. The NIS2 Directive, adopted in 2022, strengthens these obligations by imposing enhanced security and stricter incident reporting. The NIS Directive has been in force since May 2018. The NIS2 Directive, adopted in 2022, is expected to come into force gradually, with compliance required by 2024 for most sectors. NIS2 consolidates its predecessor by targeting companies in critical sectors such as energy, transport, healthcare and digital infrastructure. However, it introduces a distinction between essential entities (EE), such as energy suppliers, and important entities (IE), such as postal services or agri-food companies. Covered entities must strengthen their cybersecurity measures, including supply chain risk governance. They are also required to promptly report any major cybersecurity incident to national authorities.10
6. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Agency for cybersecurity) and on cybersecurity certification of information and communication technologies and repealing Regulation (EU) No 526/2013 (Cybersecurity Regulation).
7. Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC).
8. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
9. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
The REC Directive11 is aimed at companies and infrastructures that provide services essential to maintaining the vital functions of society, such as energy, transport and healthcare. This includes critical entities of national and European importance. Critical entities will have to draw up plans to strengthen resilience in the face of physical and cyber threats. This includes setting up infrastructure protection systems, risk management protocols, and regular stress tests. The REC Directive is being implemented in coordination with the NIS2 Directive, ensuring that physical and cyber security are strengthened consistently across the EU. Member States must designate critical entities and transpose the directive into their legislation by October 2024.
The DORA (Digital Operational Resilience Act) Regulation is also a central piece of digital resilience regulation in the EU. DORA applies primarily to entities in the financial sector, including banks, insurance companies, asset management companies, financial services providers, and crypto-asset companies. Providers of services critical to these entities, such as cloud services, software or infrastructure services, are also covered. The DORA Regulation aims to ensure that EU financial institutions can withstand and respond to IT disruptions, cyber-attacks, and other digital risks. It sets harmonised standards across the EU for ICT risk management. Financial entities must put in place systems to manage ICT-related operational risks, including risk monitoring and mitigation procedures, business continuity plans, and resilience testing. DORA requires financial entities to closely monitor services provided by external providers, such as cloud services. Contractualization and verification obligations are in place to ensure that external providers comply with the same security standards. Companies must report any major incident affecting ICT to the relevant authorities within a defined timeframe. These incidents must be documented and rigorously followed up. DORA was published in the EU’s Official Journal in December 2022, and should be applicable from January 2025. Financial entities therefore have time to adapt their systems and procedures before digital resilience obligations are fully implemented. DORA is part of a broader set of measures to strengthen the digital operational resilience of financial institutions, complementing other cybersecurity frameworks such as NIS2. It focuses primarily on ICT risk management and the monitoring of third-party suppliers.
10. For more information: Elio Machado Neto, ‘Transposing NIS 2: A Blueprint for EU Cybersecurity Harmonisation’, published alongside the present article.
11. Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
The Digital Services Act (DSA)12 and the Digital Markets Act (DMA) are also noteworthy. The DSA applies to large online platforms (social networks, online marketplaces, etc.) and aims to regulate digital services. The DMA targets large digital companies, known as gatekeepers, such as major technology platforms. The DSA imposes strict obligations to protect users against illicit content and enhance the transparency of algorithms, in addition to making platforms responsible for content moderation. As for the DMA, it limits the power of the major platforms by imposing rules to guarantee fair competition and prevent abuse of dominant position. The DSA has applied since February 2024, and the DMA has been in force since 2022, but the first obligations are being applied gradually.
When it comes to AI, European regulation has recently been structured around Regulation (EU) 2024/1689, also known as the ‘AI Act’13, which came into force on 1 August 2024. It is aimed at companies developing, deploying or using artificial intelligence systems in the European Union. It concerns large companies as well as start-ups and SMEs. Companies that integrate or use AI systems in their operations (e.g. AI for recruitment, medical care) are also concerned. The text is the world’s first comprehensive legal framework governing AI and is based on a risk-based approach, classified into four categories. AIs that threaten fundamental rights, such as social rating systems, are totally prohibited, as they fall under ‘unacceptable risk’. AI systems used in critical sectors (recruitment, medical diagnostics, security) are subject to strict requirements for transparency, human supervision and risk management, and fall under ‘high risk’. Systems such as chatbots, falling under ‘specific transparency risk’, must inform users that they are interacting with AI. Finally, low-risk AIs, such as video games or spam filters, are not subject to any obligation, but voluntary codes of conduct may be adopted, insofar as they fall under ‘minimal risk’. The regulation is accompanied by the establishment of a European AI Office, responsible for overseeing general-purpose AI models, in coordination with competent national authorities. The regulatory framework also includes measures to foster innovation while protecting the fundamental rights of European citizens.
12. Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).
13. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act).
Although it came into force on 1 August 2024, not all its provisions are immediately applicable. Indeed, several deadlines are foreseen depending on the type of risk that AI systems may represent. For example, bans on certain AI systems deemed of ‘unacceptable risk’ are applicable within six months, while specific obligations for general purpose systems (GPAI) will come into force in 12 months. Other obligations, notably those concerning ‘high-risk’ systems, will be phased in over a period of up to 36 months.14 It should also be remembered that, as a regulation, the AI Act applies directly in all Member States without the need for formal transposition into national law, but competent national authorities will need to be designated to oversee its implementation. These authorities will work in coordination with the European Commission’s AI Office to ensure compliance with the regulation and manage market surveillance.15
These directives and regulations add to existing measures such as the GDPR16 and complete the European framework for cybersecurity and AI, digital risk management, and critical infrastructure protection. These texts impose strict compliance deadlines and concern a variety of sectors within the EU, with a gradual entry into force until 2025, under penalty of sanctions for States late in transposition or application (Commission v Belgium, Case C-543/1717; Commission v Republic of Austria, Case C-549/1818; Commission v Germany, Case C-270/0719). This consideration of European regulations and future technological developments therefore implies short- and long-term challenges for Member States and organisations subject to these future constraints.
In the face of rapidly evolving cybersecurity and artificial intelligence regulations, organisations are facing major challenges. We’ll look first at the issues looming a year or so ahead (A), then at the outlook for the next ten years and beyond (B), before exploring the example of a practical solution such as ‘by-design’ to comply with current standards while anticipating the future (C).
EU Member States must transpose the NIS 2 Directive into national law by 17 October 2024. Organisations must also prepare for new risk management and incident reporting obligations. Companies will need to step up staff training and awareness of cyber threats to comply with the enhanced standards. After national transposition, organisations will need to be fully compliant, or face sanctions. This includes implementing robust technical and organisational measures. Indeed, in addition to Member States, the Court of Justice of the European Union has no hesitation in directly sanctioning companies and organisations that fail to comply with European standards (Fashion ID, Case C-40/1720; Planet49, Case C-673/1721). Financial entities will also have to draw up plans to comply with the DORA, which will be applicable from 17 January 2025. On that date, the regulation will require a strengthening of digital operational resilience and ICT risk management.
14. Directorate-General for Communication, ‘AI Act enters into force’, 1 August 2024.
15. Mia Hoffmann, ‘The Finalized EU Artificial Intelligence Act: Implications and Insights’, CSET, 1 August 2024.
16. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
17. Judgment of the Court of Justice of 8 July 2019, European Commission v Kingdom of Belgium, C-543/17.
18. Judgment of the Court of Justice of 16 July 2020, European Commission v Romania, C-549/18.
19. Judgment of the Court of Justice of 19 March 2009, Commission of the European Communities v Federal Republic of Germany, C-270/07.
As far as AI is concerned, the AI Act is already in force, and is being applied progressively according to the degree of risk presented by each AI system. The current challenge is therefore to identify the AI systems in use and assess the associated risks, in order to provide a framework for potential future requirements, firstly under the AI Act, and secondly under future AI regulations. Depending on the AI systems they use, organisations therefore have a transition period to comply, ranging from 0 to 36 months from 1 August 2024. They must therefore prepare or directly apply strategies to meet the requirements in terms of transparency, data governance and risk management. This requires engagement with stakeholders. Organisations should already be working with suppliers, customers and regulators to understand the future implications of the regulation and align practices.22 For organisations using high-risk AI systems, adaptation time is minimal or non-existent. It was necessary to anticipate by preparing the processes that would enable the required certifications to be obtained rapidly, and to set up auditing and ongoing compliance mechanisms. Cross-functional issues can be identified, impacting cybersecurity and AI systems. The coming months are crucial for organisations as they navigate a rapidly changing regulatory landscape. A proactive approach is essential to ensure compliance, minimise risks and take advantage of the opportunities offered by new technologies, while complying with European directives and regulations. In the near future, this means strengthening risk management frameworks to incorporate new regulatory requirements for cybersecurity and AI. It’s also about striking a balance between technological innovation and regulatory compliance to maintain competitiveness while respecting ethical and security standards.23 Finally, it’s a question of investing in the human and technological resources needed to meet the challenges, including recruiting specialist talent and upgrading infrastructures. What’s more, the regulations to come are not only the result of a desire to regulate the management and conventional use of IT and AI systems, but also of a rise in potential cyber-attacks in the years to come.
20. Judgment of the Court of Justice of 29 July 2019, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, C-40/17.
21. Judgment of the Court of Justice of 1 October 2019, Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH, C-673/17.
22. Christina Montgomery and Jean-Marc Leclerc, ‘The EU AI Act Is About to Hit the Books: Compliance Steps You Need to Know’, IBM, 30 May 2024.
Within the next 5 years, cyberattacks are likely to become more sophisticated, exploiting emerging technologies such as AI to bypass defences. Indeed, a 2024 study by Deloitte in collaboration with NASCIO (National Association of State Chief Information Officers) highlights the growing risks of AI-powered cyberattacks.24 Experts note that AI-enabled attacks are rapidly becoming more sophisticated, notably through the creation of falsified content, the automation of information gathering, and real-time adaptation thanks to reinforcement algorithms. These advances are making attacks more complex to detect and outperforming conventional defences. The report also points out that many cybersecurity managers are struggling to keep up with the speed at which these threats are evolving, and only 35% say they are ready to effectively counter AI-enabled attacks in the next five years.25 This study joins the findings of other analyses, such as Keeper Security’s, which reveals that a large majority of cybersecurity professionals (84%) perceive an increase in AI-driven phishing and smishing attacks, making training campaigns and detection tools increasingly crucial to counter these threats.26
Companies will therefore need to invest in advanced security solutions and adopt a proactive approach to risk management. While compliance with the NIS 2 Directive and DORA Regulation will have to be fully achieved for all organisations subject to them, the continuous monitoring of critical infrastructures and increased operational resilience imposed by these directives and regulations will be all the more beneficial to organisations, in a context of increased cyber threats.27 In addition, new directives could extend cybersecurity obligations to other sectors, including small and medium-sized enterprises (SMEs), increasing the scope of compliance. Looking even further ahead, to around 8 years from now, the massive integration of the Internet of Things (IoT), 5G and 6G will increase the attack surface, requiring adapted regulatory frameworks to secure these technologies. Logic would dictate that the EU work more closely with other international jurisdictions to harmonise cybersecurity standards, leading to adjustments for companies operating on a global scale. The focus would then be on the resilience of systems as a whole, not just on the individual protection of organisations. It’s easy to imagine that, within 10 years, cybercriminals’ use of AI could automate large-scale attacks, requiring AI-based defences and regulations to frame these new threats. A fortiori, regulatory frameworks will need to be more dynamic to keep pace with the rapid pace of technological innovation, requiring companies to keep a constant regulatory watch and be more flexible.28
23. Amanda Lawson, ‘The EU AI Act Explained: Tracking Developments for Responsible AI’, Responsible artificial intelligence institute, 20 December 2022.
24. Cam Sivesind, ‘Deloitte-NASCIO Study: AI and Cyber Threats Reshape the Landscape’, SecureWorld, 2 October 2024.
25. Dilki Rathnayake, ‘Cybersecurity in the Age of AI: Exploring AI-Generated Cyber Attacks’, FORTRA, 11 March 2024.
26. Mike Vizard, ‘Survey sees cyberattacks gaining AI sophistication’, Barracuda, 15 October 2024.
27. Simon Toepper, ‘NIS 2 vs. DORA: Why there are two regulations for IT security in the EU’, IB Academy, 18 October 2024.
28. ‘NIS 2, AI Act, and more: How the EU’s digital strategy is driving the data-driven economy’, Device Insight, October 17, 2024.
In terms of AI, within 5 years, the AI Act should also be finalised and adopted. Companies will also have to comply with requirements for AI systems, including transparency, data management and bias prevention. It would also be legitimate for the EU to introduce additional guidelines to ensure the ethical use of AI, obliging organisations to integrate ethical considerations into the development and deployment of their systems. Furthermore, with the development of general AI or strong AI, new regulations could emerge to manage the risks associated with these powerful technologies. Stricter legal frameworks concerning liability for damage caused by AI systems could therefore be put in place, impacting insurance and corporate obligations. Within 10 years, the regulation of AI systems capable of fully autonomous decision-making will become critical, with specific laws to guarantee the safety and ethics of these systems.29 Intuitively, the EU should then strengthen individuals’ rights regarding their data and the impact of AI on their privacy, forcing companies to adopt increasingly stringent data protection measures. Companies will have to innovate while integrating security and compliance principles (‘Security by Design’ and ‘Compliance by Design’) right from the design stage.
C. Compliance in Practice: The Example of ‘By-Design’, Between Complying with Current Regulations and Anticipating the Future
The concept of ‘by-design’ refers to the principle of ‘compliance by design’, which encompasses two notions relating to privacy and security. The GDPR already devotes a specific article to ‘privacy-by-design’ (GDPR, Art. 25, para. 1). To effectively protect privacy, the European text provides for a non-exhaustive list of mandatory technical and organisational measures to secure personal data right from the processing design stage (GDPR, Art. 32). Technical measures include the pseudonymisation and encryption of data, the principle of minimisation, which limits the amount of data collected according to the purpose of the processing, and the implementation of control procedures to assess the security of the processing, such as penetration tests to identify any security breaches. Organisational measures must also make it possible to limit access to data and to the results obtained by cross-checking data within the company or institution. It is essential to train staff in the challenges of personal data protection and to involve the Data Protection Officer as early as possible in the design of a project. Furthermore, the data controller is obliged to carry out Privacy Impact Assessments in order to map the risks (GDPR, Art. 35). These are all obligations for the company, non-compliance with which exposes it to heavy fines of up to 10 million euros or 2% of the company’s worldwide annual sales (GDPR Art. 83, para. 5). This concept of ‘by-design’ is becoming increasingly popular, and will become an essential standard within the next 5 to 10 years.30
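Two of the technical measures listed above, pseudonymisation and data minimisation, are concrete enough to show in code. The following is an added example, not from the article or from any project it cites: a keyed pseudonym replaces the direct identifier (so re-identification needs a key that is stored apart from the data set), and a purpose-to-fields register releases only the attributes a given processing purpose needs. The purpose register, the field names and the patient record are constructed for the illustration; a real design would derive them from the records of processing and the impact assessment.

```python
"""Added example of GDPR Art. 25/32 'by-design' measures: pseudonymisation and
minimisation applied to a constructed record. Not code from the article."""
import hashlib
import hmac
import secrets

# Hypothetical purpose register: which fields each processing purpose may see.
# 'patient_ref' denotes the pseudonym that stands in for the direct identifier.
PURPOSE_FIELDS = {
    "appointment_reminder": {"patient_ref", "appointment_date"},
    "clinical_research": {"patient_ref", "age", "diagnosis_code"},
}

# Fields that are direct identifiers and must never leave the source system as-is.
DIRECT_IDENTIFIERS = {"national_id", "name", "home_address"}

# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "national_id": "FR-123456789",
    "name": "A. Example",
    "home_address": "1 rue Fictive, 69000 Lyon",
    "age": 47,
    "diagnosis_code": "I10",
    "appointment_date": "2025-03-12",
}


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links pseudonyms back to identifiers.
    It is the 'additional information' of Art. 4(5) and is kept separately."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier. Unlike a bare hash, a third party
    holding the data set cannot brute-force identifiers without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Release only the fields the purpose is registered for.
    The direct identifier is replaced by its pseudonym; other direct identifiers
    are dropped. Unknown purposes are refused instead of defaulting to 'all'."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no processing purpose registered: {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {}
    for field, value in record.items():
        if field == "national_id":
            if "patient_ref" in allowed:
                out["patient_ref"] = pseudonymise(value, key)
        elif field in DIRECT_IDENTIFIERS:
            continue  # never released, whatever the purpose
        elif field in allowed:
            out[field] = value
    return out


def leaks_direct_identifier(minimised: dict) -> bool:
    """Control check for the 'assess the security of the processing' step:
    a minimised record must carry no direct identifier."""
    return any(field in minimised for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for purpose in PURPOSE_FIELDS:
        released = minimise(SAMPLE_RECORD, purpose, key)
        print(purpose, released, "leak" if leaks_direct_identifier(released) else "ok")
```

Because the pseudonym is the same for every purpose under one key, records released for different purposes remain linkable by whoever holds the key, which is what makes the output pseudonymised rather than anonymised; rotating or segregating keys per purpose is the design choice that decides how much linkability survives.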
29. Vlerë Hyseni, ‘Securing Europe’s Digital Future: DORA and NIS 2 Directive’, PECB, 25 April 2024.
30. Christiane Féral-Schuhl, ‘Privacy-by-design, security-by-design, quand la compliance découle du code’, CIO, 27 September 2023.
Ultimately, the rapid evolution of digital technologies and artificial intelligence means that regulatory frameworks need to be constantly adapted to guarantee security, ethics and data protection. European directives and regulations such as NIS 2, DORA and the AI Act are crucial steps in framing these developments, but their effective implementation will depend on the proactivity of organisations and Member States. The adoption of ‘by-design’ as a fundamental principle illustrates the need to integrate compliance and security right from the design stage. As we approach an era where AI and ubiquitous connectivity will redefine our societies, it becomes essential not only to comply with current regulations, but also to anticipate future challenges. This raises a fundamental question: are we ready to rethink our traditional approaches to building a digital future that combines innovation, security and ethical responsibility?
Elio Machado Neto 1
As the October 2024 deadline for the transposition of the NIS 2 Directive has come to an end, only a few countries have fully incorporated the directive into national law, despite the urgency of harmonising cybersecurity measures across the Union. The slow progress risks not only financial and legal consequences but also undermines the goal of creating a unified cybersecurity framework to protect critical infrastructure from evolving cyber threats.
The original NIS Directive (Directive 2016/1148)2 set the foundation for improving the cybersecurity position of essential services like energy, transport, and healthcare at the EU level. However, cyberattacks have become more frequent and complex, as seen in the ENISA 2024 Threat Landscape (ETL) report that confirms this growing trend of incident numbers and their consequences within a context of geopolitical escalation and hack-activism.3 This situation, coupled with inconsistency shown by Member States’ approaches, made apparent the need for an EU Cybersecurity Strategy4, in which NIS 2 (Directive 2022/2555)5, DORA (Regulation 2022/2554)6 and CER (Directive 2022/2557)7 are key elements. The NIS 2 Directive, which came into force in January 2023, aims to harmonise cybersecurity measures across Member States, ensuring that essential services and critical sectors are adequately protected from increasingly sophisticated attacks.
1. Elio Machado Neto is a European Master in Law, Data and Artificial Intelligence (EMILDAI) graduate.
2. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
3. ENISA Threat Landscape 2024, European Union Agency for Cybersecurity (ENISA), September 2024.
4. ‘The Cybersecurity Strategy’, European Commission.
5. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
6. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
7. Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
Building upon the original NIS Directive, the NIS 2 framework expands the sectors covered, enhances risk management measures, strengthens incident reporting obligations, and imposes stricter penalties. In addition to sectors like energy and transport, NIS 2 now covers other vital areas such as food supply, digital infrastructure, and waste management, totalling eighteen sectors (Annexes I and II) and critical entities identified by the CER Directive benchmark. However, it is up to Member States to determine which entities fall within the scope of the new obligations. The deadline for providing a concrete list of essential and important entities, which can encompass private and public organisations, is 17 April 2025 (Article 3).
Senior management of in-scope entities now has a direct role in overseeing cybersecurity: management bodies must approve the cybersecurity risk-management measures and supervise their implementation, which is meant to foster a culture of compliance (Articles 20 and 21). To ensure that management bodies are familiar with best practice in cybersecurity risk assessment and management, the directive requires their members to undertake specialised training, which may also be offered to other employees.
To demonstrate that their cybersecurity measures are adequate, entities can rely on European cybersecurity certification schemes adopted under the Cybersecurity Act8 (Article 24). In addition, the use of European and international standards, such as the well-known ISO/IEC 27001, and of technical specifications is encouraged to strengthen the security of network and information systems (Article 25). Although certification schemes and recognised standards are encouraged, Member States may not impose, or discriminate in favour of, the use of a particular type of technology. The NIS 2 Directive is thus technology-neutral, so that the best current standards and practices can be followed by the entities concerned.
The incident reporting mechanism established in Article 23 is one of the key features of the NIS 2 Directive and arguably the most critical obligation imposed on essential and important entities. Under this obligation, entities must submit an early warning of any significant incident to their Computer Security Incident Response Team (CSIRT) or competent authority within 24 hours of becoming aware of it. An incident is significant when it has caused, or is capable of causing, serious operational disruption or financial loss for the entity, or when it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage; in the interest of transparency, recipients of the entity’s services that may be affected must also be informed. In October 2024, the European Commission adopted the first implementing act, covering digital infrastructure and digital service providers, which specifies in detail when an incident is to be considered significant. Such incidents include those causing a direct financial loss of more than €500,000 or 5% of the entity’s annual turnover, death or considerable damage to health, recurring incidents and the exfiltration of trade secrets, among others.9 Furthermore, in line with the GDPR10,
8. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.
9. Commission Implementing Regulation (EU) 2024/2690 …/... laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.
10. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
cyber incidents entailing a personal data breach must also be reported to the competent national data protection authority, under penalty of a fine (Article 33 GDPR).
Within 72 hours of becoming aware of the incident, the affected entity must submit an incident notification containing an initial assessment of its severity and impact. The reporting obligation extends to one month after that notification, by which time the entity must submit a final report with a detailed description of the incident, its root cause, the mitigation measures applied and, where relevant, an assessment of its cross-border impact. If, owing to the nature of the incident, it is still ongoing at that point, a progress report is required instead, and the final report is due no later than one month after the incident has finally been handled.
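The reporting timeline described above, as an added example and not code from the article: a small Python tracker that turns the moment an entity becomes aware of a significant incident into the Article 23 deadlines (24-hour early warning, 72-hour notification, final report one month after the notification) and handles the edge case where the incident is still ongoing when the final report falls due (progress report, then final report one month after handling). It also encodes the financial-loss limb of the significance test as the text summarises it. Assumptions: "one month" is treated as one calendar month clamped to the end of the target month, which the directive does not define; the implementing act applies whichever of the two financial figures is lower, which the text does not spell out; all timestamps and figures in the example are constructed.

```python
"""Added example (not from the article): NIS 2 Article 23 reporting deadlines
and the financial-loss limb of the 'significant incident' test."""

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_one_month(t: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month
    (31 January -> 28/29 February). The directive says 'one month' without
    defining it; calendar-month arithmetic is this example's assumption."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingSchedule:
    early_warning_due: datetime                   # 24 h after becoming aware
    notification_due: datetime                    # 72 h after becoming aware
    final_report_due: datetime                    # one month after the notification
    progress_report_required: bool                # incident still ongoing at that point
    final_after_handling_due: Optional[datetime]  # one month after handling, if known


def article23_schedule(aware_at: datetime,
                       notified_at: Optional[datetime] = None,
                       handled_at: Optional[datetime] = None) -> ReportingSchedule:
    """Deadlines counted from the moment the entity became aware of the incident.
    notified_at: when the 72 h notification was actually sent (defaults to the
    latest permitted time). handled_at: when the incident was resolved, or None
    if it is still ongoing."""
    early = aware_at + timedelta(hours=24)
    notify = aware_at + timedelta(hours=72)
    final = add_one_month(notified_at or notify)
    # Still ongoing when the final report falls due -> progress report instead,
    # final report one month after the incident is eventually handled.
    ongoing = handled_at is None or handled_at > final
    return ReportingSchedule(
        early_warning_due=early,
        notification_due=notify,
        final_report_due=final,
        progress_report_required=ongoing,
        final_after_handling_due=add_one_month(handled_at) if (ongoing and handled_at) else None,
    )


def exceeds_financial_threshold(loss_eur: float, annual_turnover_eur: float) -> bool:
    """Financial-loss limb of 'significant' as the text summarises the implementing
    act: direct loss above EUR 500 000 or 5 % of annual turnover. The act applies
    whichever figure is lower (assumption stated in the lead-in), so a small
    entity trips the threshold well below EUR 500 000."""
    threshold = min(500_000.0, 0.05 * annual_turnover_eur)
    return loss_eur > threshold


if __name__ == "__main__":
    aware = datetime(2024, 11, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    for label, handled in (("resolved quickly", aware + timedelta(days=9)),
                           ("still ongoing", None)):
        s = article23_schedule(aware, handled_at=handled)
        print(label, s.early_warning_due, s.notification_due, s.final_report_due,
              "progress report" if s.progress_report_required else "final report")
    print("small entity, EUR 300k loss on EUR 5M turnover:",
          exceeds_financial_threshold(300_000, 5_000_000))
```

In practice the clock starts at awareness, not at the attack, so the awareness timestamp should be recorded in the incident ticket the moment triage confirms a significant incident; the later deadlines all derive from it.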
A significant innovation of NIS 2 is the possibility of personal liability for members of management bodies who are negligent in complying with the cybersecurity requirements and risk-management obligations. The directive also establishes harsher fines for non-compliance with Article 21 or 23: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities (Article 34). Beyond financial measures, competent authorities can issue warnings about an entity’s infringements of the directive’s obligations, which can damage the company’s credibility.
Another noteworthy feature of NIS 2 is its extraterritorial reach (Article 2). Entities not established in the EU that offer digital services or carry out digital activities within the single market must designate a representative in the Union (Article 26).
The directive required Member States to transpose its provisions into national law by 17 October 2024, so that cyber threats are addressed uniformly throughout the single market. The effectiveness of the framework created by NIS 2 depends on how well Member States transpose it. Despite the guidance available, several countries have yet to fully transpose the directive.
Under EU law, directives must be transposed into national law by the Member States. This process allows each State to adapt the NIS 2 Directive to its national legal framework and political context while maintaining minimum EU-wide consistency and without affecting the application of sector-specific EU legal acts (Articles 4 and 5). Each Member State had until 17 October 2024 to implement the directive in its legal framework. Given the directive’s vast scope and complexity, and its intersection with other EU laws, this process involves significant adjustments for national governments, regulatory bodies and organisations.
Transposition involves revising existing laws and introducing new ones to meet the requirements of the NIS 2 Directive, a process that can be affected by national political struggles. The differing levels of cybersecurity maturity11 across the EU may also be an influencing factor, as they demand greater cybersecurity investment while budgets remain constrained.
The directive requires Member States to adopt national cybersecurity strategies (Article 7), which calls for coordination between multiple regulatory bodies to create the infrastructure needed to enforce compliance and process incident reports; this may mean expanding national cybersecurity agencies or creating new reporting portals for each sectoral authority.
These national strategies must be assessed regularly, and at least every five years. Their policies will cover cybersecurity in the supply chain for ICT products and services, technology development to implement state-of-the-art cybersecurity risk-management measures, training and education, and support for academic and research institutions. In other words, the policies will focus on laying the foundations for cyber protection and hygiene and on protecting network and information system infrastructures, which include hardware, software and online application security, and business or end-user data (Recital 49).
11. ‘Global Cybersecurity Index 2024 (5th Edition)’, International Telecommunication Union.
Despite the EU’s push for timely transposition, most Member States are lagging. Only Belgium, Croatia, Hungary, Italy, Latvia and Lithuania adopted laws incorporating the NIS 2 Directive into their national frameworks within the deadline, and only Belgium and Italy had notified full transposition, according to the European Commission.12
Member States are at different stages of the transposition process, according to their own national legislative procedures, which means that many transposition laws will probably not enter into force before 2025, missing the directive’s deadline. In countries such as Austria, Finland, Germany, Luxembourg, Ireland and the Netherlands, draft laws have been published and are undergoing consultation or parliamentary scrutiny. The French draft law was presented to the Conseil des Ministres only two days before the deadline and still has a long legislative procedure ahead of it.13 Little progress, on the other hand, has been shown by Malta, Bulgaria, Spain and Estonia, a country otherwise known for its innovative digital policies.
Failure to transpose NIS 2 by the October 2024 deadline can have legal and financial implications for Member States: the European Commission can open an infringement procedure and ultimately bring the matter before the Court of Justice of the EU. Late transposition is not specific to NIS 2. It is a problem acknowledged by the EU and monitored yearly through the Transposition Scoreboard, which measures the transposition deficit (the gap between the number of Single Market directives adopted by the EU and the number transposed by each Member State) and the conformity deficit (the percentage of those directives transposed incorrectly).14
12. Ryan Browne, ‘A tough new EU cyber law is off to a messy start with many countries failing to adopt the rules’, CNBC, 17 October 2024.
13. Gabriel Thierry, ‘Directive NIS 2: avec sa présentation en conseil des ministres, le chantier de la transposition s’accélère enfin’, ZDNET, 16 October 2024.
14. Single Market Scoreboard (Transposition), European Union.
From a business perspective, organisations in non-compliant countries may find it harder to integrate into the EU’s broader cybersecurity framework, leading to a patchwork of cybersecurity standards across the EU and undermining the directive’s goal of harmonisation. The transposition delay in most countries is also likely to affect another crucial deadline, 17 April 2025, by which Member States must establish the concrete list of essential and important entities.
In this context, organisations in the listed sectors and within the directive’s scope should take a proactive approach and prepare their risk-management strategy now, to ensure a smooth transition to the new rules. Compliance should not be seen merely as a way to avoid penalties but as a crucial effort to build robust and resilient network and information systems. Supply-chain due diligence, incident reporting procedures and overall business plans will need to be aligned with recognised standards and guidelines, and senior management and employees trained. Attention must be paid to the fine print of the transposition laws, since NIS 2 adopts a minimum harmonisation approach that does not prevent Member States from imposing more stringent obligations. On average, however, the transposition laws and draft bills released so far adhere to the NIS 2 baseline.
The transposition of the NIS 2 Directive is a critical moment for Europe’s cybersecurity landscape and another step towards cyber capacity building and proactive risk management to strengthen Europe’s overall cybersecurity position. The directive presents an opportunity for Member States and essential entities to create a more resilient and secure digital infrastructure that can withstand the growing threat of cyberattacks.
Disclaimer: since the submission of this text, Greece completed its transposition procedure on 28 November 2024, and Denmark partially implemented measures for some ICT providers in the financial sector. Meanwhile, Portugal published its draft law and submitted it to public consultation in November.