Critical service providers across Europe are in for a bumpy ride later this year, and they have their governments to thank. These organisations are subject to the NIS Directive (Directive on security of network and information systems), which each EU member state was required to transpose into national law by 9 May 2018.
However, we’re now three months past that deadline and only 11 nations have complied: Cyprus, the Czech Republic, Estonia, Finland, Germany, Italy, Malta, Slovakia, Slovenia, Sweden and the UK.
The European Commission has sent a formal letter of notice to the remaining 17 member states, including France and Hungary, which claim to have “partially transposed” the Directive into national law, but even a swift transposition will cause organisations in those countries compliance headaches.
NIS Directive must become a priority
The NIS Directive has been in the shadow of the EU GDPR (General Data Protection Regulation) since its inception, but it’s time for the Directive to become a top priority. Its penalties are nearly as tough as the GDPR’s, with non-compliant organisations facing fines of up to €20 million.
Although fines of that magnitude will almost certainly be reserved for flagrant violations, the failure of national governments to transpose the legislation into national law has increased the possibility of serious breaches. Because the legislation is a directive, each member state has several areas of flexibility when adopting it. The longer it takes to finalise those, the less time affected organisations have to prepare.
The delays have also led to a lack of implementation advice. Organisations in member states that have already transposed the NIS Directive into national law have been able to take advantage of compliance advice from regulators and consultancies such as ours. This guidance must be tailored to the variations in each member state’s version of the Directive, but if member states haven’t finalised their legislation, no one can be quite sure of the best way to prepare.
NIS Directive guidance
For comprehensive advice on the core elements of the NIS Directive, we recommend downloading our free compliance guide for DSPs. It covers:
- The six ‘essential’ sectors that must comply;
- Which DSPs (digital service providers) are covered and which are excluded;
- The functions of the CSIRTs Network;
- Organisations’ risk management and incident reporting obligations; and
- How cyber resilience helps organisations meet the Directive’s requirements.