NIS2 Legislative Delays across Europe
There have been legislative delays across Europe ahead of the NIS2 implementation deadline of 17th October 2024.
It was recently announced by the government of the Netherlands that they will not introduce the necessary legislation to enact The Network and Information Systems Directive 2 (NIS2) before the deadline of 17th October, 2024. This follows on from the news coming out of the UK in the King’s speech in November that the UK would most likely not be updating its new cyber laws, which would closely align to NIS2 in certain areas, before 2025.
In Ireland, the legislative landscape is unclear, with no draft legislation presented before the Daíl as of yet, making it uncertain whether the Irish government will meet the October deadline to legislate for the European Directive, as set out by Brussels.
Despite these delays across Europe, government officials have encouraged organisations that fall within the scope of NIS2 to begin preparing for the legislation immediately.
The Minister of Justice and Security in the Netherlands, Dilan Yesilgöz-Zegerius, outlined the position in the Dutch update on January 31st, where it was announced that the legislation would not be ready in 2024. She said: “It also remains important that companies and organisations do not wait until the new laws and regulations are fully clear, but take measures now to protect the continuity of their business processes. Organisations that take action now will not only protect themselves against existing risks, but will also be better prepared for the arrival of the new legislation.”
“Some organisations are already subject to obligations under current laws and regulations, such as the Network and Information Systems Security Act (Wbni). In addition, the CER and NIS2 directives prescribe a number of concrete measures for which companies and organisations can already prepare,” she added.
With regard to the Irish position on NIS2, this is not the first time that the legislature has had difficulty in meeting its obligations with regard to EU Directives. The original NIS Directive was published in July 2016 and was signed into Irish law on the 18th of September 2018 by way of Statutory Instrument, four months after the EU deadline to adopt and publish these regulations of 9th May.
In addition, the implementation of the GDPR in 2018, was passed by the Daíl on the 18th May, 2018 and signed into law by the President on 24th May, just one day before the deadline of 25th May set out by Brussels.
As with NIS, there is a potential for the Irish government to introduce a statutory instrument that would allow them to meet the deadline set out in NIS2 without having to enact legislation before this date.
Regardless of the legislative landscape, the Directive will come into force across the EU in October and all organisations that are in scope need to put plans in place to be compliant.
To read the EU directive on NIS2 in full: https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
The Government response on delaying NIS2 in the Netherlands can be found here (NL): Nieuwe Commissievoorstellen en initiatieven van de lidstaten van de Europese Unie | Tweede Kamer der Staten-Generaal
Question?
Our specialists have the answer