A Joint Call for Harmonised Transposition of NIS2 to Safeguard the Single Market
The updated Directive on measures for a common level of cybersecurity throughout the EU (NIS2 Directive) is the cornerstone of European cybersecurity. Its enactment into national law on 17 October 2024 comes at a crucial moment for the EU single market.
Unfortunately, almost all Member States have chosen to depart from the common EU rules in their own way. They are extending the scope of the rules, introducing stricter minimum requirements, setting up a multitude of supervisory authorities and setting different deadlines for compliance.
The differences in Member States’ cyber laws, which transpose the NIS2 Directive, lead to fragmentation and less cybersecurity in the Single Market.
- Maintain the boundaries of the NIS2: Going beyond common EU rules on scope and requirements will undermine the ability of companies to grow across Europe, especially small and medium-sized enterprises (SMEs). Measures to manage cyber risks should be limited to those that are strictly necessary, based on risk assessments that firms must carry out.
- Ensure a reliable classification of actors: Predictability is key for business planning. EU criteria for important and essential entities should be adopted without deviation and with the direct involvement of the firms concerned. If scope extension is necessary, clear reclassification criteria should be provided so that firms can prepare for compliance.
- Ensure compliance with the Directive: NIS2 introduces significant new obligations, particularly for entities that were previously outside the scope of the EU cyber rules. These companies will often have to build their cybersecurity compliance efforts from scratch. Member States should create an environment so that verifying compliance with the Directive imposes the least bureaucratic burden. Mutual recognition of compliance and a one-stop shop approach should be a priority for multinational companies.
- Reduce the complexity of supervision: Involving multiple competent authorities in NIS2 enforcement can cause confusion and delays. Minimising the number of authorities is essential to streamline supervision and incident response. In addition to the one-stop-shop approach, going forward we advocate the creation of a 28th regime at EU level for future cyber legislation reforms to further harmonise regulations, enhance competitiveness and strengthen the single market.
- Allow sufficient time for adaptation: Companies need sufficient time to implement cybersecurity measures. National legislation should allow for a phased approach, including the submission of systems security plans with action step milestones that will lead to compliance over time.
- Ensure consistency between the NIS2 Directive and the Critical Entity Resilience Directive (CER Directive): National authorities should coordinate the transposition of the NIS2 and CER Directives to avoid overlapping obligations and simplify cybersecurity and critical infrastructure protection for entities covered by both Directives.
By maintaining clear standards and adopting measures such as single points of contact to ensure compliance, we can improve cybersecurity across the EU while preserving the integrity of the single market. A coordinated approach, both now and as part of future reforms, is essential to strengthen Europe’s digital resilience and competitiveness.

