If a European Union member state hasn’t transposed a directive into its national law, are in-scope organisations liable for non-compliance with the directive from the date by which the member state should have done so?
That is the question that numerous clients have been asking in recent weeks, in light of the fact that only four of the EU’s 27 member states — Belgium, Croatia, Italy and Lithuania — fully transposed the NIS2 Directive into national law by the date on which they should have done, namely, 17 October 2024. (Hungary and Latvia have also adopted NIS2 into their respective laws, although as we shall see below, the European Commission does not appear to consider that these laws have “full[y]” implemented the Directive.)
Notwithstanding differing views on the status of implementation, the issue of NIS2 applicability is front of mind not only for organisations that are subject to NIS2 in their own right (e.g., telecoms companies and medical device manufacturers), but also for private equity funds that are considering whether to invest in such organisations and the risks of their current and future portfolio companies’ non-compliance with NIS2.
Unlike EU regulations, which apply directly and uniformly in all member states from a set date, EU directives require member states to achieve a set of goals by a specific date but leave it to each country to decide how to do so. Because a regulation applies automatically and can be enforced from the day it enters into force, its status is never in doubt; the position is more complicated when a directive has not been transposed by the required date.
NIS2 in a nutshell
By way of reminder, NIS2 is an EU law that aims to strengthen the cybersecurity posture of “essential” and “important” entities that operate in certain critical sectors in the EU, including energy and water, transport, banking and financial market infrastructures, healthcare and digital infrastructure. NIS2 repeals and replaces the NIS1 Directive, which came into effect on 10 May 2018 (i.e., two weeks before the GDPR) but ultimately proved ineffective and soon was overshadowed by the GDPR.
NIS2 introduces a range of new and enhanced obligations on in-scope entities, including in respect of:
- Cybersecurity. Organisations must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use to operate or provide their services.
- Governance. Boards of directors and other senior officers must approve and oversee, and can be liable for, the cybersecurity risk management measures taken by their organisations.
- Incident Management. Reporting obligations differ between “incidents” and “cyber threats”. For significant incidents, entities must submit an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours and a final report within one month.
NIS2 will be enforced by national supervisory authorities, whose remit differs for essential and important entities. For an infringement of its risk management or incident reporting obligations, an essential entity can receive a maximum fine of the greater of €10 million or 2% of worldwide annual turnover for the previous financial year, while fines for important entities can be up to the greater of €7 million or 1.4% of worldwide annual turnover. In addition, individuals with managerial responsibilities at essential entities can be temporarily banned from exercising managerial functions if their organisation fails to remedy deficiencies by a deadline set by the supervisory authority.
The European Commission takes action
On 28 November 2024, the European Commission opened infringement procedures against 23 member states for failing to fully transpose the NIS2 Directive into their national laws by 17 October 2024. The Commission gave the recalcitrant member states two months to respond and complete their transposition. This timeline seems ambitious, however, given that at least half a dozen member states do not appear to have even begun the legislative process. To compound matters, some member states, such as the Netherlands, have publicly stated that their implementing legislation is not expected to enter into force before Q3 2025.
This is not the first time that member states have failed to implement an EU directive; indeed, it happens with some regularity. Ultimately, the Commission can bring proceedings before the Court of Justice of the European Union where member states do not transpose a directive. Among several data protection-related examples, readers may remember Spain being fined €15 million in February 2021 for failing to transpose the Law Enforcement Directive.
What does this mean for you?
The short answer is that (i) in-scope entities are not liable in respect of actions brought by the regulatory authorities of a member state that has not implemented the NIS2 Directive, but (ii) individuals and entities located in these member states may be able to enforce their rights under the Directive.
Taking these positions in turn:
- The authorities in non-compliant member states do not have the scope to bring actions against organisations that would be subject to NIS2 had it been correctly transposed in their jurisdiction. Although this position applies to the majority of EU member states, in-scope entities established (or, in the case of non-EU based organisations, that offer services) in Belgium, Croatia, Italy and Lithuania should ensure that they are compliant with the Directive’s requirements.
- Certain provisions of a directive may apply in member states that did not transpose it by the required date, but only where the directive’s provisions are clear, precise, unconditional and give rights to individuals. This is known as the principle of direct effect. For the purposes of EU law, however, a directive can only have vertical direct effect — meaning that an individual may rely on the directive against the member state that failed to implement the legislation, but not against another individual or entity.
Provided that your organisation — or target company — is not located in one of the four member states that the Commission considers had transposed the Directive by 17 October 2024, the practical risks of enforcement for NIS2 non-compliance are therefore likely to be limited until those national laws take effect.
However, the member states’ failure to meet their implementation deadline shouldn’t be taken for granted — or as encouragement to do the same. If your organisation is in scope of NIS2 but hasn’t yet instituted a defensible compliance programme to meet its obligations under the Directive, you now have a second bite at the apple before the law comes into force across the EU. That said, the rate of progress among member states — at least three national implementing laws are expected to take effect in the next six months — means that the opportunity won’t last long, and addressing NIS2 compliance should be near the top of your resolutions for 2025.
Subscribe to Ropes & Gray Viewpoints by topic here.