Policy Briefing — EU NIS2 transposition deadline drives final national implementations
Member States must transpose Directive (EU) 2022/2555 (NIS2) by 17 October 2024, extending cybersecurity risk-management and reporting duties to thousands of essential and important entities across the European Union.
Executive briefing: The transposition deadline for the NIS2 Directive falls on 17 October 2024. Each EU Member State must embed NIS2’s risk-management, supply-chain oversight, and 24-hour incident notification requirements into national law, expanding supervisory reach well beyond the original NIS regime.
Regulatory expectations
- Wider scope. NIS2 applies to essential entities (energy, transport, health, public administration) and important entities (digital platforms, food manufacturing, waste management), triggering mandatory registration with competent authorities.
- Risk management baseline. Article 21 obliges organisations to implement multifactor authentication, vulnerability disclosure, supply-chain assurance, and secure development processes; non-compliance is subject to fines of up to €10 million or 2% of global turnover.
- Coordinated supervision. Operators must prepare to engage with national CSIRTs, joint supervisory teams, and the EU-CyCLONe crisis network for cross-border incidents.
Program actions
- Jurisdiction mapping. Track national transposition laws and identify which competent authority (e.g., BSI in Germany, ANSSI in France) will supervise each EU entity.
- Incident rehearsal. Align incident response plans with NIS2’s 24-hour initial notification, 72-hour status update, and final report cadence.
- Supply-chain attestations. Extend vendor risk assessments to include a software bill of materials, secure development practices, and subcontractor disclosure demanded under Article 21(2)(d).