26 Sep 2024

A call for harmonised NIS2 transposition to safeguard the single market

The updated Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)1 is the cornerstone of Europe’s cybersecurity. Its enactment into national laws, due 17 October 2024, comes at a pivotal moment for the EU’s single market. 

Unfortunately, nearly all Member States are choosing to diverge from the common EU rules in their own manner. They are expanding the rules’ scope, imposing stricter minimum requirements, establishing a multitude of overseeing agencies, and establishing different compliance timelines.  

Discrepancies in Member States’ cyber laws translating the NIS2 Directive result in a fragmented and less cybersecure single market.2 We call on Member States to: 

  • Preserve NIS2’s boundaries: Surpassing the common EU rules on scope and requirements will hurt companies’ ability to scale up across Europe, particularly SMEs. Cybersecurity risk management measures should be constricted to those strictly necessary, based on the risk assessment companies must carry out. 
  • Establish reliable entity classification: Predictability is vital for business planning. The EU criteria for important and essential entities should be adopted without deviation, and engaging directly with affected companies. If expanding the scope is necessary, clear reclassification criteria should be provided to allow companies to prepare for compliance. 
  • Keep compliance proportional: NIS2 introduces significant new obligations, especially for entities previously outside the scope of EU cyber rules. These companies will often need to build their cybersecurity compliance efforts from scratch. Member States should provide guidance to entities and establish clear, efficient and minimally burdensome compliance procedures. For multinational companies, mutual recognition of compliance and a one-stop-shop approach should be prioritised. 
  • Limit supervisory complexity: Involving multiple competent authorities in NIS2 enforcement can cause confusion and delays. Minimising the number of authorities is crucial to streamline oversight and incident response. In addition to a one-stop-shop approach, looking ahead we advocate for the exploration of a 28th regime at the EU level for future cyber legislation reforms to further harmonise regulations, enhance competitiveness and strengthen the single market. 
  • Provide adequate time for transition: Companies need sufficient time to implement cybersecurity measures. National laws should allow a phased approach, including submission of system security plans with action milestones to meet compliance over time. 
  • Ensure coherence between NIS2 and the Directive on the resilience of critical entities (CER Directive):3 National authorities should coordinate the transposition of NIS2 and CER to avoid overlapping obligations and streamline cybersecurity and critical infrastructure protections for entities covered by both Directives. 

By maintaining clear standards and adopting measures such as one-stop shops for compliance, we can enhance cybersecurity across the EU whilst preserving the integrity of the single market. A coordinated approach, both now and in future reforms, is essential to strengthening Europe’s digital resilience and competitiveness. 

Download the full document
27 Sep 2024 Position Paper
Protecting children online: response to the call for evidence
26 Sep 2024 Position Paper
Future directions for accelerating digital skills uptake across Europe
17 Sep 2024 The Download
The Download - Data Centres: A powerful enabler of Europe's twin transition
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept