Mark Young, Paul Maynard, and Aleksander Aleksiev of Covington and Burling write:
In six months’ time, on 17 October 2024, Member State laws that transpose the EU’s revised Network and Information Systems Directive (“NIS2”) will start to apply. As described in more detail in our earlier blog post (here), NIS2 significantly expands the categories of organizations that fall within scope of EU cybersecurity legislation. This new, cross-sector law imposes additional and more granular security and incident reporting rules, enhanced governance requirements that apply to organizations’ “management bodies,” and creates a stricter enforcement regime.
[…]
Some Member States (e.g., Croatia) have already passed their transposing legislation, and others (e.g., Germany and Belgium) have published draft laws that are going through the legislative process. Despite the October deadline, many Member States have not yet published drafts or started their legislative process. NIS2 is a “minimum harmonization” law, meaning that Member States’ implementing laws can impose additional obligations beyond those set out in the text of the Directive.
As we enter the last six months before national laws start to apply, establishing which Member States’ competent authorities will have jurisdiction to enforce NIS2 will also be a critical assessment for regulated entities.
Read more at Inside Privacy.