A call for harmonised NIS2 transposition to safeguard the single market

The updated Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)1 is the cornerstone of Europe’s cybersecurity. Its enactment into national laws, due 17 October 2024, comes at a pivotal moment for the EU’s single market. 

Unfortunately, nearly all Member States are choosing to diverge from the common EU rules in their own manner. They are expanding the rules’ scope, imposing stricter minimum requirements, establishing a multitude of overseeing agencies, and establishing different compliance timelines.  

Discrepancies in Member States’ cyber laws translating the NIS2 Directive result in a fragmented and less cybersecure single market.2 We call on Member States to: 

• Preserve NIS2’s boundaries: Surpassing the common EU rules on scope and requirements will hurt companies’ ability to scale up across Europe, particularly SMEs. Cybersecurity risk management measures should be constricted to those strictly necessary, based on the risk assessment companies must carry out. 

• Establish reliable entity classification: Predictability is vital for business planning. The EU criteria for important and essential entities should be adopted without deviation, and engaging directly with affected companies. If expanding the scope is necessary, clear reclassification criteria should be provided to allow companies to prepare for compliance. 

• Keep compliance proportional: NIS2 introduces significant new obligations, especially for entities previously outside the scope of EU cyber rules. These companies will often need to build their cybersecurity compliance efforts from scratch. Member States should provide guidance to entities and establish clear, efficient and minimally burdensome compliance procedures. For multinational companies, mutual recognition of compliance and a one-stop-shop approach should be prioritised. 

• Limit supervisory complexity: Involving multiple competent authorities in NIS2 enforcement can cause confusion and delays. Minimising the number of authorities is crucial to streamline oversight and incident response. In addition to a one-stop-shop approach, looking ahead we advocate for the exploration of a 28th regime at the EU level for future cyber legislation reforms to further harmonise regulations, enhance competitiveness and strengthen the single market. 

• Provide adequate time for transition: Companies need sufficient time to implement cybersecurity measures. National laws should allow a phased approach, including submission of system security plans with action milestones to meet compliance over time. 

• Ensure coherence between NIS2 and the Directive on the resilience of critical entities (CER Directive):3 National authorities should coordinate the transposition of NIS2 and CER to avoid overlapping obligations and streamline cybersecurity and critical infrastructure protections for entities covered by both Directives. 

By maintaining clear standards and adopting measures such as one-stop shops for compliance, we can enhance cybersecurity across the EU whilst preserving the integrity of the single market. A coordinated approach, both now and in future reforms, is essential to strengthening Europe’s digital resilience and competitiveness.