
Investigating the Legal Landscape of Cybersecurity Yields Benefits

Businesses should treat cybersecurity regulation not merely as a mandatory legal requirement but as an essential strategic priority for long-term resilience.

Streamlining Cybersecurity Regulation: Navigating the Challenges of NIS2 Transposition Across EU Member States

By Nadine Neumeier and Stephanie Giek *

In the face of escalating cyberattacks, businesses worldwide, and particularly in Europe, are suffering unplanned financial losses and irrecoverable reputational damage. With German companies alone seeing a staggering 203 billion euros in damages from cyberattacks in 2022, it is clear that comprehensive regulation, and a proactive response by companies, are essential.

To address this crisis, the EU introduced the NIS2 Directive (EU) 2022/2555. However, the directive's requirements, and their transposition into national law across the EU member states, have proven challenging for many businesses.

Facing the consequences

Complying with the directive's stipulations should be a priority, as violations can result in fines of up to 10 million euros or 2% of the group's total worldwide turnover in the previous year for essential facilities, and up to 7 million euros or 1.4% of total worldwide turnover in the previous year for important facilities. In addition, the national transposition acts contain their own provisions imposing hefty fines for non-compliance.

However, implementing the directive is fraught with obstacles for businesses. The deadline for EU member states to transpose it is October 17, 2024, yet given Germany's current political instability, there is speculation about whether the NIS2UmsuCG will be adopted in time.

Sizing up the landscape

Regardless of Germany's situation, globally active corporations must establish whether the national NIS2 transposition acts relevant to them are already in force or still forthcoming, and assess the impact of these laws on their operations. This task can be convoluted and confusing, as multiple factors come into play.

For instance, while the NIS2 Directive contains no group-level rules, the concept of a facility delimits an enterprise's obligations within a group. At the same time, corporate groups must check whether they exceed the thresholds of the small and medium-sized enterprise (SME) definition when determining their SME status.

International implications

Global corporations must also determine whether subsidiaries of foreign corporations are covered by the provisions of the NIS2 Directive. This matters, for example, where subsidiaries located within the EU, or providing services there, are under consideration. It is essential to note, however, that national responsibility is generally based on the location of the facility.

Disparities in enforcement

The requirements for cybersecurity and risk management measures, together with the registration and notification obligations, also create practical quandaries for international companies because the EU member states have implemented them differently. For example, Belgium's law grants affected companies a five-month registration period from the date of entry into force, while the draft NIS2 Implementation Act in that country provides a three-month registration period for essential and particularly essential facilities, starting from the date on which the facility is first (or newly) deemed to be one.

Further differences arise from the way the sectors are defined in each country, as demonstrated by Hungary's expansion of its implementing act, the "Act on the Certification and Supervision of Cybersecurity," to cover public transport.

A matter of strategy

Corporations, especially international ones, should regard the NIS2 requirements not only as a legal obligation but also as a strategic necessity for their future viability. Addressing cybersecurity requirements proactively and systematically will leave companies better prepared for current and future challenges.

* Nadine Neumeier is Counsel and Stephanie Giek is Associate at the law firm Clifford Chance in Frankfurt.

A Closer Look at the NIS2 Directive's Implementation

Current Status

  • Transposition progress: As of April 2025, only 11 member states have passed implementing legislation, among them Croatia (January 2024), Finland, and Malta [2].
  • Germany: The implementation process, through the draft BSIG-E law, is delayed by a legislative backlog; timelines remain vague, yet the obligations are strict and will require immediate compliance once the law is enacted [4].
  • Upcoming deadlines: Denmark aims to have its law in place by July 2025, while others, such as Spain and France, have yet to finalize their legislation.


  1. Escalating cyberattacks have led to substantial financial losses and tarnished reputations for businesses worldwide, with German companies alone suffering 203 billion euros in damages in 2022.
  2. To mitigate these threats, the EU introduced the NIS2 Directive (EU) 2022/2555, which aims to strengthen cybersecurity regulation across the EU member states.
  3. The deadline for member states to transpose the NIS2 Directive is October 17, 2024, but Germany's current political instability is raising concerns about the timely adoption of the NIS2UmsuCG.
  4. International corporations must assess the impact of the national NIS2 transposition acts on their operations, considering factors such as their SME status, the coverage of foreign subsidiaries, and the varying implementation of cybersecurity measures among EU member states.
  5. Businesses should regard cybersecurity regulations as vital strategic imperatives for their future competitive edge, rather than as mere legal requirements.
