October 17, 2024, is the final day for European Union (“EU”) Member States to implement the necessary measures for transposing the EU Directive on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”) into their national laws. The rules of the NIS2 Directive will then become applicable from October 18, 2024, onwards.

The NIS2 Directive repeals the current NIS Directive, increases the number of entities under scope, and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the EU. The new obligations include the requirement to register with competent authorities, and strict rules on governance, cyber risk management and incident reporting. Read our previous blog on the NIS2 Directive for further information.

Organizations in scope should confirm the status of transposition of the NIS2 Directive in the jurisdictions where they carry out activities. Although all Member States are required to finalize their transposition by October 17, 2024, a number of countries are unlikely to meet this deadline. However, it is recommended that organizations expedite the implementation of the necessary compliance measures to ensure that they meet applicable legal deadlines.

Read the NIS2 Directive.