The NIS2 Directive transposition deadline is today — Thursday the 17th of October 2024. On the directive's own text, member-state legislation transposing it should be in force as of this date, with the operational compliance regime active from the same date. The NIS2-affected organisations in the customer portfolio are in an attestable position, on the strength of programme work that has been continuous since the directive's adoption in 2022. The actual operational regime begins now.
The portfolio status. The manufacturer's overseas operations are NIS2-attestable: the risk-management-practices documentation, the incident-handling procedures, the integration of the supply-chain-security programme, the encryption and access-control posture, and the various organisational and governance changes that the Article 21 obligations require are all in place. Northcott's overseas operations are NIS2-attestable. The retailer's various EU operations are NIS2-attestable on those aspects of their operations that fall within scope. The financial-services firm has parallel obligations under DORA (the Digital Operational Resilience Act), which applies from the 17th of January 2025 — three months from now — and the firm's DORA-readiness programme is on track for that deadline.
The actual pace of transposition across member states has been variable, which is operationally familiar from the GDPR cycle. Some member states have completed transposition with carefully prepared legislation; some have completed it with hastily passed legislation that will need subsequent refinement; some have not completed it by the deadline. The European Commission's enforcement posture against non-transposing member states will be a 2025 question. The customer organisations' operational posture across multiple jurisdictions has had to address this variable-transposition reality through differentiated programme work.
The substantive operational changes from today. The breach-notification cadence — initial notification within 24 hours, follow-up within 72 hours, final report within one month — is now active for in-scope customer-organisation activity in EU jurisdictions. The supply-chain-security obligations are operationally in force, with the customer organisations' supply-chain-security programme work, continuous since SolarWinds, substantively reflected in the documentation NIS2 requires. The supervisory-authority engagement posture is now formalised, with named contact and escalation points at each customer organisation in scope of the directive.
The wider regulatory environment. The post-NIS2 EU regulatory landscape continues to develop. DORA from January 2025. The EU AI Act came into force on the 1st of August 2024 with the staged compliance deadlines through 2025-2026 (EU AI Act regulatory text and timeline). The Cyber Resilience Act for product cybersecurity has been adopted and will apply from 2027. The aggregate regulatory environment is, in 2024, more demanding and more comprehensive than at any previous point in my career.
The UK situation. The UK government published the Cyber Resilience Act consultation response in 2024, with substantive legislative output expected through 2025-2026. The customer-portfolio programme work for UK-and-EU customer organisations is parallel rather than aligned: the UK-side framework is converging on substantively comparable standards, but with differentiated detailed requirements that the customer-organisation programme work has to address.
For the customer-portfolio briefings, the post-NIS2-deadline operational regime has been settled into the customer-organisation programme work. The Q4 customer-portfolio strategic conversation will pivot to the 2025 regulatory deadlines and the longer-arc progression of the regulatory environment. The customer-organisation programme work continues.
I will write more as the post-deadline operational picture develops. The 2024 retrospective will treat the NIS2 transposition as the year's principal regulatory milestone.