Transposing the NIS2 and CER Directives into national legislation is taking longer than expected due to its complexity. As a result, the Cabinet is not going to meet the implementation deadline of Oct. 24, 2024. Outgoing Minister of Justice and Security Dilan Yeşilgöz-Zegerius, who is directing the implementation of the directives, hopes to present the bills to the House of Representatives this fall. The minister writes this in a letter to the House of Representatives.
'NIS' stands for Network and Information Security. NIS2 is the successor to the first NIS directive, which took shape in our country in 2016 with the Network and Information Systems Security Act (Wbni). The new directive focuses on digital threats to network and information systems, such as cyber attacks, zeroday exploits and ransomware. With the NIS2 directive, the European Commission aims to equalize the security of network and information systems across the European Union.
Among other things, the directive stipulates a duty of care and notification for both private and public organizations in sectors such as healthcare, energy supply, finance, digital infrastructure and public administration. There are also agreements on the exchange of threat information between member states and a European database for vulnerabilities. Finally, companies and organizations must meet stricter obligations in the area of cybersecurity.
'CER' is an acronym that stands for Critical Entities Resilience. It focuses on protecting public and private organizations from physical risks such as terrorist attacks, sabotage and natural disasters.
Translating both directives into national legislation is taking more time than expected, Minister Yeşilgöz-Zegerius wrote today in a letter addressed to the House of Representatives. "The draft bills are expected to be submitted for consultation before the summer of 2024. Given the necessary follow-up steps in the legislative process, I conclude that the European Commission's implementation deadline for both directives, namely October 17, 2024, will not be met," the minister said.
Once the consultation round is completed, the bills are submitted to the Advisory Division of the Raad van State, one of the government's main advisory bodies. If it gives a positive opinion on the bills, they will be forwarded to the House of Representatives. Minister Yeşilgöz-Zegerius hopes to present the bills next fall.
The minister says she is doing everything possible to have the bills ready as soon as possible. She emphasizes that companies and organizations should not wait until the new laws and regulations are ready, but should take measures now to protect their business processes. "Organizations that take action now not only secure themselves against existing risks, but are also better prepared for the arrival of the new legislation soon," the minister wrote.
She lists several concrete measures that companies and organizations can already take now. "For example, they can conduct analyses of digital and physical risks, increase staff awareness of risks and security measures, and further tighten and supplement procedures in the event of incidents by detecting, monitoring, resolving and reporting them."
Minister Yeşilgöz-Zegerius promises to keep the House of Representatives informed about the progress of implementation.
