NIS 2: Where are European countries in transposing the directive?
Published November 25, 2024
- Cybersecurity

All European Union (EU) countries must transpose the NIS 2 (Network and Information Security) directive into their national law.
Cyber criminals are getting increasingly efficient as they develop better tools, affecting a growing number of organizations that are all too often inadequately prepared. NIS 2 consolidates the NIS framework for improved security. This new European regulation drastically broadens the range of entities covered. It affects companies in a wide range of sectors and sizes, from SMEs to large corporations. This wider scope is undoubtedly a challenge for national authorities, who must transpose the text and define security requirements that will apply to a diverse range of organizations.
Despite the transposition deadline of October 17, 2024, set by the European Commission, EU countries have achieved uneven levels of progress. They have also, on occasion, adopted different approaches to transposition (e.g. public vs. closed consultation, alignment with pre-existing national laws, varying degrees of communication including the provision of online help tools for entities).
This article compares the level of transposition in each member State as of October 18, 2024.
Heterogeneous progress in transposition

Countries at maturity level 4

Countries at maturity level 3

Countries at maturity level 1 & 2

Focus on selected European countries
Maturity level = 3
The NIS 2 bill (NIS2UmsuCG) was approved by the German Federal Government on July 24th, 2024. However, it still has to be passed by the Federal Parliament before it can come into force, which is estimated for March 2025.
Key stages
- April 2023: first version of the bill
- July 2023: second version of the bill
- December 2023: third version of the bill
- May 2024: fourth version of the bill
- July 2024: fifth version of the bill approved by the Federal Government (Bundesregierung)
- September 2024: the Federal Council (Bundesrat) publishes its opinion on the draft law transposing NIS 2
- October 2024: the bill is submitted to Parliament (Bundestag)
- March 2025: estimated entry into force (to be confirmed)
National specificities
In Germany, the BSI Act, adopted in 1991, gives the BSI the mandate to guarantee IS security.
The IT Security Act, enacted in 2015 and updated in 2021 with the IT Security Act 2.0, extends the responsibilities of the BSI and imposes security measures on operators of critical infrastructures. At the same time, the KRITIS regulation designates a list of critical sectors within the German economy (energy, water, food, health, etc.) and reinforces the security measures to be applied by these entities.
Germany has clarified the categories of entities that will be affected by NIS 2 in relation to KRITIS. NIS 2 will concern 2 categories of entities:
- particularly important entities (made up of KRITIS entities and Essential Entities as designated by the NIS 2 directive)
- important entities (made up of Important Entities as designated by the NIS 2 directive).
BSI provides recommendations for anticipating the arrival of the German NIS 2, including the nomination of persons in charge of coordinating cybersecurity within the entity, and an initial assessment of cybersecurity maturity.
Competent authority(ies)
BSI (Bundesamt für Sicherheit in der Informationstechnik)
Maturity level = 4
The transposition law was passed by the Belgian Parliament on April 26th, 2024. It is accompanied by a Royal Decree setting out the practical arrangements for implementing the law. The law officially came into force on October 18th, 2024. The accompanying cyber standard is CyFun, developed by the CCB. A presumption of compliance with ISO 27001 may be envisaged.
Key stages
- November 10th, 2023: The Belgian Council of Ministers approves, on first reading, the draft bill to transpose the European NIS 2 directive.
- November 16th, 2023 – December 21st, 2023: the CCB organizes a public consultation on this preliminary draft.
- March 27th, 2024: the NIS 2 transposition bill is approved by the House of Representatives Interior Committee
- April 26th, 2024: the NIS 2 law is voted in plenary session by the House of Representatives and published in the Belgian Official Journal on May 17th, 2024. Official name of the law: law establishing a framework for the cybersecurity of networks and information systems of general interest for public security.
- June 9th, 2024: An implementing Royal Decree is published. This decree sets out the practical arrangements for implementing the law: the arrangements for regular assessment of entities (compulsory for EE and voluntary for IE) and the conditions for accreditation of inspection bodies.
- October 18th, 2024: the law came into force.
National specificities
- Compliance with the CyFun framework, like ISO 27001 certification, will act as a presumption of compliance with NIS 2.
- CyFun offers 4 levels of assurance (Small, Basic, Important, Essential) and comes with 4 tools:
  - Assessment Tool: a questionnaire based on the CyFun mapping to assess whether an entity has achieved the targeted level of security.
  - Risk Analysis Tool: assesses the risks specific to the business sector and determines the level of compliance required.
  - Security Policy Templates: provide a basis for entities with less experience in cybersecurity.
  - CyberFundamentals Framework mapping: provides an overview of requirements and links with other frameworks on the market.
Competent authority(ies)
CCB (Centre for Cybersecurity Belgium)
Maturity level = 3
The Resilience Bill, which includes the transposition of NIS 2, REC and DORA, was presented to the Council of Ministers on October 15th, 2024. The next milestones, which are linked to the approval of the law, are in the hands of Parliament. ANSSI shared a temporary version of a security measures repository in consultations at the end of 2023 (addressing the notion of Regulated Information Systems, or RIS, which may evolve in the final version). The bill will subsequently be accompanied by around twenty implementing decrees. One of these decrees should specify the final version of the security measures.
Key stages
ANSSI has opted for a participatory approach, involving key players in the sector, including industry federations such as UFE (Union Française de l’Électricité), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS etc.).
The consultation phase covered 3 themes:
- September: the scope of entities covered by the law
- October: the methods of interaction between ANSSI and the entities subject to the law
- November: cybersecurity requirements
- May 21st, 2024: the CSNP (Commission Supérieure du Numérique et des Postes) issues an initial opinion containing 14 recommendations on the resilience bill, stressing in particular the importance of defining a clear list of critical and highly critical sectors, as well as prioritising the obligations for entities.
- October 3rd, 2024: the CSNP issues a second opinion with 32 recommendations on the challenges of transposing the NIS 2 Directive, stressing the need to set the deadline for compliance at December 31st, 2027, to conduct a targeted communication campaign aimed at the entities concerned, and to include in the law an adaptability clause for technological developments, particularly those linked to AI.
- October 15th, 2024: a bill on the resilience of critical infrastructures and the strengthening of cyber security is presented to the Council of Ministers.
- Coming soon: the bill must be approved by Parliament.
National specificities
ANSSI plans to set up several online help tools, some of which are available in beta version:
- A tool for assessing an organisation’s eligibility for NIS 2
- A support service for implementing a security approach
- A tool for managing security measures
Competent authority(ies)
ANSSI (French National Agency for Information Systems Security)
Maturity level = 1
Following Brexit, the UK is not directly affected by the NIS 2 directive. However, the Government announced its intention to update current British cybersecurity regulations, including the UK transposition of NIS 1.
Key stages
- 2018: The United Kingdom, then a member of the EU, transposes the European NIS Directive into national law. For each sector of activity concerned, a competent authority (NIS Regulator) has been identified. Guidance containing security measures has also been made available for each sector of activity.
- 2022: Following a public consultation on ways to increase the UK’s cyber resilience, the Government announces its intention to update the NIS Regulations to strengthen national cybersecurity.
- July 17th, 2024: The Government reaffirms its commitment to update existing UK cybersecurity regulations inherited from the EU (including NIS 1) through a Cyber Security and Resilience Bill.
National specificities
The changes envisaged by the Government specifically relate to:
- bringing managed service providers (MSPs) within the scope of regulation to ensure the security of digital supply chains
- improving the reporting of cybersecurity incidents to the authorities
- setting up a cost recovery system to enforce NIS regulations.
Competent authority(ies)
DSIT (Department for Science, Innovation and Technology)
1 regulator per business sector
Maturity level = 3
The transposition bill was submitted to the Chamber of Deputies on March 13th, 2024. The Council of State has published its opinion on the bill with a number of recommendations. The bill has yet to be approved. Information sessions are regularly organized by authorities.
Key stages
- March 2024: A bill transposing NIS 2 is introduced to the Chamber of Deputies.
- April 2024: The Luxemburg Regulatory Institute (LRI) organizes a generic public information-sharing session, followed by a session in September 2024.
- October 2024: The Council of State publishes its opinion on the draft law, making 25 recommendations. It specifically recommends coordination with the Critical Entities Resilience (CER) Directive, warns against the risk of divergence between the LRI and the CSSF (financial sector supervisor) and stresses the need to clarify sanctions.
- Coming soon: The bill must be passed by Parliament.
National specificities
LRI is working on security measures, which should be aligned with or inspired by existing standards (e.g. ISO 27001) or practices in other countries (e.g. the Belgian CyFun standard).
Competent authority(ies)
LRI (Luxemburg Regulatory Institute)
Author
Ouala Barhoumi
Manager – France, Paris
Wavestone