NIS 2: Where are European countries in transposing the directive?

Maturity level = 4

The transposition law was passed by the Belgian Parliament on 26 April 26th, 2024. It is accompanied by a Royal Decree setting out the practical arrangements for implementing the law. The law officially came into force on October 18th, 2024. The accompanying cyber standard is CyFun, developed by the CCB. A presumption of compliance with ISO 27001 may be envisaged.

Key stages

• November 10th, 2023: The Belgian Council of Ministers approves, on first reading, the draft bill to transpose the European NIS 2 directive.
• November 16th, 2023 – December 21st 2023: the CCB organizes a public consultation on this preliminary project
• March 27th, 2024: the NIS 2 transposition bill is approved by the House of Representatives Interior Committee
• April 26th, 2024: the NIS 2 law is voted in plenary session by the House of Representatives and published in the Belgian Official Journal on May 17th, 2024. Official name of the law: law establishing a framework for the cybersecurity of networks and information systems of general interest for public security.
• June 9th, 2024: An implementing Royal Decree is published. This decree sets out the practical arrangements for implementing the law: the arrangements for regular assessment of entities (compulsory for EE and voluntary for IE) and the conditions for accreditation of inspection bodies.
• October 18th,2024: the law came into force

National specificities

• Compliance with the CyFun framework, like ISO 27001 certification, will act as a presumption of compliance with NIS 2.
• CyFun offers 4 levels of insurance (Small, Basic, Import, Essential) and comes with 4 tools:
• Assessment Tool: A questionnaire based on the CyFun mapping to assess whether an entity has achieved the targeted level of security.
• Risk Analysis Tool: assesses the risks specific to the business sector and determines the level of compliance required.
• Security Policy Templates: Provide a basis for entities with less experience in cybersecurity.
• CyberFundamentals Framework mapping: Provides an overview of requirements and links with other frameworks on the market.

Competent authority(ies)
CCB (Centre for Cybersecurity Belgium)

Maturity level = 3

The Resilience Bill, which includes the transposition of NIS 2, REC and DORA, was presented to the Council of Ministers on October 15th 2024. The next milestones linked to the approval of the law by Parliament are in the hand of the Parliament. The ANSSI shared a temporary version of a security measures repository in consultations at the end of 2023 (addressing the notion of Regulated Information Systems or RIS which may evolve in the final version). The project will subsequently be accompanied by around twenty implementing decrees. One of these decrees should specify the final version of the security measures.

Key stages

ANSSI has opted for a participatory approach, involving key players in the sector, including industry federations such as UFE (Union Française de l’Électricité), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS etc.).

The consultation phase covered 3 themes:

• September: the scope of entities covered by the law
• October: the methods of interaction between ANSSI and the entities subject to the law
• November: cybersecurity requirements

May 21th, 2024: the CSNP (Commission Supérieure du Numérique et des Postes) issues an initial opinion containing 14 recommendations on the resilience bill, stressing in particular the importance of defining a clear list of critical and highly critical sectors, as well as prioritising the obligations for entities.

October 3rd, 2024: the CSNP issues a second opinion with 32 recommendations on the challenges of transposing the NIS 2 Directive, stressing the need to set the deadline for compliance December 31st, 2027, to conduct a targeted communication campaign aimed at the entities concerned, and to include in the law an adaptability clause for technological developments, particularly those linked to AI.

October 15th, 2024: A bill on the resilience of critical infrastructures and the strengthening of cyber security is presented to the Council of Ministers.

Coming soon: the bill must be approved by Parliament.

National specificities
ANSSI plans to set up several online help tools, some of which are available in beta version:

• A tool for assessing an organisation’s eligibility for NIS 2
• A support service for implementing a security approach
• A tool for managing security measures

Competent authority(ies)
ANSSI (French National Agency for Information Systems Security)

Maturity level = 1

Following Brexit, the UK is not directly affected by the NIS 2 directive. However, the Government announced its intention to update British current cybersecurity regulations, including the UK transposition of NIS 1.

Key stages

• 2018: The United Kingdom, then a member of the EU, transposes the European NIS Directive into national law. For each sector of activity concerned, a competent authority (NIS Regulator) has been identified. Guidance containing security measures has also been made available for each sector of activity.
• 2022: Following a public consultation on ways to increase the UK’s cyber resilience, the Government announces its intention to update the NIS Regulations to strengthen national cybersecurity.
• July 17th, 2024: The Government reaffirms its commitment to update existing UK cybersecurity regulations inherited from the EU (included NSI 1) through a Cyber Security and Resilience Bill.

National specificities
The changes envisaged by the Government specifically relates to:

• bringing managed service providers (MSPs) within the scope of regulation to ensure the security of digital supply chains
• improving the reporting of cybersecurity incidents to the authorities
• setting up a cost recovery system to enforce NIS regulations.

Competent authority(ies)
DSIT (Department for Science, Innovation and Technology)
1 regulator per business sector

Maturity level = 3

The transposition bill was submitted to the Chamber of Deputies on March 13th, 2024. The Council of State has published its opinion on the bill with a number of recommendations. The bill has yet to be approved. Information sessions are regularly organized by authorities.

Key stages

• March 2024: A bill transposing NIS 2 is introduced to the Chamber of Deputies.
• April 2024: The Luxemburg Regulatory Institute (LRI) organizes a generic public information-sharing session, followed by a session in September 2024.
• October 2024: The Conseil of State publishes its opinion on the draft law, making 25 recommendations. it specifically recommends coordination with the Directive on the Critical Entities Resilience (CER), warns against the risk of divergence between the LRI and the CSSF (financial sector supervisor) and stresses the need to clarify sanctions.
• Coming soon: The bill must be passed by Parliament.

National specificities
LRI is working on security measures, which should be aligned with or inspired by existing standards (e.g. ISO 270001) or practices in other countries (e.g. the Belgian CyFun standard).

Competent authority(ies)
LRI (Luxemburg Regulatory Institute)