NIS 2: Where are European countries in transposing the directive?
Published November 21, 2024
- Cybersecurity
All European Union (EU) countries must transpose the NIS 2 (Network and Information Security) directive into their national law.
Cyber criminals are getting increasingly efficient as they develop better tools, affecting a growing number of organizations that are all too often inadequately prepared. NIS 2 consolidates the NIS framework for improved security. This new European regulation drastically broadens the range of entities covered. It affects companies in a wide range of sectors and sizes, from SMEs to large corporations. This wider scope is undoubtedly a challenge for national authorities, who must transpose the text and define security requirements that will apply to a diverse range of organizations.
Despite the transposition deadline set by the European Commission for October 17, 2024, EU countries have achieved uneven levels of progress. They have also, on occasion, adopted different approaches to transposition (e.g. public vs. closed consultation, alignment with pre-existing national laws, varying degrees of communication including the provision of online help tools for entities).
This article compares the level of transposition in each member State as of October 18, 2024.
Heterogeneous progress in transposition
This map, updated on October 18, 2024, shows the maturity levels of all European countries with regard to the NIS2 Directive.
Maturity level 1: Little progress or limited information available on the transposition process
The countries concerned are: United Kingdom, Spain
Maturity level 2: A mid-term advancement and significant key events
The countries concerned are: Sweden, Ireland, Netherlands, Portugal, Estonia, Poland, Slovakia, Slovenia, Bulgaria, Greece, Cyprus, Malta
Maturity level 3: Ongoing analysis of a draft law by legislative authorities
The countries concerned are: Denmark, Luxembourg, France, Austria, Finland, Germany, Czech Republic, Romania
Maturity level 4: Law approved
The countries concerned are: Belgium, Italy, Latvia, Lithuania, Hungary, Croatia
Countries at maturity level 4
Maturity level 4 countries are those that approved their NIS 2 transposition before the European Commission’s deadline (law approved).
The countries concerned are: Belgium, Italy, Latvia, Lithuania, Hungary, Croatia
Belgium
- The law was approved by the Federal Parliament on April 18th, 2024 and the implementing Royal Decree, which sets out the practical details of its implementation, was signed on June 9th, 2024.
- The law came into force on October 18th, 2024, and the compliance deadlines range from 5 to 30 months.
- Security measures are based on the CCB’s CyFun® standard.
Italy
- Legislative Decree No. 138 transposing the NIS 2 Directive was approved on September 4th and came into force on October 16th, 2024.
- Once their registration has been validated by ACN, entities will have 9 months to comply with the obligation to report incidents and 18 months to implement security measures.
Latvia
- The National Cyber Security Law was passed by Parliament on June 20th and came into force on September 1st, 2024.
- Entities will have to register before April 1st, 2025 and start reporting incidents from July 1st, 2025.
Lithuania
- Cybersecurity Act N°XII-1428 was passed on July 11th and came into force on October 17th, 2024.
- The government will have to provide implementing regulations for this law.
Hungary
- On May 15th, 2023, the Hungarian Parliament enacted Act XXIII on cybersecurity certification and cybersecurity supervision.
- The law was subsequently completed by a regulation specifying IS classification criteria and the security measures associated with each level.
- By the end of 2024, entities must notify and select an audit body from the list provided by the authority. A first audit must be carried out by December 31st, 2025 at the latest, followed by subsequent audits every two years.
Croatia
- Coming into force on February 15th 2024, the Croatian Cyber Security Act (CSA or Zakon o kibernetičkoj sigurnosti no. 14/2024) partially transposes NIS 2.
- The competent authorities for each sector of activity must notify the entities affected by the law by February 2025 at the latest. Thereafter, these entities have a statutory period of 30 days to report their security incidents and a period of 1 year to comply with the other requirements.
- In order to complete the transposition of NIS 2, the Croatian Government must enact additional regulations.
Countries at maturity level 3
Countries at maturity level 3 are those that have made significant progress in the transposition process (draft legislation currently being proposed to the legislative authorities).
The countries concerned are: Denmark, Luxembourg, France, Austria, Finland, Germany, Czech Republic, Romania
Denmark
In July 2024, the Ministry of Defence put a draft law out to consultation aimed at implementing NIS 2 in various sectors (excluding energy, telecommunications and finance). For the latter 3 sectors, respective bills are either currently being examined or have already been approved by Parliament.
Luxembourg
- A bill was submitted to the Chamber of Deputies on March 13th, 2024, which issued an opinion. The Council of State also published its opinion in October 2024. These include recommendations and requests for clarification, such as the clarification of deadlines and sanctionable behaviour.
- The Luxemburg Regulatory Institute also organizes regular public information sessions.
France
- The transposition of NIS 2 is planned through a draft law on resilience, which also aims to implement the CER (critical entities resilience) and DORA directives.
- Following the dissolution of the National Assembly in June 2024, the timetable has been affected. The project was presented to the Council of Ministers on October 15th, 2024 and the subsequent stages are in the hands of Parliament.
Austria
The first bill to transpose the NIS 2 Directive was rejected by the National Council on July 4th, 2024. Following this, the text was revised and resubmitted to the National Council in September 2024.
Finland
- A bill has been before Parliament since May 2024.
- The obligations applicable to private companies and those for the public sector should be detailed in 2 specific laws. Similarly, 2 regulators will be responsible for monitoring these entities.
Germany
- The 5th version of the transposition bill (NIS2UmsuCG) was accepted by the federal government on July 24th, 2024 and still has to be approved by the federal parliament.
- These regulations will reinforce the IT Security Act 2.0, the current German law on critical entities.
Czech Republic
- The transposition bill was approved by the government on July 17th, 2024 and submitted to Parliament. Once approved by the Chamber of Deputies, it will also need to be approved by the Senate and signed by the President of the Republic.
- It is accompanied by three proposals for decrees to clarify, among other things, the security rules and registration procedures for entities.
Romania
The bill was submitted to Parliament on August 15th, 2024. This law will repeal the existing one (Law 362/2018).
Countries at maturity level 1 & 2
Countries at maturity levels 1 and 2 are those at the beginning (1) or middle (2) of the transposition process.
Maturity level 1: Little progress or limited information available on the transposition process
The countries concerned are: United Kingdom, Spain
Maturity level 2: A mid-term advancement and significant key events
The countries concerned are: Sweden, Ireland, Netherlands, Portugal, Estonia, Poland, Slovakia, Slovenia, Bulgaria, Greece, Cyprus, Malta
Sweden
A Committee of Inquiry, appointed by the Government to study the adaptation of NIS 2 to Swedish legislation, issued a report in March 2024. One of its recommendations was to replace Law 2018:1174, which implements NIS 1, with a new law to better incorporate the directive’s developments.
Ireland
A draft bill is currently being prepared. The broad outline of the bill was published on the Department of the Environment, Climate and Communications (DECC) website in September 2024.
United Kingdom
The UK plans to develop its local NIS even though it is no longer a member of the EU.
Netherlands
Transposition would require an amendment to the current Wbni law. A draft bill has been published for public consultation from May to June 2024.
Portugal
The Council of Ministers approved an initial draft bill on 24 October 2024, which will be the subject of a public consultation in November before being submitted to Parliament.
Spain
Spain organised a public consultation at the end of 2023. The National Cryptologic Centre (CCN-CERT) published a compliance profile in April 2024 to help companies prepare for the transposition.
Estonia
Following a series of public consultations in June 2023, Estonia is expected to present a draft amendment to the 2018 Cybersecurity Act to Parliament in the near future.
Poland
A bill to amend the existing law on the National Cybersecurity System has been put out to public consultation until May 2024.
Slovakia
The transposition of NIS 2 will require an update of the current law No. 69 on cybersecurity. A draft amendment to this law was submitted by the National Security Authority on May 30th, 2024 for interministerial consultation.
Slovenia
The bill was put out to public consultation in February and again in May 2024.
Bulgaria
Amendments to the Cybersecurity Act 2018 were subject to public consultation over the summer of 2024.
Greece
NIS 2 is being transposed by means of a draft law that will repeal and replace Law No. 4577/2018. The Minister for Digital Governance presented this draft to the Council of Ministers on August 28th, 2024.
Cyprus
At the end of 2023, the Digital Security Authority (DSA) publicly announced the amendments it was considering to the Network and Information Systems Security Act No. 89 of 2020.
Malta
A draft bill has been shared for public consultation from September to October 2024.
Focus on selected European countries
Germany
Maturity level = 3
The NIS 2 bill (NIS2UmsuCG) was approved by the German Federal Government on July 24th, 2024. However, it still has to be passed by the Federal Parliament before it comes into force, estimated for March 2025.
Key stages
- April 2023: first version of the bill
- July 2023: second version of the bill
- December 2023: third version of the bill
- May 2024: fourth version of the bill
- July 2024: fifth version of the bill approved by the Federal Government (Bundesregierung)
- September 2024: the Federal Council (Bundesrat) publishes its opinion on the draft law transposing NIS 2
- October 2024: the bill is submitted to Parliament (Bundestag)
- March 2025: estimated entry into force (to be confirmed)
National specificities
In Germany, the BSI Act, adopted in 1991, gives the BSI the mandate to guarantee IS security.
The IT Security Act, enacted in 2015 and updated in 2021 with the IT Security Act 2.0, extends the responsibilities of the BSI and imposes security measures on operators of critical infrastructures. At the same time, the KRITIS regulation designates a list of critical sectors within the German economy (energy, water, food, health, etc.) and reinforces the security measures to be applied by these entities.
Germany has clarified the categories of entities that will be affected by NIS2 in relation to KRITIS. NIS 2 will concern 2 categories of entities:
- particularly important entities (made up of KRITIS entities and Essential Entities as designated by NIS 2 directive)
- important entities (made up of Important Entities as designated by NIS 2 directive).
BSI provides recommendations for anticipating the arrival of the German NIS 2, including the nomination of persons in charge of coordinating cybersecurity within the entity, and an initial assessment of cybersecurity maturity.
Competent authority(ies)
BSI (Bundesamt für Sicherheit in der Informationstechnik)
Belgium
Maturity level = 4
The transposition law was passed by the Belgian Parliament on April 26th, 2024. It is accompanied by a Royal Decree setting out the practical arrangements for implementing the law. The law officially came into force on October 18th, 2024. The accompanying cyber standard is CyFun, developed by the CCB. A presumption of compliance with ISO 27001 may be envisaged.
Key stages
- November 10th, 2023: The Belgian Council of Ministers approves, on first reading, the draft bill to transpose the European NIS 2 directive.
- November 16th, 2023 – December 21st 2023: the CCB organizes a public consultation on this preliminary project
- March 27th, 2024: the NIS 2 transposition bill is approved by the House of Representatives Interior Committee
- April 26th, 2024: the NIS 2 law is voted in plenary session by the House of Representatives and published in the Belgian Official Journal on May 17th, 2024. Official name of the law: law establishing a framework for the cybersecurity of networks and information systems of general interest for public security.
- June 9th, 2024: An implementing Royal Decree is published. This decree sets out the practical arrangements for implementing the law: the arrangements for regular assessment of entities (compulsory for EE and voluntary for IE) and the conditions for accreditation of inspection bodies.
- October 18th, 2024: the law came into force
National specificities
- Compliance with the CyFun framework, like ISO 27001 certification, will act as a presumption of compliance with NIS 2.
- CyFun offers 4 levels of assurance (Small, Basic, Important, Essential) and comes with 4 tools:
  - Assessment Tool: A questionnaire based on the CyFun mapping to assess whether an entity has achieved the targeted level of security.
  - Risk Analysis Tool: Assesses the risks specific to the business sector and determines the level of compliance required.
  - Security Policy Templates: Provide a basis for entities with less experience in cybersecurity.
  - CyberFundamentals Framework mapping: Provides an overview of requirements and links with other frameworks on the market.
Competent authority(ies)
CCB (Centre for Cybersecurity Belgium)
France
Maturity level = 3
The Resilience Bill, which includes the transposition of NIS 2, CER and DORA, was presented to the Council of Ministers on October 15th, 2024. The next milestones, which depend on approval of the law, are in the hands of Parliament. ANSSI shared a temporary version of a security measures repository in consultations at the end of 2023 (addressing the notion of Regulated Information Systems, or RIS, which may evolve in the final version). The bill will subsequently be accompanied by around twenty implementing decrees. One of these decrees should specify the final version of the security measures.
Key stages
ANSSI has opted for a participatory approach, involving key players in the sector, including industry federations such as UFE (Union Française de l’Électricité), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS etc.).
The consultation phase covered 3 themes:
- September: the scope of entities covered by the law
- October: the methods of interaction between ANSSI and the entities subject to the law
- November: cybersecurity requirements
May 21st, 2024: the CSNP (Commission Supérieure du Numérique et des Postes) issues an initial opinion containing 14 recommendations on the resilience bill, stressing in particular the importance of defining a clear list of critical and highly critical sectors, as well as prioritising the obligations for entities.
October 3rd, 2024: the CSNP issues a second opinion with 32 recommendations on the challenges of transposing the NIS 2 Directive, stressing the need to set the deadline for compliance at December 31st, 2027, to conduct a targeted communication campaign aimed at the entities concerned, and to include in the law an adaptability clause for technological developments, particularly those linked to AI.
October 15th, 2024: A bill on the resilience of critical infrastructures and the strengthening of cyber security is presented to the Council of Ministers.
Coming soon: the bill must be approved by Parliament.
National specificities
ANSSI plans to set up several online help tools, some of which are available in beta version:
- A tool for assessing an organisation’s eligibility for NIS 2
- A support service for implementing a security approach
- A tool for managing security measures
Competent authority(ies)
ANSSI (French National Agency for Information Systems Security)
United Kingdom
Maturity level = 1
Following Brexit, the UK is not directly affected by the NIS 2 directive. However, the Government has announced its intention to update current British cybersecurity regulations, including the UK transposition of NIS 1.
Key stages
- 2018: The United Kingdom, then a member of the EU, transposes the European NIS Directive into national law. For each sector of activity concerned, a competent authority (NIS Regulator) has been identified. Guidance containing security measures has also been made available for each sector of activity.
- 2022: Following a public consultation on ways to increase the UK’s cyber resilience, the Government announces its intention to update the NIS Regulations to strengthen national cybersecurity.
- July 17th, 2024: The Government reaffirms its commitment to update existing UK cybersecurity regulations inherited from the EU (including NIS 1) through a Cyber Security and Resilience Bill.
National specificities
The changes envisaged by the Government specifically relate to:
- bringing managed service providers (MSPs) within the scope of regulation to ensure the security of digital supply chains
- improving the reporting of cybersecurity incidents to the authorities
- setting up a cost recovery system to enforce NIS regulations.
Competent authority(ies)
DSIT (Department for Science, Innovation and Technology)
1 regulator per business sector
Luxembourg
Maturity level = 3
The transposition bill was submitted to the Chamber of Deputies on March 13th, 2024. The Council of State has published its opinion on the bill with a number of recommendations. The bill has yet to be approved. Information sessions are regularly organized by authorities.
Key stages
- March 2024: A bill transposing NIS 2 is introduced to the Chamber of Deputies.
- April 2024: The Luxemburg Regulatory Institute (LRI) organizes a generic public information-sharing session, followed by a session in September 2024.
- October 2024: The Council of State publishes its opinion on the draft law, making 25 recommendations. It specifically recommends coordination with the Directive on Critical Entities Resilience (CER), warns against the risk of divergence between the LRI and the CSSF (financial sector supervisor) and stresses the need to clarify sanctions.
- Coming soon: The bill must be passed by Parliament.
National specificities
LRI is working on security measures, which should be aligned with or inspired by existing standards (e.g. ISO 27001) or practices in other countries (e.g. the Belgian CyFun standard).
Competent authority(ies)
LRI (Luxemburg Regulatory Institute)
Author
Ouala Barhoumi
Manager – France, Paris
Wavestone