NIS2 in EU Countries
The EU NIS2 directive has to be transposed by EU member states into national law until October 17, 2024. State of completion of NIS2 law differs significantly between EU member states. Some countries have final drafts or enacted law, others have scant public information.
Implementations of NIS2 diverge between member states in many details – sectors and entities are defined differently, obligations are interpreted in multiple ways. Audit obligations will sometimes be fulfilled by operators, sometimes by authorities, sometimes not at all.
EU NIS2 Implementation in EU Member States
Discussion on NIS2 implementations: CZ, FI, FR, DE, HU, PL
Webinar ∙ Register on LinkedIn ∙ English ∙ August 29, 2024
National legislation for NIS2 varies a lot throughout EU member states. Some laws and acts are available or already implemented, others are still in draft and non-public. We will add country-specific pages in English as information becomes available.
Implementation in EU member states
| Country | National implementation | Country-specific |
|---|---|---|
| Austria | Public draft published, implementation until October National implementation through Federal Interior Ministry BMI (Bundesminister für Inneres) |
Extensive FAQ pages, initiatives for SMEs |
| Belgium | Published in Belgian Official Journal, entry into force on October 18, 2024 |
Different options to provide evidence, evidence deadline 18 months, registration deadlines 2 - 5 months |
| Croatia | Final draft published, consultation finished National implementation by the Office of the National Security Council. |
Many obligations also for important entities, no 24/74h reporting obligations, transition period 9 months |
| Czech Republic | Final draft published, consultation finished National implementation by Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB), national agency for cyber and information security. |
Law in two parts, many specific requirements for risk management measure, entities + strategic services |
| Germany | Multiple drafts, consultation with businesses ongoing, commencement of law might be delayed Federal interior ministry responsible for NIS2UmsuCG amending existing law (KRITIS), regulated by Bundesamt für Sicherheit in der Informationstechnik, BSI. |
More sectors, additional KRITIS operators, some audits, no transition periods |
| Hungary | Commenced since May 2023, additional decrees until October 2024. Cyber security oversight through Szabályozott Tevékenységek Felügyeleti Hatósága (SZTFH). |
Many separate government decrees, deadlines from June 2024, security classes instead of essential und important |
| Finland | Final draft published and submitted to parliament by the Ministry of Transport and Communications (LVM) | No regular audits, registration starts January 2025 |
| France | One draft, few public information National implementation through Agence nationale de la sécurité des systemes d'information (ANSSI). |
FAQ available on scope and obligations |
| Italy | No draft known, timeline unknown Regulation through Agenza per la cybersicurezza nazionale (ACN). |
|
| Netherlands | Draft in progress, consultation Q1/2024 National implementation by Rijksinspectie Digitale Infrastructuur (RDI), probably by extending the existing NIS law. |
NIS2 evaluation tool |
| Poland | One draft from April 2024 Amends the existing NCSSA (NIS) law, steered by the Ministry of Digital Affairs currently awaiting comments from many other authorities |
ISO 27001 and 22301 standards mentioned, audit obligations, complex regulation structure, many sector-specific government bodies involved in supervision |
| Sweden | Draft expected February 2024 National implementation through Swedish Post and Telecom Authority (PTS). |
National differences
There are differences between countries in implementing NIS2 as well as differences to the EU directive itself. Some examples for country-specific differences as follows.
Sectors
EU NIS2 defines economic sectors in Annex I and II that are implemented differently in national implementations. Some countries define additional sectors like Croatia and Czech Republic.
| Sector | Differences | |
|---|---|---|
| Germany | IT and Telco | Includes Digital Infrastructure and ICT Service Management (and more) |
| Public Administration | Only parts of the federal government | |
| Subsector Gasversorgung | Combines Gas and Hydrogen | |
| KRITIS sectors | Additional sector definitions | |
| Finland | Banking, Financial market infrastructure | Definition missing |
| Croatia | EducationSustav Obrazovanja |
Additional sector |
| Czech Republic | Military industryVojenský Průmysl |
Additional sector |
Water administrationVodní Hospodářství |
Combines Water and Waster water | |
Financial marketFinanční Trh |
Combines Banking and Financial market infrastructures | |
Digital infrastructure and servicesDigitální Infrastruktura a Služby |
Combines Digital infrastruktur and ICT service management | |
| Hungary | Public transportationTömegközlekedés |
Additional sector |
| Banking, Financial market infrastructures, Public administration | Definition missing | |
Water serviceVíziközmű szolgáltatás |
Combines Water and Waste water | |
Digital infrastructureDigitális infrastruktúra |
Implements partially Digital infrastructure | |
Communication servicesHírközlési szolgáltatás |
Implements partially Digital infrastructure | |
Production of cement, lime, plasterCement-, mész-, gipszgyártás |
Additional sector | |
| Poland | EnergyEnergia |
Additional subsectors Oil and fuel, Supplies and services for the Energy sector, wider scope in Mineral extraction subsector. |
Banking and financial market infrastructure Bankowość i infrastruktura rynków finansowych |
Sectors combined | |
Public administrationAdministracja publiczna |
Wide scope of government bodies | |
Production, manufacture and distribution of chemicalsProdukcja, wytwarzanie i dystrybucja chemikaliów |
Moved to Annex I | |
Food production, processing and distributionProdukcja, przetwarzanie i dystrybucja żywności |
Moved to Annex I | |
ProductionProdukcja |
Moved to Annex I |
Obligations
National NIS2 implementations contain very similar definitions of NIS2 obligations for entities. The following table lists important articles and paragraphs from the national laws (drafts).
| Scope | Measures | Reporting | Registration | Audits | |
|---|---|---|---|---|---|
| Belgium | Art. 3, 9, 10 | Art. 30 | Art. 34 | Art. 13, 14 | Art. 39, 41 |
| Croatia | §§ 9, 10 | § 30 |
§ 37 | §§ 20, 23 | § 34 |
| Czech Republic | §§ 3, 4, 5, 7, 8 | §§ 13, 14 + decrees |
§§ 15, 16, 17 | § 6, 11 | § 17 decree for essential |
| Finland | § 3 | §§ 7, 8, 9 | §§ 11 - 18 | §§ 41 | § 30 |
| Germany | § 28 | § 30 | § 31 | §§ 32, 33 | § 34 |
| Hungary | § 17 | §§ 19, 20 + more |
§ 27 | § 26 + edict |
§§ 23, 26 (3) |
| Poland | §§ 4, 5 | §§ 8, 9, 10 | §§ 11, 12, 13 | § 7 | §§ 15, 16 |
Further Information
Literature
- NISD 2 Tracker, Bird & Bird LLP, 24.11.2023
- NIS 2 Directive Transposition, Cyber Risk GmbH, 24.11.2023