NIS2 in EU Countries
The EU NIS2 directive has to be transposed by EU member states into national law until October 17, 2024. State of completion of NIS2 law differs significantly between EU member states. Some countries have final drafts or enacted law, others have scant public information.
Implementations of NIS2 diverge between member states in many details – sectors and entities are defined differently, obligations are interpreted in multiple ways. Audit obligations will sometimes be fulfilled by operators, sometimes by authorities, sometimes not at all.
EU NIS2 Implementation in EU Member States
Discussion on NIS2 implementations: CZ, FI, FR, DE, HU, PL
Webinar ∙ Register on LinkedIn ∙ English ∙ August 29, 2024
National legislation for NIS2 varies a lot throughout EU member states. Some laws and acts are available or already implemented, others are still in draft and non-public. We will add country-specific pages in English as information becomes available.
Implementation in EU member states
| Country | National implementation | Country-specific |
|---|---|---|
| Austria | Public draft published, implementation expected in 2025 National implementation through Federal Interior Ministry BMI (Bundesminister für Inneres) |
Extensive FAQ pages, initiatives for SMEs |
| Belgium | Published in Belgian Official Journal, entry into force on October 18, 2024 |
Different options to provide evidence, evidence deadline 18 months, registration deadlines 2 - 5 months |
| Croatia | Published in Croatian Offical Journal in Febuary 2024 National implementation by the Office of the National Security Council. |
Many obligations also for important entities, no 24/74h reporting obligations, transition period 9 months |
| Czech Republic | Final draft published, pending further deliberation National implementation by Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB), national agency for cyber and information security. |
Law in two parts, many specific requirements for risk management measure, entities + strategic services |
| Germany | Government draft published, adoption pending Federal interior ministry responsible for NIS2UmsuCG amending existing law (KRITIS), regulated by Bundesamt für Sicherheit in der Informationstechnik, BSI. |
More sectors, additional KRITIS operators, some audits, no transition periods |
| Hungary | Commenced since May 2023, additional decrees in force since October 2024. Cyber security oversight through Szabályozott Tevékenységek Felügyeleti Hatósága (SZTFH). |
Many separate government decrees, deadlines from June 2024, security classes instead of essential und important |
| Finland | Final draft published and submitted to parliament by the Ministry of Transport and Communications (LVM), consultations ongoing, further timeframe unknown | No regular audits, registration starts January 2025 |
| France | One draft, few public information National implementation through Agence nationale de la sécurité des systemes d'information (ANSSI). |
FAQ available on scope and obligations, draft on concrete security measures leaked |
| Italy | In force since October 2024 Regulation through Agenza per la cybersicurezza nazionale (ACN). |
More sectors, sector-specific authorities, annual registration periods, registration start January 2025 |
| Netherlands | Public consultation ended, consultation by Council of State next National implementation by Rijksinspectie Digitale Infrastructuur (RDI), probably by extending the existing NIS law. |
NIS2 evaluation tool |
| Poland | One draft from April 2024, under review by several committees Amends the existing NCSSA (NIS) law, steered by the Ministry of Digital Affairs currently awaiting comments from many other authorities |
ISO 27001 and 22301 standards mentioned, audit obligations, complex regulation structure, many sector-specific government bodies involved in supervision |
| Sweden | Recommendation report published in march 2024, draft law expected spring 2025, enforcement in summer 2025 (earliest) National implementation through Swedish Post and Telecom Authority (PTS). |
National differences
There are differences between the member states in implementing NIS2 as well as differences to the EU directive itself. Some examples for country-specific differences as follows.
Sectors
EU NIS2 defines economic sectors in Annex I and II that are implemented differently in national implementations. Some countries define additional sectors.
| Sector | Differences | |
|---|---|---|
| Germany | IT and Telco | Includes Digital Infrastructure and ICT Service Management (and more) |
| Public Administration | Only parts of the federal government | |
| Subsector Gasversorgung | Combines Gas and Hydrogen | |
| KRITIS sectors | Additional sector definitions | |
| Finland | Banking, Financial market infrastructure | Definition missing |
| Croatia | EducationSustav Obrazovanja |
Additional sector |
| Czech Republic | Military industryVojenský Průmysl |
Additional sector |
Water administrationVodní Hospodářství |
Combines Water and Waster water | |
Financial marketFinanční Trh |
Combines Banking and Financial market infrastructures | |
Digital infrastructure and servicesDigitální Infrastruktura a Služby |
Combines Digital infrastruktur and ICT service management | |
| Hungary | Public transportationTömegközlekedés |
Additional sector |
| Banking, Financial market infrastructures, Public administration | Definition missing | |
Water serviceVíziközmű szolgáltatás |
Combines Water and Waste water | |
Digital infrastructureDigitális infrastruktúra |
Implements partially Digital infrastructure | |
Communication servicesHírközlési szolgáltatás |
Implements partially Digital infrastructure | |
Production of cement, lime, plasterCement-, mész-, gipszgyártás |
Additional sector | |
| Italy | Public AdministrationAmministrazioni centrali, regionali, locali e di altro tipo |
Listed in separate Annex III Only central government will become essential |
Local public transport servicesSoggetti che forniscono servizi di trasporto pubblico locale |
Additional sector; Annex IV | |
Researching educational institutionsIstituti di istruzione che svolgono attività di ricerca |
Additional sector; Annex IV | |
Activities of Cultural InterestSoggetti che svolgono attività di interesse culturale |
Additional sector; Annex IV | |
In-house companies, subsidiaries, and publicly controlled companiesSocietà in house, società partecipate e società a controllo pubblico |
Additional sector; Annex IV | |
| Poland | EnergyEnergia |
Additional subsectors Oil and fuel, Supplies and services for the Energy sector, wider scope in Mineral extraction subsector. |
Banking and financial market infrastructure Bankowość i infrastruktura rynków finansowych |
Sectors combined | |
Public administrationAdministracja publiczna |
Wide scope of government bodies | |
Production, manufacture and distribution of chemicalsProdukcja, wytwarzanie i dystrybucja chemikaliów |
Moved to Annex I | |
Food production, processing and distributionProdukcja, przetwarzanie i dystrybucja żywności |
Moved to Annex I | |
ProductionProdukcja |
Moved to Annex I |
Obligations
National NIS2 implementations contain very similar definitions of NIS2 obligations for entities. The following table lists important articles and paragraphs from the national laws (mostly drafts).
| Scope | Measures | Reporting | Registration | Audits | |
|---|---|---|---|---|---|
| Belgium | Art. 3, 9, 10 | Art. 30 | Art. 34 | Art. 13, 14 | Art. 39, 41 |
| Croatia | §§ 9, 10 | § 30 |
§ 37 | §§ 20, 23 | § 34 |
| Czech Republic | §§ 3, 4, 5, 7, 8 | §§ 13, 14 + decrees |
§§ 15, 16, 17 | § 6, 11 | § 17 decree for essential |
| Finland | § 3 | §§ 7, 8, 9 | §§ 11 - 18 | §§ 41 | § 30 |
| France | § 8 | §§ 11, 12 + guideline |
§§ 13, 14 | § 9 | §§ 17 - 24 |
| Germany | § 28 | § 30 | § 31 | §§ 32, 33 | § 34 |
| Hungary | § 17 | §§ 19, 20 + more |
§ 27 | § 26 + edict |
§§ 23, 26 (3) |
| Italy | Art. 3, 6 | Art. 24 | Art. 25 | Art. 7 | Art. 35 |
| Poland | §§ 4, 5 | §§ 8, 9, 10 | §§ 11, 12, 13 | § 7 | §§ 15, 16 |
Further Information
Literature
- NISD 2 Tracker, Bird & Bird LLP, 24.11.2023
- NIS 2 Directive Transposition, Cyber Risk GmbH, 24.11.2023
- Navigating cybersecurity compliance - EU NIS2 Directive, Eversheds Sutherland, 19.11.2024
- NIS2 Article 28 Tracker, DNS Research Federation, 19.11.2024