As the updated NIS2 directive takes effect, this article examines how each EU country is progressing in implementing these new cybersecurity measures.
TL;DR
- Stage 4 - Transposed: Countries like Belgium, Hungary, Croatia, and Latvia have successfully transposed NIS2 into national law, meeting the EU requirements.
- Stage 3 - Drafts Submitted: Austria, Cyprus, Czech Republic, Finland, Germany, Greece, Italy, Lithuania, Luxembourg, Netherlands, Poland, Slovakia, Slovenia, and Sweden are in various stages of submitting and approving legislative drafts.
- Stage 2 - Initial Progress: Denmark, France, Ireland, and Romania have started developing their transposition drafts but face delays and incomplete progress.
- Stage 1 - Minimal Progress: Bulgaria, Estonia, Malta, Portugal, and Spain have made little to no progress in the transposition process, with limited information available.
Transposition status of the NIS2 directive: A country-by-country breakdown
As the updated NIS directive comes into force this fall, its implementation marks a significant stride towards bolstering cybersecurity standards across the European Union (EU). This article examines the transposition status of the NIS2 directive in each EU country.
The directive mandates that member states ensure the adoption of appropriate and proportionate measures across various industries to manage risks to the security of network and information systems. One such industry is domain registration. For more information on how these regulations impact domain registrars, visit this article.
Although the implementation deadline is soon, the path to full adoption varies widely across the EU. To provide a comprehensive overview, our analysis breaks down the transposition status into four distinct stages.
Stage 4 - Transposition of NIS2 into national law
The following countries have made the most progress in the transposition process and already have national regulations compliant with EU requirements.
Belgium
On April 18, 2024, the Belgian Parliament adopted an Act compliant with the eu directive (the Transposition Act), with a royal decree subsequently expected to specify the practical details of the law's implementation.
Hungary
The NIS2 law commenced on May 23, 2023, following a consultation phase in February. Specific security measures and further regulations were drafted and reviewed in February 2024, with the remaining parts of the NIS2 implementation set to become effective by October 2024.
Croatia
Cybersecurity Act (Zakon o kibernetičkoj sigurnosti NN 14/2024) came into effect on February 15, 2024.
Latvia
On June 20, 2024, the Latvian Saeima adopted the National Cyber Security Law. This law, which aims to strengthen Latvia's cybersecurity framework, is set to enter into force on September 1, 2024, provided it is approved by the Saeima in three readings.
Stage 3 - Draft has been submitted, waiting for feedback or approval
The following countries are in the process of transposing the directive and have submitted drafts of new legislation or proposed changes to existing laws. These drafts may range from initial submissions to final versions awaiting feedback or approval.
Austria
On June 19, 2024, Austria's Parliament announced the implementation of the eu legislation through the enactment of the Information System Security Act 2024 (NISG 2024) and amendments to both the Telecommunications Act and the Health Telematics Act.
Cyprus
The proposed changes based on Directive (EU) 2022/2555 have been incorporated into the text of Law 89(I)/2020 and have been open for public consultation since August 21, 2023.
Czech Republic
The bill was submitted to the government's Legislative Council at the end of 2023, and the new Act on Cyber Security is expected to come into force in the second half of 2024.
Finland
The first bill was shared for public consultation in November 2023, and on May 23, 2024, the government submitted to Parliament a proposal concerning the national implementation of the EU Directive.
Germany
Germany is making progress with the NIS2UmsuCG (NIS-2 Implementation and Cybersecurity Strengthening Act). A fourth draft bill was published on June 26, 2024, which introduced some key updates and clarifications, including the removal of certain liability provisions for management.
Despite previous expectations of a significant delay, the Federal Ministry of the Interior (BMI) is expediting the process, scheduling cabinet discussions for July 24, 2024. Whether the act will meet the October 17, 2024 deadline remains uncertain and depends on the extent of debates in the Bundestag and Bundesrat.
Greece
A draft law titled "National Cybersecurity Authority and Other Provisions" was made available for public consultation on January 3, 2024.
Italy
On June 10, 2024, the Italian Council of Ministers approved a draft legislative decree to comply with the EU regulation. However, the proposal must undergo further stages, including discussions, potential amendments, and approval by both chambers of Parliament before it becomes law.
Lithuania
A draft amendment to cybersecurity law n°XII-1428 was presented in April 2024 and was open for public consultation until May 7, 2024. The Ministry of National Defence aims to complete the transposition process by the EU deadline.
Luxembourg
On March 13, 2024, a draft law (n°8364) was submitted to the Luxembourg Parliament and is currently under discussion in a committee.
Netherlands
The bill to implement the directive, through what will be called the “Cybersecurity Act”, was shared for public consultation on May 21, 2024 and ended on July 1, 2024. Given the earlier announcement of a delay, it remains uncertain whether the Netherlands will meet the transposition deadline.
Poland
The Polish Ministry of Digital Affairs published a draft amendment to the National Cybersecurity System Act (NCSSA) on April 24, 2024. Public consultations and inter-ministerial agreements for this draft law took place until May 24, 2024.
Slovakia
On May 31, 2024, the National Security Authority (NBU) published the draft legislation. This proposed legislation seeks to amend Act No. 69/2018 Coll. on cybersecurity and related legislation, with the changes anticipated to come into effect on January 1, 2025.
Slovenia
The draft law, known as the new Act on Information Security (ZInfV-1), has been published and was under public consultation until March 18, 2024.
Sweden
On February 23, 2023, the Swedish government appointed a special investigator to propose necessary adjustments to Swedish law.
An interim report, titled "New Rules on Cybersecurity" (SOU 2024:18), was published on March 5, 2024, detailing the proposed adjustments and the introduction of a new law called the Cybersecurity Act. The new Cybersecurity Act, intended to replace the current NIS act, is set to come into force on January 1, 2025.
Stage 2 - Initial stages of development and some progress made
The following countries have made some progress in their transposition process. They are actively working on developing initial drafts of proposed amendments to existing legislation or creating new legislation. These countries have demonstrated a commitment to advancing their compliance efforts.
Denmark
Denmark initially aimed for early adoption of the NIS2 regulations but announced a delay on February 5, 2024. The Ministry of Defense, responsible for the implementation and oversight of the NIS2 transposition, had planned to present the proposed legislation to the Danish Parliament in the first quarter of 2024.
However, due to the complexity and scope of the legislative work, this has been postponed to the next parliamentary session in October 2024. Consequently, Denmark is expected to miss the implementation deadline.
France
Led by the French National Cybersecurity Agency (ANSSI), France is still working on structuring its initial draft, but is yet to propose regulatory amendments covering all decrees of the NIS2 regulatory framework.
Ireland
A bill was initially planned for year-end 2023 but is now delayed until late summer. While no specific dates are available yet, the aim is still to meet the EU transposition deadline.
Romania
The National Cyber Security Directorate, which is responsible for drafting the legislation for the directive’s implementation, initiated a public consultation on certain aspects of the directive until May 10, 2024. However, a fully covering draft is yet to be published.
Stage 1 - Limited information available or minimal progress made
The following countries have either provided little to no public information on their transposition process or have made minimal progress. This may be due to the early stages of development or the scarcity of data found when the analysis was conducted.
Bulgaria
Bulgaria has not yet published a draft bill for the implementation of the cybersecurity directive. The Bulgarian Ministry of Electronic Governance is in charge of the transposition process.
Estonia
Information is limited, but the Estonian Ministry of Economic Affairs and Communications (EMEAC) leading the transposition is reportedly still in the process of drafting legislation to incorporate the EU directive into national law.
Malta
Malta has not yet transposed the NIS2 legislation into domestic law, and the parliamentary legislative process for its approval and implementation has not commenced. The Critical Information Infrastructure Protection Unit (CIIP Unit) is anticipated to oversee the directive's implementation.
Portugal
Portugal is in the early stages of developing regulatory compliance. While the country has begun evaluating the necessary changes to align with the directive, a draft bill has not yet been published.
Spain
The legislative process has not started, and there have been no significant updates or public consultations regarding the directive's transposition into Spanish law.