NIS2: Where do European Countries Stand on Implementing Cybersecurity Strategies?


5 minute read | October.31.2024

The Network and Information Security 2 Directive (“NIS2”) was implemented into law in the EU on 17 October 2024 (implementing legislation available here). NIS2 expands the scope of the original NIS legislation to include new sectors that the EU deems critical (Annexes I and II of NIS2 Directive set out a list of services covered by the legislation). For more information about the scope of NIS2, read our “5 Things You Need to Know About NIS2” here.

EU Member States had until 17 October 2024 to implement NIS2 into national law. So where do countries stand on implementing NIS2? Here’s a country-by-country look at the status of implementation, current as of this article’s publication date but subject to change.

Country

Status

Legislation*

Commentary

Austria

yellow watch icon

Available here

Austria has submitted the “Network and Information Security Act” for Parliament’s consideration. It is anticipated that the “Network and Information Security Act” will take effect in June 2025.

Belgium

green check icon

Available here

Belgium adopted the “Law establishing a framework for the cybersecurity of network and information systems of general interest for public security” on 18 October 2024, implementing NIS2.

Bulgaria

yellow watch icon

Available here

Bulgaria has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.

Croatia

green check icon

Available here

Croatia adopted the “Cyber Security Act” on 15 February 2024, implementing NIS2.

Cyprus

yellow watch icon

Available here

Cyprus intends to transpose NIS2 into local law under the amended “Security of Networks and Information Systems Act 2020.” A public consultation closed on 29 September 2023.

Czech Republic

yellow watch icon

Available here

The Czech Republic has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.

 

Denmark

red warning icon

N/A

Denmark has held a public consultation on a proposed draft law. Parliament is expected to consider an updated version of the draft law in February 2025. If passed, the law is anticipated to be effective from 1July 2025.

Estonia

red warning icon

N/A

The implementation of NIS2 has been delayed. No legislation (draft or otherwise) has been made public.

Finland

yellow watch icon

Available here

The implementation of NIS2 has been delayed. Legislators have not approved legislation.

France

yellow watch icon

Available here

France has submitted “Resilience of Critical Infrastructures and the Strengthening of Cybersecurity” act for consideration by Parliament and the Senate at a national level. It may take legislators months to finalise this.

Germany

yellow watch icon

Available here

Germany has submitted the “NIS2 Implementation and Cybersecurity Enhancement Act” for consideration by Parliament at a national level. We expect the Act to go into effect in March 2025.

Greece

yellow watch icon

Available here

Greece intends to transpose NIS2 into local law. A public consultation on the draft legislation will close on 2November 2024.

Hungary

yellow watch icon

Available here

Hungary adopted the “Cybersecurity Certification and Cybersecurity Supervision Act,” implementing NIS2. Supporting rules and legislation are under consideration or waiting to be adopted.

Iceland

red warning icon

N/A

Iceland intends to transpose NIS2 into local law, but no draft legislation has been prepared, and there is no timeline for completion.

Ireland

yellow watch icon

Available here

Ireland has submitted the “National Cyber Security Bill” for Parliament to consider. It is listed in the autumn 2024 legislative programme. However, it is unclear when the bill will be approved.

Italy

green check icon

Available here

Italy adopted a legislative decree implementing NIS2 on 1 October 2024.

Latvia

yellow watch icon

Available here

Latvia adopted the “National Cybersecurity Law” on 1 September 2024, implementing NIS2. Supporting rules and legislation are under consideration.

Lichtenstein

yellow watch icon

Available here

Lichtenstein has submitted the “Cybersecurity Law” for consideration by Parliament at a national level.

Lithuania

green check icon

Available here

Lithuania adopted the “Law on Cyber Security” on 18 October 2024, implementing NIS2.

Luxembourg

yellow watch icon

Available here

Luxembourg has submitted a bill for consideration by Parliament at a national level.

Malta

yellow watch icon

Available here

Malta intends to transpose NIS2 into local law under the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order.” A public consultation closed on 7 October 2024.

Netherlands

yellow watch icon

Available here

The Netherlands intends to transpose NIS2 into local law under the “Cybersecurity Act.” It is anticipated that the “Cybersecurity Act” will be effective from Q3 2025.

Norway

red warning icon

N/A

Norway intends to transpose NIS2 into local law under the “Digital Security Act.” A public consultation will close on 11 December 2024. No draft legislation has been published.

Poland

yellow watch icon

Available here

Poland has submitted amendments to the “National Cyber Security System Act” (and certain other acts) for consideration by Parliament at a national level. If passed, the legislation should take effect in Q1 2025.

Portugal

red warning icon

N/A

Portugal has not yet circulated draft legislation, and it is not clear where Portugal stands in the implementation process.

Romania

yellow watch icon

Available here

Romania intends to transpose NIS2 into local law under the “Law on the establishment of a framework for the cyber security of networks and information systems in the national civil cyberspace.” A public consultation is open.

Slovakia

yellow watch icon

Available here

Slovakia intends to transpose NIS2 into local law under the "Cybersecurity Act". The proposed date of effect is 1 January 2025, however the next step is for the legislation to be considered by Parliament.

Slovenia

yellow watch icon

Available here

Slovenia intends to transpose NIS2 into local law under the “Information Security Act.” Legislators are expected to adopt the implementing legislation in December 2024 or January 2025.

Spain

red warning icon

N/A

Spain has not yet circulated draft legislation, and it is not clear where Spain stands in the implementation process.

Sweden

red warning icon

N/A

Sweden intends to transpose NIS2 into local law through a new “Cyber Security Regulation.” It is anticipated that the “Cyber Security Regulation” will be transposed into local law by 1 January 2025.

* Please note that in some instances, legislation (or draft legislation) is only available in local language.

green check icon

NIS2 implementing legislation has been approved and adopted.

yellow watch icon

NIS2 implementing legislation is progressing. Legislation has been proposed, but legislation has not yet been approved, and a final copy of the legislation is not available.

red warning icon

NIS2 implementing legislation has not been published, and timelines for implementation of NIS2 are not clear.