NIS2: Where do European Countries Stand on Implementing Cybersecurity Strategies?
Updated July 2, 2025
5 minute read | October.31.2024
The Network and Information Security 2 Directive (“NIS2”) was implemented into law in the EU on 17 October 2024 (implementing legislation available here). NIS2 expands the scope of the original NIS legislation to include new sectors that the EU deems critical (Annexes I and II of NIS2 Directive set out a list of services covered by the legislation). For more information about the scope of NIS2, read our “5 Things You Need to Know About NIS2” here.
EU Member States had until 17 October 2024 to implement NIS2 into national law. On 7 May 2025 the Commission sent reasoned opinions to several Member States for failing to notify the full transposition, giving the relevant states two months to respond and take the necessary measures. If they miss this deadline, the Commission may refer the cases to the Court of Justice of the European Union (CJEU). So where do countries stand on implementing NIS2? Here’s a country-by-country look at the status of implementation, current as of this article’s publication date but subject to change.
|
Country |
Status |
Legislation* |
Commentary |
|
Austria |
 |
Available here |
Austria has submitted the “Network and Information Security Act” for Parliament’s consideration. Progress is expected to increase but implementation timeline is unclear. |
|
Belgium |
|
Available here |
Belgium adopted the “Law establishing a framework for the cybersecurity of network and information systems of general interest for public security” on 18 October 2024, implementing NIS2. |
|
Bulgaria |
|
Available here |
Bulgaria has submitted the “Cybersecurity Act” for consideration by Parliament at a national level. After strong criticism at Parliament, heavy amendments are expected. |
|
Croatia |
|
Available here |
Croatia adopted the “Cyber Security Act” on 15 February 2024, implementing NIS2. Awaiting the security authority to issue notices to businesses. |
|
Cyprus |
|
Available here |
Cyprus intends to transpose NIS2 into local law under the amended “Security of Networks and Information Systems Act 2020.” A public consultation closed on 29 September 2023. |
|
Czech Republic |
|
Available here |
The Czech Republic has submitted the “Cybersecurity Act” for consideration by Parliament at a national level. Expected to be passed by Parliament soon. |
|
Denmark |
 |
N/A |
Denmark has held a public consultation on a proposed draft law. Parliament is expected to consider an updated version of the draft law in February 2025. If passed, the law is anticipated to be effective from 1 July 2025. |
|
Estonia |
|
N/A |
The implementation of NIS2 has been delayed. No legislation (draft or otherwise) has been made public. |
|
Finland |
|
Available here |
The Finnish Cyber Security Act was passed by Parliament and entered into force on 8 April 2025. |
|
France |
|
Available here |
France has submitted “Resilience of Critical Infrastructures and the Strengthening of Cybersecurity” act for consideration by Parliament and the Senate at a national level. The Senate adopted the text on 12 March 2025. The text must now be examined by the National Assembly (in principle before July 2025). |
|
Germany |
|
Available here |
Germany has submitted the “NIS2 Implementation and Cybersecurity Enhancement Act” for consideration by Parliament at a national level. |
|
Greece |
|
Available here |
Greece adopted 'Law No.5160/2024' on 29 November 2024, implementing NIS2. |
|
Hungary |
|
Available here |
Hungary adopted the ‘Cybersecurity Act’ on 18 December 2024, implementing NIS2. A secondary piece of legislation dealing with provisional transition will enter into force separately. |
|
Iceland |
|
N/A |
Iceland intends to transpose NIS2 into local law, but no draft legislation has been prepared, and there is no timeline for completion. |
|
Ireland |
|
Available here |
Ireland has submitted the “National Cyber Security Bill” for Parliament to consider. It is listed in the autumn 2024 legislative programme. However, it is unclear when the bill will be approved. |
|
Italy |
|
Available here |
Italy adopted a legislative decree implementing NIS2 on 1 October 2024. |
|
Latvia |
|
Available here |
Latvia adopted the “National Cybersecurity Law” on 1 September 2024, implementing NIS2. Supporting rules and legislation are under consideration. |
|
Lichtenstein |
|
On 1 February 2025, the new Cyber Security Act (CSG) as well as the corresponding Cyber Security Regulation (CSV) entered into force, implementing NIS2 into local law. |
|
|
Lithuania |
|
Available here |
Lithuania adopted the “Law on Cyber Security” on 18 October 2024, implementing NIS2. |
|
Luxembourg |
|
Available here |
Luxembourg has submitted a bill for consideration by Parliament at a national level. |
|
Malta |
|
Available here |
In April 2025, the Maltese Government published a draft order titled "Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order", transposing NIS2 into local law. It is not yet passed. |
|
Netherlands |
|
Available here |
The Netherlands intends to transpose NIS2 into local law under the “Cybersecurity Act.” It is anticipated that the “Cybersecurity Act” will be effective from Q3 2025. |
|
Norway |
|
N/A |
Norway intends to transpose NIS2 into local law under the “Digital Security Act.” A public consultation will close on 11 December 2024. No draft legislation has been published. |
|
Poland |
|
Available here |
Poland has submitted amendments to the “National Cyber Security System Act” (and certain other acts) at a national level. The latest version of the draft was published in April 2025. The draft awaits approval by the Council of Ministers and the Parliament. |
|
Portugal |
|
N/A |
Portugal intends to transpose NIS2 into local law. A public consultation on the draft legislation closed on 31 December 2024, following which the legislation will be approved by the Portuguese Government and Parliament. |
|
Romania |
|
Available here |
Romania adopted the ‘Government Emergency Ordinance (GEO) 155/2024’ on 30 December 2024, implementing NIS2. Note the legislation linked here is to a prior draft of the Government Emergency Ordinance (GEO) 155/2024. Deadlines have been set, but registration process has not been opened by authority. |
|
Slovakia |
|
Available here |
Slovakia transposed NIS2 into local law under the "Cybersecurity Act". The Act came into force on 1 January 2025. |
|
Slovenia |
|
Available here |
Slovenia intends to transpose NIS2 into local law under the “Information Security Act.” On 10 April 2025, the Slovenian government approved the proposal. It is not yet passed. |
|
Spain |
|
Available here |
In January 2025, the Spanish Ministry of Interior approved and published the draft Law on Cybersecurity Coordination and Governance transposing the NIS2 Directive. It is not yet passed. |
|
Sweden |
|
N/A |
According to a Swedish Governmental Official Report dated 5 March 2024, Sweden intends to transpose NIS2 into local law mainly through a new cyber security act. It was anticipated that the new regulation would be transposed into local law by 1 January 2025. However, the formal proposal for the new law is not yet published. |
* Please note that in some instances, legislation (or draft legislation) is only available in local language.
NIS2 implementing legislation has been approved and adopted.
NIS2 implementing legislation is progressing. Legislation has been proposed, but legislation has not yet been approved, and a final copy of the legislation is not available.
NIS2 implementing legislation has not been published, and timelines for implementation of NIS2 are not clear.