NIS2 in EU Countries
The EU NIS2 directive has to be transposed by EU member states into national law until October 17, 2024. State of completion of NIS2 law differs significantly between EU member states. Some countries have final drafts or enacted law, others have scant public information.
- Overview
- Belgium
- Croatia
- Czech Republic
- Finland
- France
- Germany
- Hungary
- Italy
- Poland
- United Kingdom
- Differences
Implementations of NIS2 diverge between member states in many details – sectors and entities are defined differently, obligations are interpreted in multiple ways. Audit obligations will sometimes be fulfilled by operators, sometimes by authorities, sometimes not at all.
EU NIS2 Implementation in EU Member States
Discussion on NIS2 implementations: CZ, FI, FR, DE, HU, PL
Webinar ∙ Register on LinkedIn ∙ English ∙ August 29, 2024
National legislation for NIS2 varies a lot throughout EU member states. Some laws and acts are available or already implemented, others are still in draft and non-public. We will add country-specific pages in English as information becomes available.
Implementation in EU member states
| Country | National implementation | Country-specific |
|---|---|---|
| Austria | Public draft published, implementation expected in 2025 National implementation through Federal Interior Ministry BMI (Bundesminister für Inneres) |
Extensive FAQ pages, initiatives for SMEs |
| Belgium | Published in Belgian Official Journal, entry into force on October 18, 2024 |
Different compliance options, evidence deadline 18 months, registration deadlines |
| Bulgaria | Draft law available from December 2024. First reading of draft law took place in February 2025, second vote report is pending. Entry into force currently unknown. | |
| Croatia | Published in Croatian Offical Journal in Febuary 2024. | Many obligations for important entities, no 24/74h reporting obligations, transition period |
| Cyprus | Implementation entered into force in April 2025. | |
| Czech Republic | Signed by the president and delivered to the chamber of deputies on June 26, pending publication in official journal. |
Law in two parts, many specific requirements for risk management measures, entities + strategic services |
| Denmark | Implementation in force since July 1, 2025. | |
| Estonia | Planned entry into force in July 2025 missed due to coalition breakup. | |
| Finland | In force since April 8, 2025 | No regular audits, registration starts January 2025 |
| France | Draft law available from March 2024. | National implementation of NIS2, RCE and DORA in a single regulation. |
| Germany | Many drafts published, adoption pending government formation. NIS2UmsuCG amends existing KRITIS law. |
More sectors, additional KRITIS operators, some audits, no transition periods |
| Greece | Implementation in force since November 2024. Article 3 on affected entities enters into force in November 2025. | |
| Hungary | Commenced since May 2023, additional decrees in force since October 2024. Not yet completely implemented. |
Many separate government decrees, deadlines from June 2024, security classes instead of essential und important |
| Ireland (Republic of Ireland) | General scheme published in August 2024. Transposition in planned by the end of 2025. | |
| Italy | In force since October 2024, after very few public drafts. | More sectors, sector-specific authorities, annual registration periods, registration started January 2025 |
| Latvia | Tranposition entered into force in September 2024. | |
| Lithuania | National implementation in force since October 18, 2024. | |
| Luxembourg | Draft law was published in March 2025 and is under development. Committee report and subsequent first vote in Chamber of Deputies pending. | |
| Malta | Transposition published in Official Journal, though entry into force is currently unknown. | |
| Netherlands | Expected entry into force in Q2 2026, ongoing examination by standing committee of the House of Representatives. Likely amendment of the existing NIS law. Draft law available from June 2, 2025. | NIS2 evaluation tool |
| Poland | One draft from April 2024, under review by several committees. Amends the existing NCSSA (NIS) law. | ISO 27001 and 22301 standards mentioned, audit obligations, complex regulation structure, many sector-specific bodies |
| Portugal | Draft law from November 2024 approved by Council of Ministers in February 2025. Legislative process got disrupted due to failed confidence vote. | |
| Romania | Transposition initially enforced through emergency ordinance on December 30, 2024. Emergency ordinance approved by parliament and published in official gazette in July 2025. | |
| Slovakia | Transposition adopted by parliament in November 2024, published in the Official Gazette in December 2024 and in force since January 1, 2025. | |
| Slovenia | National Implementation was published in the Official Journal and entered into force in June 2025. | |
| Spain | Public consultation ended in February 2025. The draft law is currently processed under the accelerated procedure. No official information on expected entry into force, though multiple sources state the end of 2025. | |
| Sweden | Draft law published in June 2025 and submitted to council on legislation, enforcement expected on Jan 15, 2026. | |
| United Kingdom | UK NIS Regulations implemented since 2018 (NIS1), follow-on EU NIS2 hampered by Brexit. UK Cyber Security and Resilience Bill (CS&R) will harmonize Great Britain with EU NIS2 in several regulations. | Not all sectors and entities covered. Cybersecurity through NCSC CAF framework. |
National differences
There are differences between the member states in implementing NIS2 as well as differences to the EU directive itself. Some examples for country-specific differences as follows.
Sectors
EU NIS2 defines economic sectors in Annex I and II that are implemented differently in national implementations. Some countries define additional sectors.
| Sector | Differences | |
|---|---|---|
| Finland | Banking, Financial market infrastructure | Definition missing |
| Croatia | EducationSustav Obrazovanja |
Additional sector |
| Czech Republic | Military industryObranný Průmysl |
Additional sector |
Water administrationVodní Hospodářství |
Combines Water and Waster water | |
Financial marketFinanční Trh |
Combines Banking and Financial market infrastructures | |
Digital infrastructure and servicesDigitální Infrastruktura a Služby |
Combines Digital infrastruktur and ICT service management | |
| Germany | IT and Telco | Includes Digital Infrastructure and ICT Service Management (and more) |
| Public Administration | Only parts of the federal government | |
| Subsector Gasversorgung | Combines Gas and Hydrogen | |
| KRITIS sectors | Additional sector definitions | |
| Hungary | Public transportationTömegközlekedés |
Additional sector |
| Banking, Financial market infrastructures, Public administration | Definition missing | |
Water serviceVíziközmű szolgáltatás |
Combines Water and Waste water | |
Digital infrastructureDigitális infrastruktúra |
Implements partially Digital infrastructure | |
Communication servicesHírközlési szolgáltatás |
Implements partially Digital infrastructure | |
Production of cement, lime, plasterCement-, mész-, gipszgyártás |
Additional sector | |
| Italy | Public AdministrationAmministrazioni centrali, regionali, locali e di altro tipo |
Listed in separate Annex III Only central government will become essential |
Local public transport servicesSoggetti che forniscono servizi di trasporto pubblico locale |
Additional sector; Annex IV | |
Researching educational institutionsIstituti di istruzione che svolgono attività di ricerca |
Additional sector; Annex IV | |
Activities of Cultural InterestSoggetti che svolgono attività di interesse culturale |
Additional sector; Annex IV | |
In-house companies, subsidiaries, and publicly controlled companiesSocietà in house, società partecipate e società a controllo pubblico |
Additional sector; Annex IV | |
| Poland | EnergyEnergia |
Additional subsectors Oil and fuel, Supplies and services for the Energy sector, wider scope in Mineral extraction subsector. |
Banking and financial market infrastructure Bankowość i infrastruktura rynków finansowych |
Sectors combined | |
Public administrationAdministracja publiczna |
Wide scope of government bodies | |
Production, manufacture and distribution of chemicalsProdukcja, wytwarzanie i dystrybucja chemikaliów |
Moved to Annex I | |
Food production, processing and distributionProdukcja, przetwarzanie i dystrybucja żywności |
Moved to Annex I | |
ProductionProdukcja |
Moved to Annex I |
Obligations
National NIS2 implementations contain very similar definitions of NIS2 obligations for entities. The following table lists important articles and paragraphs from the national laws (mostly drafts).
| Scope | Measures | Reporting | Registration | Audits | |
|---|---|---|---|---|---|
| Belgium | Art. 3, 9, 10 | Art. 30 | Art. 34 | Art. 13, 14 | Art. 39, 41 |
| Croatia | §§ 9, 10 | § 30 |
§ 37 | §§ 20, 23 | § 34 |
| Czech Republic | §§ 3, 4, 5, 7, 8 | §§ 13, 14 + decrees |
§§ 15, 16, 17 | § 6, 11 | § 17 decree for essential |
| Finland | § 3 | §§ 7, 8, 9 | §§ 11 - 18 | §§ 41 | § 30 |
| France | §§ 8 - 11 | §§ 13 - 16 + guideline |
§§ 17 | § 12 | §§ 25 - 34 |
| Germany | § 28 | § 30 | § 31 | §§ 32, 33 | § 34 |
| Hungary | § 17 | §§ 19, 20 + more |
§ 27 | § 26 + edict |
§§ 23, 26 (3) |
| Italy | Art. 3, 6 | Art. 24 | Art. 25 | Art. 7 | Art. 34 - 37 |
| Poland | §§ 4, 5 | §§ 8, 9, 10 | §§ 11, 12, 13 | § 7 | §§ 15, 16 |
Further Information
Literature
- Directive NIS2: How is the implementation progress across the EU?, Cybrela s.r.o., 18.10.2024
- NISD 2 Tracker, Bird & Bird LLP, 24.11.2023
- NIS 2 Directive Transposition, Cyber Risk GmbH, 24.11.2023
- Navigating cybersecurity compliance - EU NIS2 Directive, Eversheds Sutherland, 19.11.2024
- NIS2 Article 28 Tracker, DNS Research Federation, 19.11.2024