- Tobiáš Trnka
The NIS2 directive is a groundbreaking part of European legislation in the field of cybersecurity. It was adopted back in 2022, and the EU member states had until October 17, 2024, to pass their own law, known as the transposition act, to implement the directive. Along with this, they were required to introduce at least the minimum cybersecurity standards set by the directive into their legislation.
Most states missed the transposition deadline
Since the transposition deadline has passed, we looked at the status of implementing the directive into local laws across EU member states. Our research shows that many states will not meet this obligation on time. The usual process for drafting local law follows these steps:
Most EU states have at least a draft transposing law or amendment available, but some states have not even begun, and very few have fully adopted and enforced the law. Below, we provide a summary of the status of each member state’s transposition process.
Member States categorized by whether the relevant legislation has been adopted, a draft is available, or if the state has not started implementation. Where publicly available, links to the relevant drafts are provided. Unfortunately, no draft is available in English in any member state.
States where the NIS2 transposing law has been adopted
Belgium
On April 18, 2024, the Belgian parliament passed a law aligned with the EU directive (transposition law). The issuance of a royal decree to specify practical details for the law's implementation is currently expected. Belgium has reportedly expanded the range of obliged entities and added new obligations, such as risk management requirements.
Croatia
The Cybersecurity Act, which transposes the NIS2 directive, was adopted in February 2024.
Hungary
The law transposing the NIS2 directive took effect on May 23, 2023. Additionally, the registration deadline for entities in the Hungarian registry passed on June 30, 2023.
NIS2 in the Czech Republic
States where draft of the NIS2 law is available
Denmark
The draft law is available here.
Denmark aims to complete implementation by March 2025. A good summary of how the Cybersecurity Act will function in Denmark can be found here.
Finland
The draft law is available here.
Finland has already prepared a draft law that transposes NIS2. The law must be approved by parliament, but it is expected to take effect by October 18, 2024.
France
France has reportedly prepared a draft of local legislation, but elections in the summer delayed its consideration. Information on the status of the French legislation and NIS2, including a questionnaire to determine if your company will fall under NIS2, has already been communicated. However, the final adoption date of the law is not yet determined.
Netherlands
The draft law is available here.
The Netherlands is already preparing its law, but they admit they won’t meet the October 2024 deadline. The draft law underwent public consultation, with 112 comments submitted. However, it has not yet been discussed in parliament and is likely to undergo significant changes. When the law is adopted is unpredictable, as it depends on how quickly it passes through parliament.
Italy
The draft law is available here.
On June 10, 2024, the Italian parliament approved a legislative decree in line with the EU directive. However, the decree must still go through additional stages, including consideration, possible amendments, and approval by both chambers of parliament before becoming law. When it is finalized, it is uncertain, depending on how quickly it moves through parliament.
Ireland
A summary of the draft law is available here.
Ireland has already introduced its draft version and is expected to meet the deadline of October 17, 2024. The draft is available for download here (instant download link).
Cyprus
The draft amendment is available here.
In Cyprus, NIS2 provisions were transposed into the already existing “Security of Networks and Information Systems Law (89(1)(2020)”. The amendment to this law is expected to be adopted by October 18, 2024.
Luxembourg
The draft law is available here.
Luxembourg will amend its existing cybersecurity law, which originally transposed the NIS directive. The law is currently under consideration by parliament, so it is not yet clear when it will be adopted.
Malta
The draft law is available here.
On September 6, Malta unveiled a draft law transposing the NIS2 directive, which is now in the public consultation phase. Malta will not meet the October 17 deadline, and how quickly the draft law will pass through the legislative process remains uncertain.
Germany
The draft law is available here.
Germany is progressing with the implementation of NIS2. On June 26, 2024, the fourth draft law was published, introducing key updates and clarifications, including the removal of certain provisions related to leadership liability. Despite previous expectations of significant delays, the Federal Ministry of the Interior (BMI) is speeding up the process. However, they will miss the October deadline, and the exact adoption date is unknown. A government draft law has already been adopted, so significant changes are unlikely.
Poland
The draft law is available here.
On April 24, 2024, Poland’s Ministry of Digital Affairs published a draft amendment to the National Cybersecurity System Act (NCSSA). Public consultations and interdepartmental agreements on the draft law were completed by May 24, 2024. The law is now awaiting its passage through parliament. The Polish security agency reports that the law should be adopted by the end of the year..
Romania
The draft law is available here.
Romania has published a draft cybersecurity law. This draft must still go through the legislative process, so it will not be adopted by the October 17 deadline, and when it will be it is still unclear.
Greece
The draft law is available here.
In Greece, public consultation is currently underway for the draft law transposing NIS2. The final adoption date of the law is not yet set.
Slovakia
The draft law is available here.
On May 30, Slovakia submitted a draft amendment to the Cybersecurity Act for interdepartmental consultation. The Slovak government is currently considering this proposal, and it is not entirely clear how they will proceed or when the law will be finalized.
Slovenia
The draft law is available here.
The draft law transposing NIS2 has already been published, but the legislative process is still ongoing. The initial plan was to adopt the law by the end of 2024, but it is uncertain whether this will be met.
Sweden
On February 23, 2023, the Swedish government appointed a special investigator to propose the necessary changes to Swedish law. On March 5, 2024, an interim report entitled "New Cybersecurity Rules" (SOU 2024:18) was published, detailing the proposed changes and the introduction of a new law called the Cybersecurity Act. The new Cybersecurity Act, which will replace the existing NIS law, is set to take effect on January 1, 2025.
States where no draft law for NIS2 is available
Bulgaria
No draft law is available yet, and the first steps for transposition have not been taken.
Estonia
No draft law is available yet, and the first steps for transposition have not been taken.
Portugal
No draft law is available yet, and the first steps for transposition have not been taken.
Spain
No draft law is available yet, and the first steps for transposition have not been taken.
Special cases
Lithuania
We were unable to find confirmation whether the law transposing NIS2 has been adopted. Most online sources suggest Lithuania is in an advanced stage, but we couldn’t verify this claim. The Lithuanian Ministry of Security, which is responsible for drafting the law, has not provided information, nor has the Lithuanian parliament.
Austria
Austria’s cybersecurity law was already in the legislative process but was not passed during the second reading and will therefore need to be revised before it re-enters the legislative process. This proposal also impacted on the constitutional order, requiring a higher quorum for adoption, which it did not achieve. As of now, there is only an unapproved draft law.