Directive NIS2: How is the implementation progress across the EU?

Directive NIS2 How is the implementation progress across the EU
The NIS2 directive is a groundbreaking part of European legislation in the field of cybersecurity. It was adopted back in 2022, and the EU member states had until October 17, 2024, to pass their own law, known as the transposition act, to implement the directive. Along with this, they were required to introduce at least the minimum cybersecurity standards set by the directive into their legislation.
Most states missed the transposition deadline

Since the transposition deadline has passed, we looked at the status of implementing the directive into local laws across EU member states. Our research shows that many states will not meet this obligation on time. The usual process for drafting local law follows these steps:

A state authority presents a draft amendment or new law that will transpose NIS2.
This draft undergoes a public consultation process, during which it is often revised.
It then moves through the legislative process, which varies from state to state.
Only after that is it adopted, and following adoption, a so-called vacatio legis period often follows before the law takes effect.
1
2
3
4

Most EU states have at least a draft transposing law or amendment available, but some states have not even begun, and very few have fully adopted and enforced the law. Below, we provide a summary of the status of each member state’s transposition process.

Member States categorized by whether the relevant legislation has been adopted, a draft is available, or if the state has not started implementation. Where publicly available, links to the relevant drafts are provided. Unfortunately, no draft is available in English in any member state.

States where the NIS2 transposing law has been adopted
Belgium

The law is available.

On April 18, 2024, the Belgian parliament passed a law aligned with the EU directive (transposition law). The issuance of a royal decree to specify practical details for the law's implementation is currently expected. Belgium has reportedly expanded the range of obliged entities and added new obligations, such as risk management requirements.

Croatia

The law is available.

The Cybersecurity Act, which transposes the NIS2 directive, was adopted in February 2024.

Hungary

The law is available.

The law transposing the NIS2 directive took effect on May 23, 2023. Additionally, the registration deadline for entities in the Hungarian registry passed on June 30, 2023.

NIS2 in the Czech Republic

How does the implementation of NIS2 look in Czech legislation? Read the article where we analyze the new Cybersecurity Act.
States where draft of the NIS2 law is available
Denmark

The draft law is available here.

Denmark aims to complete implementation by March 2025. A good summary of how the Cybersecurity Act will function in Denmark can be found here.

Finland

The draft law is available here.

Finland has already prepared a draft law that transposes NIS2. The law must be approved by parliament, but it is expected to take effect by October 18, 2024.

France

More information here.

France has reportedly prepared a draft of local legislation, but elections in the summer delayed its consideration. Information on the status of the French legislation and NIS2, including a questionnaire to determine if your company will fall under NIS2, has already been communicated. However, the final adoption date of the law is not yet determined.

Netherlands

The draft law is available here.

The Netherlands is already preparing its law, but they admit they won’t meet the October 2024 deadline. The draft law underwent public consultation, with 112 comments submitted. However, it has not yet been discussed in parliament and is likely to undergo significant changes. When the law is adopted is unpredictable, as it depends on how quickly it passes through parliament.

Italy

The draft law is available here.

On June 10, 2024, the Italian parliament approved a legislative decree in line with the EU directive. However, the decree must still go through additional stages, including consideration, possible amendments, and approval by both chambers of parliament before becoming law. When it is finalized, it is uncertain, depending on how quickly it moves through parliament.

Ireland

A summary of the draft law is available here.

Ireland has already introduced its draft version and is expected to meet the deadline of October 17, 2024. The draft is available for download here (instant download link).

Cyprus

The draft amendment is available here.

In Cyprus, NIS2 provisions were transposed into the already existing “Security of Networks and Information Systems Law (89(1)(2020)”. The amendment to this law is expected to be adopted by October 18, 2024.

Luxembourg

The draft law is available here.

Luxembourg will amend its existing cybersecurity law, which originally transposed the NIS directive. The law is currently under consideration by parliament, so it is not yet clear when it will be adopted.

Malta

The draft law is available here.

On September 6, Malta unveiled a draft law transposing the NIS2 directive, which is now in the public consultation phase. Malta will not meet the October 17 deadline, and how quickly the draft law will pass through the legislative process remains uncertain.

Germany

The draft law is available here.

Germany is progressing with the implementation of NIS2. On June 26, 2024, the fourth draft law was published, introducing key updates and clarifications, including the removal of certain provisions related to leadership liability. Despite previous expectations of significant delays, the Federal Ministry of the Interior (BMI) is speeding up the process. However, they will miss the October deadline, and the exact adoption date is unknown. A government draft law has already been adopted, so significant changes are unlikely.

Poland

The draft law is available here.

On April 24, 2024, Poland’s Ministry of Digital Affairs published a draft amendment to the National Cybersecurity System Act (NCSSA). Public consultations and interdepartmental agreements on the draft law were completed by May 24, 2024. The law is now awaiting its passage through parliament. The Polish security agency reports that the law should be adopted by the end of the year..

Romania

The draft law is available here.

Romania has published a draft cybersecurity law. This draft must still go through the legislative process, so it will not be adopted by the October 17 deadline, and when it will be it is still unclear.

Greece

The draft law is available here.

In Greece, public consultation is currently underway for the draft law transposing NIS2. The final adoption date of the law is not yet set.

Slovakia

The draft law is available here.

On May 30, Slovakia submitted a draft amendment to the Cybersecurity Act for interdepartmental consultation. The Slovak government is currently considering this proposal, and it is not entirely clear how they will proceed or when the law will be finalized.

Slovenia

The draft law is available here.

The draft law transposing NIS2 has already been published, but the legislative process is still ongoing. The initial plan was to adopt the law by the end of 2024, but it is uncertain whether this will be met.

Sweden

On February 23, 2023, the Swedish government appointed a special investigator to propose the necessary changes to Swedish law. On March 5, 2024, an interim report entitled "New Cybersecurity Rules" (SOU 2024:18) was published, detailing the proposed changes and the introduction of a new law called the Cybersecurity Act. The new Cybersecurity Act, which will replace the existing NIS law, is set to take effect on January 1, 2025.

States where no draft law for NIS2 is available
Bulgaria

No draft law is available yet, and the first steps for transposition have not been taken.

Estonia

No draft law is available yet, and the first steps for transposition have not been taken.

Portugal

No draft law is available yet, and the first steps for transposition have not been taken.

Spain

No draft law is available yet, and the first steps for transposition have not been taken.

Special cases
Lithuania

We were unable to find confirmation whether the law transposing NIS2 has been adopted. Most online sources suggest Lithuania is in an advanced stage, but we couldn’t verify this claim. The Lithuanian Ministry of Security, which is responsible for drafting the law, has not provided information, nor has the Lithuanian parliament.

Austria

Austria’s cybersecurity law was already in the legislative process but was not passed during the second reading and will therefore need to be revised before it re-enters the legislative process. This proposal also impacted on the constitutional order, requiring a higher quorum for adoption, which it did not achieve. As of now, there is only an unapproved draft law.

Get ready

We will help you create the foundations, principles and documentation for the effective security of your business.

More articles

Deepfakes have become a common tool in the hands of attackers due to rapid advancements in artificial intelligence. How can companies effectively defend themselves against them?
Bigger responsibility for top management in cybersecurity also means stricter penalties. What will attract the highest fines?
The new Cybersecurity Act will significantly affect the responsibilities and duties of top management. What will top management be responsible for?

Newsletter

Do you want to be sure that your company is protected from cyber threats and at the same time comply with the applicable legislation? Sign up for the newsletter and get practical advice from our legal consultants.

By clicking submit, you consent to the processing of your personal data for marketing purposes.