NIS2, officially known as EU Network and Information Security Directive No. 2022/2555 (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555), was published in December 2022 and came into force at the start of 2023. Its goal is to harmonize and improve cybersecurity measures throughout the EU. This Directive replaces the previous NIS1 Directive, which had been in effect since 2016.

The key objectives of the NIS2 Directive are to:

  • Establish a standard set of cybersecurity requirements across all EU member states.
  • Expand the scope of the directive to cover more sectors and entities.
  • Introduce stricter incident reporting obligations and enforcement measures.
  • Promote better collaboration and information sharing between member states.
  • Ensure a high level of cybersecurity resilience as a standard across the EU.

Each member state (e.g. Poland, Germany, France, …) must individually transpose the NIS2 Directive into its national law. Member states had until October 2024 to adopt and publish all measures necessary for NIS2 compliance. After this deadline, organizations are legally required to adhere to these regulations.

Sectors and entities under the directive

The new law covers significantly more key entities crucial to national security. Previously, the process of implementing the NCS (National Cybersecurity System) began with a survey classifying organizations. Now, the “size-cap” principle applies—if you meet the criteria, you are required to comply with the law. It is the entities themselves that must be prepared rather than waiting for inquiries from central authorities.

Only micro-enterprises are exempt from this obligation.


The NIS2 Directive applies to both the public and private sectors, dividing entities into essential (Annex I) and important (Annex II) categories (see the document). The new regulations will cover all medium and large companies in specified sectors, as well as small enterprises if they play a significant role in the economy, society, or critical supply chains.

Annex I identifies the following key sectors:

  • energy
  • transport
  • banking
  • financial market infrastructure
  • health
  • drinking water
  • waste water
  • digital infrastructure
  • ICT-service management (B2B)
  • public administration entities
  • space

In Annex II, important sectors include:

  • postal and courier services
  • waste management
  • chemicals
  • food
  • manufacturing
  • digital providers
  • research

Status of the NIS2 Directive in the European Union

[Map of Europe: NIS2 Directive Implementation Tracker. Legend: Transposed (EU Member States); Draft law (EU Member States); Transposed (Non-EU Member States); Draft law (Non-EU Member States).]
As of March 2026.
The NIS2 Directive Implementation Tracker is based on information from public sources that are regularly checked.
The information provided may not be fully complete or up to date.

POLAND

  1. Implementation status

    Law adopted (published and entering into force).

  2. Name of the local law

    Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts.

  3. Essential and important sectors
    • Division into essential entities (e.g., energy, transport, banking, healthcare, digital infrastructure, public administration) and important entities (e.g., manufacturing, food, waste management, postal services, chemicals).
  4. Technical measures
    • Firewalls and IDS/IPS: Mandatory as part of network and information systems security.
    • MFA (Multi-Factor Authentication): The act explicitly requires strong authentication, especially for remote and administrative access.
    • Encryption tools and SIEM: Required to ensure data confidentiality and continuous incident monitoring (anomaly detection).
    • Endpoint protection (EDR/XDR) and vulnerability management: Key elements of proactive defence, required by Polish supervisory authorities.
    • Backup and recovery: A direct statutory requirement related to business continuity and crisis management.
    • Supply chain security: New in the amended National Cybersecurity System Act – entities must technically and contractually verify the cybersecurity of ICT suppliers.
    • High-Risk Supplier (HRS) mechanism: Allows exclusion of hardware/software suppliers deemed a threat to national security (this provision was referred by the President to ex post review by the Constitutional Tribunal, but it currently remains in force).
  5. Organisational measures
    • Security management and incident handling: Establish permanent reporting channels to the national-level CSIRTs (NASK, GOV, MON) and procedures for immediate analysis and containment of attacks on a 24/7 basis.
    • Supply chain oversight: Introduce rigorous vetting of ICT service and product suppliers, including resilience assessment and enforcing security requirements in contracts (including procedures for phasing out solutions from “high-risk suppliers”).
    • Systematic testing and effectiveness verification: Perform mandatory security audits (every 2 years for essential entities) and conduct cyclical penetration tests verifying real-world resilience.
    • Continuous vulnerability identification and patch management: Run ongoing monitoring of software and infrastructure vulnerabilities, combined with a prioritised update schedule (Patch Management).
    • Formalised access control and use of cryptography: Implement procedures granting privileges only to necessary resources, plus management-approved rules for encrypting data at rest and in transit.
    • Privileged Access Management (PAM): Introduce enhanced oversight of administrator and technical staff access to prevent privilege abuse and insider attacks.
    • Business continuity and disaster recovery (BCP/DRP): Maintain up-to-date contingency plans and data recovery procedures based on backups to enable rapid restoration after an incident.
    • Education and awareness (Cyber Hygiene): Deliver recurring training programmes for employees at all levels, covering safe work practices, phishing recognition, and protection against social engineering.
    • Asset management and removable media: Maintain an inventory of all IT/OT equipment and procedures for secure use of external storage and physical protection of data media.
    • Personnel security rules: Implement screening processes for key roles before hiring and procedures for immediate revocation of access upon termination.
  6. Mandatory and recommended training
    • End-user resilience programmes (Cyber Hygiene): Run recurring workshops for all employees focused on recognising manipulation attempts (social engineering, phishing), secure remote work practices, and physical protection of information assets.
    • Specialist training for IT and Cybersecurity teams: Systematically develop technical competencies of staff responsible for infrastructure. This includes certified courses in incident response, malware analysis, and advanced administration of security systems.
    • Training on operating and configuring deployed cybersecurity solutions: Mandatory technical sessions dedicated to specific tools used in the organisation (e.g., EDR/XDR, SIEM, next-generation firewalls, PAM). This ensures tool owners fully leverage capabilities and correctly interpret generated alerts.
    • Operational and response procedure workshops: Practical exercises for technical teams based on simulations of real attacks, aimed at building incident-handling habits aligned with the organisation’s operating playbooks.
    • Management awareness building: Board-level training is mandatory (annual) and covers legal liability, risk management, and crisis response. In addition, leadership must complete the same programme as all employees (from phishing recognition to password hygiene) to set an example and understand real internal threats.
    • Continuous threat knowledge updates (Threat Intelligence): Provide IT specialists with access to current information on new attack methods (TTPs) and training on deploying adequate controls against newly discovered zero-day vulnerabilities.

AUSTRIA

  1. Implementation status

    Law adopted (at the end of 2025).

  2. Name of the local law
  3. Essential and important sectors

    Austria closely follows the NIS2 Annexes, dividing entities into “Wesentliche Einrichtungen” (essential) and “Wichtige Einrichtungen” (important):

    • Essential sectors: Energy (electricity, gas, hydrogen, heat), transport (air, rail, water, road), banking and financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure (IXP, DNS, TLD, cloud, data centres), public administration (federal level), space.
    • Important sectors: Postal and courier services, waste management, chemicals, food (production and distribution), manufacturing of medical devices, machinery and vehicles, digital service providers (search engines, social media), scientific research.
  4. Technical measures

    Austria places strong emphasis on “state of the art” technical measures:

    • MFA (Multi-Factor Authentication): Mandatory for all administrative access and remote access.
    • Cryptography: Requirement to use strong encryption for data at rest and in transit.
    • Network segmentation: Physical or logical isolation of industrial control systems (OT) from corporate networks (IT).
    • Physical security: Strict access control to server rooms and critical infrastructure.
  5. Organisational measures
    • Risk management: Requirement to perform periodic risk analyses based on standards such as ISO/IEC 27001 or the national standard ÖNORM L 1090.
    • Supply chain management: Requirement to verify the security posture of IT and OT suppliers (Supply Chain Risk Management).
    • Incident handling: Three-step reporting model (early warning within 24h, incident notification within 72h, final report within one month).
    • BCP/DR: Business continuity and disaster recovery plans, including regular backup restore tests.
  6. Mandatory and recommended training

    Austria introduced a very strict approach to education as part of governance:

    • Management (Geschäftsführung): Mandatory training on cyber risks and their management. NISG 2026 explicitly states that management cannot delegate responsibility for lack of training.
    • IT and Cybersecurity staff: Specialist trainings (recommended certifications such as CISM, CISSP) and incident response training.
    • All users: Regular cyber hygiene training (phishing, strong passwords). The employer must maintain a record of completed trainings (a “Training Log”).

GERMANY

  1. Implementation status

    Law adopted. After intensive legislative work in 2024 and 2025, Germany fully implemented the provisions, tightening some EU requirements (so‑called “gold‑plating”).

  2. Name of the local law
    • Official name: Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung
    • Link: https://www.recht.bund.de/bgbl/1/2025/301/VO – official federal law gazette.
    • Date of entry into force: Fully applicable from 2025/2026.
  3. Essential and important sectors

    Germany divides entities into “Besonders wichtige Einrichtungen” (essential) and “Wichtige Einrichtungen” (important).

    • Essential: Energy, Transport, Banking, Financial market infrastructure, Healthcare, Water, Digital infrastructure, Public administration, Space.
    • Important: Postal services, Waste, Chemicals, Food, Manufacturing (machinery, vehicles, electronics), Digital services, Scientific research.
    • Additionally: Germany also brought some medium-sized enterprises in strategic sectors into scope, which other countries might leave out of scope.
  4. Technical measures

    Germany puts strong emphasis on the BSI IT-Grundschutz standard:

    • Attack Detection Systems: Mandatory implementation of IDS/IPS/SIEM-class systems for essential entities.
    • MFA and strong authentication: Standard for all privileged access.
    • Supply chain security: Restrictions for “critical components” (ban on using equipment from suppliers from countries with elevated political risk).
    • Encryption: Requirement to use algorithms resilient to future quantum computing (BSI recommendations).
  5. Organisational measures
    • Incident management: Reporting integrated with the BSI portal (24h/72h obligations).
    • Business continuity: Mandatory contingency plans (“Wiederanlaufpläne”).
    • Vulnerability management: Active scanning and remediation based on the CVE database.
    • Audits: Security audits every 2 years by BSI-certified auditors.
  6. Mandatory and recommended training
    • Management: Legal obligation to complete training (Art. 38 NIS2UmsuCG). Board members can be personally liable for gross negligence in cybersecurity oversight.
    • IT/Cyber: Required familiarity with the BSI IT-Grundschutz methodology or ISO 27001.
    • Users: Mandatory periodic social engineering tests (e.g., controlled phishing).

FRANCE

  1. Implementation status
    • Draft law. The draft law, which aims to implement the NIS2 directive (together with the CER and DORA directives), is currently being processed in parliament. Official adoption of the provisions is expected in the second quarter of 2026 (July 2026 is most often indicated as the realistic date for full entry into force).
  2. Name of the local law
    • Official name: Résilience des infrastructures critiques et renforcement de la cybersécurité (transposing NIS2 into the Defence Code and the Internal Security Code).
    • Link: https://www.senat.fr/dossier-legislatif/pjl24-033.html
    • Supervisory authority: ANSSI (Agence nationale de la sécurité des systèmes d’information).
  3. Essential and important sectors

    France takes a very broad approach, dividing entities into “Entités Essentielles” (EE) and “Entités Importantes” (EI).

    • Essential (EE): All sectors from NIS2 Annex I, plus an expanded list of public administration and local government entities (above a defined population threshold).
    • Important (EI): Sectors from Annex II, with a strong emphasis on the agri-food sector and industrial production.
  4. Technical measures

    France stands out with a strong requirement for solution certification:

    • ANSSI-approved products (“visa”): Recommendation (and in some sectors a requirement) to use solutions with SecNumCloud certification (for cloud) and ANSSI security visas for firewalls and VPNs.
    • Zero Trust Architecture: Promotion of a zero-trust architecture.
    • Encryption: Only algorithms approved by ANSSI (RGS – Référentiel Général de Sécurité).
    • System isolation: Very strict requirements to separate IT networks from operational networks (OT) in industry.
  5. Organisational measures
    • Governance: Appointment of a cybersecurity liaison officer available 24/7.
    • Crisis management: Mandatory participation in national cyber exercises (e.g., Cyber Europe).
    • Risk analysis: Use of the EBIOS Risk Manager methodology developed by ANSSI.
    • Incident reporting: Via a dedicated ANSSI platform, integrated with the European CyCLONe system.
  6. Mandatory and recommended training
    • Management: Mandatory training modules on civil and criminal liability in relation to incidents.
    • IT/Cyber: Recommended completion of courses delivered through “Cyber-campuses” (local education hubs).
    • Users: France relies on the “Cybermalveillance.gouv.fr” platform, which provides standardised training materials for employees.

SPAIN

  1. Implementation status

    Draft law. The Act has passed through the stage of public consultations and amendments submitted, among others, by the Spanish Data Protection Authority. Although the government originally planned full implementation by the end of 2025, the parliamentary process has taken a little longer. According to the latest communications, the provisions are expected to enter into force in the second quarter of 2026.

  2. Name of the local law
    • Official name: Real Decreto-ley de Seguridad de las Redes y Sistemas de Información (NIS2 update) and related Royal Decrees for the Esquema Nacional de Seguridad (ENS).
    • Link: https://www.boe.es/diario_boe/txt.php?id=BOE-A-2021-1192
    • Supervisory authorities: CCN-CERT (public sector and strategic entities) and INCIBE-CERT (private sector and citizens).
  3. Essential and important sectors

    Spain divides entities into “Entidades Esenciales” (essential) and “Entidades Importantes” (important):

    • Essential sectors: Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, space.
    • Important sectors: Postal services, waste management, chemicals, food, manufacturing (electronics, machinery, vehicles), digital service providers, scientific research.
    • Specificity: Spain places special emphasis on the public-sector supply chain, meaning many smaller technology firms fall under NIS2 requirements as subcontractors.
  4. Technical measures

    The technical foundation is ENS (Esquema Nacional de Seguridad), which defines specific security levels (Bajo, Medio, Alto):

    • MFA: Mandatory for all remote and administrative access (ENS standard).
    • Encryption: Requirement to use certified cryptographic modules (aligned with the CCN-STIC catalogue).
    • Network segmentation: Strict rules for separating production networks from office networks.
    • Logging and monitoring: Mandatory log retention and correlation to detect anomalies.
  5. Organisational measures
    • Security policy (PNS): Each entity must have a formally approved national security policy document.
    • Risk management: Mandatory use of MAGERIT (Spain’s official risk analysis method) and the PILAR tool.
    • Incident management: Reporting via the LUCIA platform (CCN-CERT’s incident management tool).
    • Business continuity: Requirement for regular recovery tests (DRP) with certified outcomes.
  6. Mandatory and recommended training
    • Management: Mandatory training on legal liability. In Spain, boards must sign a statement acknowledging the organisation’s cyber risks.
    • IT/Cyber: Recommended national certifications issued by CCN (e.g., CCN-STIC expert courses). Mandatory familiarity with MAGERIT and LUCIA.
    • All users: Mandatory awareness programmes at least once per year. INCIBE provides free “Kit de concienciación” toolkits for companies.

PORTUGAL

  1. Implementation status

    Law adopted. Portugal completed the legislative process in 2025, updating the earlier Régime Jurídico da Segurança Ciberespacial.

  2. Name of the local law
  3. Essential and important sectors

    The division into “Entidades Essenciais” (essential) and “Entidades Importantes” (important) follows the EU standard, but with a strong emphasis on the maritime economy:

    • Essential sectors: Energy, transport (including a strong maritime and port sector), banking, healthcare, water, digital infrastructure, public administration, space.
    • Important sectors: Postal services, waste management, chemicals, food, manufacturing (medical and industrial technologies), digital providers, scientific research.
    • Specificity: Portugal brought a large number of entities in maritime logistics into scope due to the strategic importance of ports (e.g., Sines).
  4. Technical measures

    Portugal promotes the Quadro Nacional de Referência para a Cibersegurança (QNRC) framework:

    • MFA: Mandatory for privileged and remote access (QNRC standard).
    • Encryption: Requirement to use algorithms approved by CNCS to protect data at rest and in transit.
    • Hybrid cloud environments: Specific guidance on securing connections between on‑premise infrastructure and public cloud.
    • Identity and Access Management (IAM): Strong emphasis on centralised identity management systems.
  5. Organisational measures
    • Risk management: Requirement to use methodologies aligned with ISO/IEC 27001 or the national QNRC standard.
    • Incident handling: Mandatory incident reporting via the CERT.PT portal (24h for the initial notification).
    • Business continuity: Requirement to have a “Plano de Continuidade de Negócio” (PCN) and regularly test system restoration after ransomware scenarios.
    • Supply chain: Mandatory verification of the security level of IT suppliers (Vendor Risk Management).
  6. Mandatory and recommended training
    • Management (C‑level): Mandatory trainings on civil liability and crisis management. Board members should take part in periodic briefings organised by CNCS for critical sectors.
    • IT/Cyber staff: Technical trainings on vulnerability detection. CNCS offers certification programmes such as “C‑Academy”.
    • All users: Basic cyber hygiene training. Portugal promotes free online courses such as “Cidadão Ciberinformado” available on the CNCS platform, recommended as a standard for office staff.

IRELAND

  1. Implementation status

    In Ireland, the NIS2 transposition has been based on a document titled General Scheme of the National Cyber Security Bill.

    • Status: The bill passed public consultation and government drafting, but the final Act was still going through the Oireachtas (parliament) in late 2025 / early 2026.
    • Challenge: Ireland was formally urged by the European Commission to accelerate work; as a major tech hub (EU bases of Google, Meta, Microsoft), Ireland is critical for the security of the entire Union.
  2. Name of the local law
  3. Essential and important sectors

    The division into Essential Entities and Important Entities is particularly relevant due to Ireland’s concentration of data centres and cloud providers:

    • Essential sectors: Energy, transport, banking, healthcare (HSE), water, digital infrastructure (including IXP, DNS, TLD, cloud computing, data centres—Ireland is a key EU hub in this area), public administration.
    • Important sectors: Postal services, waste, chemicals, food, manufacturing (especially pharmaceuticals and medical devices—strategic for the Irish economy), digital service providers (search engines, online marketplaces).
  4. Technical measures

    NCSC-IE promotes standards based on the NIST Cybersecurity Framework and its own “Public Sector Cyber Security Baseline” guidance:

    • MFA (Multi-Factor Authentication): A strict requirement for all internet-facing systems and administrative accounts.
    • Encryption and key management: Standards for data at rest and in transit, with particular focus on secure key management in cloud environments.
    • Segmentation and micro-segmentation: Required especially in data centres and in the healthcare sector (HSE).
    • Endpoint security (EDR/XDR): Strong focus on active monitoring of endpoints.
  5. Organisational measures
    • Risk management: Mandatory use of ISO 27001 or NIST-aligned frameworks. Each entity must appoint a CISO (Chief Information Security Officer).
    • Incident handling: Reporting via the NCSC-IE portal. Ireland applies strict Incident Notification Guidelines (24h/72h).
    • Supply chain security: Due to the economic model, companies must perform cybersecurity audits of their IT suppliers (SaaS/IaaS).
    • Business continuity: Obligation to have tested recovery plans for ransomware scenarios.
  6. Mandatory and recommended training
    • Management (Boards of Directors): Legal obligation to complete training. Ireland’s implementation of Art. 20 requires boards to have the knowledge necessary to assess cyber risks and approve risk management measures.
    • IT and Cybersecurity: Recommended certification paths (SANS, GIAC, ISC2) and regular red teaming exercises.
    • All users: Mandatory cyber awareness training. NCSC-IE provides resources for organisations through initiatives such as “Cyber Aware” and related awareness campaigns.

NETHERLANDS

  1. Implementation status

    Draft law (expected entry into force: Q2 2026). The Netherlands does not yet have a fully applicable new act. Intensive work is underway on the Cyberbeveiligingswet (Cbw), which is intended to replace the current Wbni act (from the NIS1 era).

    • Status: The draft bill was submitted to the Tweede Kamer (lower house of parliament) in 2025. The plenary debate was scheduled for March 2026.
    • Expected timeline: Official government communications and the NCSC indicate Q2 2026 as the point when the act is expected to start applying.
  2. Name of the local law
    • Official name: Cyberbeveiligingswet (Cbw) – the Cybersecurity Act.
    • Link: https://www.internetconsultatie.nl/cyberbeveiligingswet/b1
    • Supervisory authorities: NCSC-NL (for essential entities) and dedicated sector regulators (e.g., RDI – Rijksinspectie Digitale Infrastructuur for important entities).
  3. Essential and important sectors

    The Netherlands closely follows the EU catalogue but places particular emphasis on logistics and internet infrastructure:

    • Essential sectors: Energy, transport (especially the Port of Rotterdam and Schiphol Airport), banking, healthcare, drinking water, digital infrastructure (the Netherlands is one of Europe’s largest data centre hubs), central government administration.
    • Important sectors: Waste management, chemicals, food, manufacturing (machinery, electronics), postal services, digital service providers (marketplaces, search engines).
    • Specificity: A very broad scope for the water management sector (due to the system of locks and polders, which is critical for the country’s resilience).
  4. Technical measures

    The Netherlands promotes standards based on “Cyberhygiëne” and the ISO/IEC 27001 framework:

    • MFA (Multi-Factor Authentication): Mandatory for all critical systems and remote access.
    • Cryptography: Requirement to use strong encryption (NCSC-NL guidance for TLS and cryptographic algorithms).
    • Vulnerability management: Active scanning and rapid patching (the “patch or mitigate” principle).
    • Supply chain security: Mandatory supplier risk assessment (Third-Party Risk Management).
  5. Organisational measures
    • Risk management: Requirement to perform periodic risk assessments and maintain a formal Information Security Management System (ISMS).
    • Incident reporting: Two-step model (24h initial notification of a significant-impact incident, 72h detailed report). Reports go to NCSC-NL or the competent supervisory authority (e.g., RDI).
    • Business continuity (BCP): Requirement to have Disaster Recovery plans and run regular simulation exercises.
    • Coordinated Vulnerability Disclosure (CVD): Promotion of CVD policies—each organisation should have a procedure to accept vulnerability reports from security researchers.
  6. Mandatory and recommended training
    • Management (Bestuurders): Mandatory trainings (duty of care). Board members are responsible for failing to implement adequate measures and must understand the organisation’s cyber risk profile.
    • IT/Cyber specialists: Trainings in incident response and advanced threat analysis (Threat Intelligence).
    • Employees: Regular awareness programmes. The Netherlands promotes the national campaign “Maak het ze niet te makkelijk” (“Don’t make it too easy for them”), whose materials are commonly used in employee training.

ICELAND

    1. Implementation status

      Law adopted. Iceland adopted new provisions at the end of 2025, aligning the national framework (previously based on NIS1) with the expanded NIS2 requirements.

    2. Name of the local law
      • Official name: Lög um net- og upplýsingaöryggi (Network and Information Systems Security Act – 2025/2026 update).
      • Supervisory authorities: Electronic Communications Office of Iceland (ECOI) (Fjarskiptastofa) and the national team CERT-IS.
    3. Essential and important sectors

      Division into “Mikilvægir innviðir” (essential/critical infrastructure) and important entities:

      • Essential sectors: Energy (geothermal and hydropower—foundation of the island), transport (air and maritime—key for supplies), banking, healthcare, water, digital infrastructure (subsea telecom cables), public administration.
      • Important sectors: Food production (fish processing—strategic), waste management, postal services, manufacturing (aluminium), digital service providers.
      • Specificity: Iceland places strong emphasis on international connectivity security (subsea cables connecting the island to Europe and North America), treating it as a national priority.
    4. Technical measures

      Iceland promotes ISO/IEC 27001 and CERT-IS guidance:

      • MFA (Multi-Factor Authentication): Widespread use, often integrated with the Icelandic electronic ID system (Rafræn skilríki).
      • Encryption: Mandatory for data transmitted and stored in the cloud (e.g., AES‑256).
      • Network segmentation: Separation of process control (OT) networks in geothermal plants and aluminium smelters.
      • DDoS protection: Due to geographic isolation, key operators must have advanced volumetric-attack mitigation capabilities.
    5. Organisational measures
      • Risk management: Mandatory periodic audits (at least every 2 years for essential entities) performed by independent third parties.
      • Incident handling: Mandatory reporting to CERT-IS via a central portal (24h/72h).
      • Supply chain: Requirement to assess foreign IT service providers, which is critical given that Iceland imports most technology.
      • Business continuity (BCP): Detailed plans for loss of international connectivity (the so‑called “Island Mode”).
    6. Mandatory and recommended training
      • Management (Stjórnendur): Mandatory trainings on risk management and legal liability. Icelandic law stresses that boards must understand the island-specific “threat profile”.
      • IT/Cyber staff: Recommended participation in the annual national cyber exercise “Lýður”.
      • All users: Mandatory cyber hygiene training. Iceland uses the “Netöryggi fyrir alla” campaign to educate organisations and the broader public.

LUXEMBOURG

    1. Implementation status

      Law adopted. The Chamber of Deputies (Parliament) approved key amendments to Bill No. 8364 in February 2026. Effective date: Full implementation and enforcement of the provisions is expected in April 2026.

    2. Name of the local law
      • Official name: Projet de loi concernant des mesures destinées à assurer un niveau élevé de cybersécurité
      • Link: https://www.chd.lu/fr/directive-NIS2-cybersecurite
      • Supervisory authorities: ANSSI-LU (National Authority for Information System Security), ILR (Institut Luxembourgeois de Régulation) and, for the financial sector, CSSF.
    3. Essential and important sectors

      Luxembourg applies a strict classification; due to the country’s profile, the financial and fund industry is treated as a top priority:

      • Essential sectors: Energy, Transport, Banking and financial market infrastructure (especially payment systems), Healthcare, Water, Digital infrastructure (high concentration of Tier IV data centres), Public administration, Space (Luxembourg is a leader in the satellite sector).
      • Important sectors: Postal services, waste management, chemicals, food, manufacturing (medical devices, electronics), digital service providers, scientific research.
    4. Technical measures

      Technical requirements are based on ANSSI-LU standards and ISO/IEC 27001:

      • MFA (Multi-Factor Authentication): Mandatory for all external access and administrative accounts.
      • Cryptography: Requirement to use high-strength algorithms, especially in the financial sector and cloud services.
      • Network security: Mandatory network segmentation, use of next-generation firewalls (NGFW) and traffic anomaly detection systems (IDS).
      • Vulnerability management: Regular vulnerability scans and a requirement to perform penetration tests at least once per year for essential entities.
    5. Organisational measures
      • Governance: Each organisation must appoint a person responsible for information security (CISO) reporting directly to the board.
      • Incident handling: Mandatory incident reporting via guichet.lu or directly to CIRCL (Computer Incident Response Center Luxembourg) under the 24h/72h model.
      • Risk management: Mandatory use of methodologies such as MONARC (developed in Luxembourg and optimised for NIS2).
      • Business continuity (BCP): Very high Disaster Recovery (DR) requirements due to the financial sector.
    6. Mandatory and recommended training
      • Management (Board members): Legal obligation to complete training. Boards must undergo regular sessions on cyber accountability. In Luxembourg, failure to comply can result in bans on holding management functions.
      • IT and Cybersecurity staff: Recommended participation in training programmes organised by the LHC (Luxembourg House of Cybersecurity).
      • All users: Mandatory cyber hygiene trainings. Luxembourg promotes the “Bee Secure” portal, which provides materials for educating employees.

    LIECHTENSTEIN

    1. Implementation status

      Law adopted. Liechtenstein completed the legislative process in 2025.

    2. Name of the local law
    3. Essential and important sectors

      Despite its small size, Liechtenstein has strategic sectors that fall under NIS2 requirements:

      • Essential sectors: Energy (transmission networks), Transport, Banking and financial markets (foundation of the Principality’s economy), Healthcare, Water, Digital infrastructure, Public administration (Landesverwaltung).
      • Important sectors: Waste management, Manufacturing (highly specialised machinery and dental industry), Chemicals, Food, Digital service providers, Postal services.
      • Specificity: Due to the customs union and close ties with Switzerland, Liechtenstein places strong emphasis on the security of cross-border data exchange.
    4. Technical measures

      Technical standards are strongly aligned with Swiss and German BSI recommendations:

      • MFA (Multi-Factor Authentication): A strict requirement for administrative access and for all banking and finance services.
      • Encryption: AES‑256 standards for data at rest and mandatory TLS 1.3 for transmission.
      • Network segmentation: Strict separation of production control (OT) systems from office (IT) networks in industrial companies.
      • Endpoint protection: Requirement to use EDR (Endpoint Detection and Response) systems in essential entities.
    5. Organisational measures
      • Risk management: Obligation to use ISO/IEC 27001 frameworks or the Swiss “Cyber-Check” standard.
      • Incident handling: Mandatory reporting to CERT-LI (part of NCSC-LI). Liechtenstein uses the EU 24h (initial) / 72h (full) model.
      • Business continuity (BCP): Requirement to apply a “Resilience by Design” strategy—systems must be designed to withstand outages of key communication nodes with Switzerland or Austria.
      • External audits: Essential entities must undergo an independent security audit every 2–3 years.
    6. Mandatory and recommended training
      • Management (Mitglieder der Geschäftsleitung): Mandatory trainings. Under the local implementation of NIS2 Art. 20, board members can face personal financial liability if they cannot demonstrate participation in cyber risk management training.
      • IT and Cyber staff: Specialist training on Critical Infrastructure Protection (CIP).
      • All users: Regular awareness campaigns. Liechtenstein often uses educational resources from the Swiss NCSC and the German BSI.

    SLOVENIA

    1. Implementation status

      Law adopted. Slovenia completed the legislative process in late 2025. The new provisions replaced the 2018 cybersecurity act (ZInfV).

    2. Name of the local law
      • Official name: Zakon o spremembah in dopolnitvah Zakona o informacijski varnosti (ZInfV-1) – amendment to the Information Security Act (NIS2 transposition).
      • Link: https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2025-01-1571
      • Supervisory authority: URSIV (Urad Vlade Republike Slovenije za informacijsko varnost) – Government Office for Information Security.
    3. Essential and important sectors

      Slovenia divides entities into “Bistveni subjekti” (essential) and “Pomembni subjekti” (important):

      • Essential sectors: Energy, transport, banking, healthcare (e‑health system), drinking water, digital infrastructure, public administration (including local government), space.
      • Important sectors: Postal services, waste management, chemicals, food, manufacturing (especially automotive and pharmaceuticals—e.g., Krka), digital service providers, scientific research.
      • Specificity: Slovenia included enhanced oversight of the tourism sector (including large booking platforms), recognising it as important for the national economy.
    4. Technical measures

      Technical requirements are aligned with URSIV guidance and the ISO/IEC 27001 standard:

      • MFA (Večfaktorna avtentikacija): Mandatory for all administrative access and remote VPN connections.
      • Encryption and cryptography: Requirement to use state-approved algorithms to protect government and medical data.
      • Network security: Mandatory network segmentation, use of IDS/IPS systems, and regular vulnerability scanning.
      • Identity and Access Management (IAM): Strong emphasis on using the national electronic identification system SI‑PASS.
    5. Organisational measures
      • Risk management: Obligation to perform cyclical risk analyses and implement mitigation plans. Each essential entity must appoint a security coordinator.
      • Incident handling: Mandatory reporting to the national team SI‑CERT (Slovenian Computer Emergency Response Team). The 24h/72h model applies.
      • Business continuity (BCP): Requirement to have a system recovery strategy after an attack, with particular emphasis on backups isolated from the main network (offline backups).
      • Supply chain management: Obligation to verify the cybersecurity of external suppliers (Supply chain security audits).

    6. Mandatory and recommended training

      • Management (Vodstvo): Mandatory trainings. Under ZInfV‑1, board members have direct accountability for failure to implement security measures and must complete certified training in cyber risk management.
      • IT/Cyber staff: Specialist courses organised by URSIV and participation in the national cyber exercise “Kibernetični ščit” (Cyber Shield).
      • All users: Regular cyber hygiene training. Slovenia promotes the “Varni na internetu” (“Safe on the Internet”) portal as the primary source of educational materials for employees.

    CZECH REPUBLIC

    1. Implementation status

      Law adopted. The Czech Republic completed the legislative process in 2025, adopting an entirely new Cybersecurity Act that replaced the previous 2014 framework.

    2. Name of the local law
      • Official name: Zákon o kybernetické bezpečnosti (new Cybersecurity Act).
      • Link: https://www.e-sbirka.cz/sb/2025/264?zalozka=text
      • Supervisory authority: NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost) – National Cyber and Information Security Agency.
    3. Essential and important sectors

      The Czech Republic applies two regimes: “Režim vyšších povinností” (higher obligations; essential entities) and “Režim nižších povinností” (lower obligations; important entities):

      • Essential sectors: Energy, transport, banking, healthcare (including key hospitals), water, digital infrastructure, public administration (including e-government systems), space.
      • Important sectors: Postal services, waste management, chemicals, food, manufacturing (especially the automotive sector – Škoda Auto), digital service providers, scientific research.
      • Specificity: The Czech Republic brought a large number of medium-sized enterprises into scope, especially those operating in strategic supply chains for heavy industry and the defence sector.
    4. Technical measures

      NÚKIB issues very detailed technical decrees (vyhlášky) that specify requirements:

      • MFA (Vícefaktorové ověření): Mandatory for all administrative accounts and remote access to internal networks.
      • Encryption: Requirement to use certified cryptography to protect data transmitted over public channels.
      • Supply chain security review: The Czech Republic introduced a unique mechanism allowing the state to ban the use of technology from suppliers deemed a national security risk (the so‑called “Supply Chain Security Review”).
      • Network segmentation: Physical or logical separation of industrial control (OT) networks from IT networks.
    5. Organisational measures
      • Risk management: Obligation to use methodologies aligned with ISO/IEC 27001, taking into account Czech-specific guidance on state-sponsored threats.
      • Incident handling: Mandatory reporting to GovCERT.cz (public sector) or CSIRT.cz (private sector) under the 24h/72h model.
      • Business continuity (BCP): Requirement to have and regularly test data recovery plans for ransomware scenarios.
      • Cybersecurity management roles: Each essential entity must appoint certified cybersecurity roles (manager, architect, and auditor).
    6. Mandatory and recommended training
      • Management (Vrcholové vedení): Mandatory trainings. The Czech act explicitly assigns boards responsibility for approving security measures. Board members must complete training on cyber risks and legal liability.
      • IT/Cyber specialists: Recommended participation in advanced technical exercises organised by NÚKIB (e.g., the “Cyber Czech” exercise).
      • All users: Regular information security awareness training. NÚKIB provides the e-learning platform “Osvěta”, available to public and private entities.

    DENMARK

    1. Implementation status

      Law adopted. Denmark completed the legislative process in 2025. The new legal framework replaced the 2018 Act on the security of network and information systems, significantly expanding the scope of covered entities.

    2. Name of the local law
      • Official name: Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven)
      • Link: https://www.retsinformation.dk/eli/lta/2025/434/pdf
      • Supervisory authority: Center for Cybersikkerhed (CFCS) as the central authority, plus the relevant sector authorities (e.g., the Danish Energy Agency for energy, the Danish Maritime Authority for maritime transport).
    3. Essential and important sectors

      Denmark applies the division into “Væsentlige entiteter” (essential) and “Vigtige entiteter” (important):

      • Essential sectors: Energy (including a strong offshore wind sector), Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration (state and regional level).
      • Important sectors: Postal services, waste management, chemicals, food, manufacturing (including pharmaceuticals—e.g., Novo Nordisk), digital service providers, scientific research.
      • Specificity: Denmark applied NIS2 requirements to a broad range of entities in the maritime sector due to the role of ports and shipping in the national economy.
    4. Technical measures

      Denmark relies on ISO/IEC 27001 and CFCS technical recommendations:

      • MFA (Multifaktor-autentificering): Mandatory for all remote access and high-privilege accounts.
      • Encryption: Requirement to use strong cryptography (CFCS recommendations on algorithms and key lengths).
      • Supply chain security: Obligation to perform technical risk assessments of suppliers of critical components.
      • Endpoint protection: Requirement to deploy advanced EDR systems in high-risk sectors.
    5. Organisational measures
      • Risk management: Obligation to implement an Information Security Management System (ISMS) based on ISO 27001.
      • Incident handling: Mandatory reporting to CFCS (24h initial notification / 72h full report). Denmark has a highly efficient threat information exchange system between the public and private sectors.
      • Business continuity (BCP): Requirement to maintain and regularly test Disaster Recovery plans, especially in healthcare and energy.
      • “Good digital hygiene” principle: Denmark introduced a set of minimum organisational requirements for smaller “important” entities to avoid overburdening them with bureaucracy.
    6. Mandatory and recommended training
      • Management (Ledelsen): Mandatory trainings. Under Danish law, board members are personally responsible for oversight of implementing security measures and must complete training on cyber risks (NIS2 Art. 20).
      • IT/Cyber staff: Specialist technical trainings and participation in national exercises such as “Cyber Koordination”.
      • All users: Regular cyber hygiene trainings. Denmark promotes the “Sikkerdigital.dk” portal, which offers ready-to-use educational materials for employees in organisations of all sizes.

    NORWAY

    1. Implementation status

      Law adopted. Norway completed the legislative process in 2025. The new provisions build on the existing cybersecurity act (Digitalsikkerhetsloven), aligning it fully with NIS2-level requirements.

    2. Name of the local law
    3. Essential and important sectors

      Norway places particular emphasis on energy resources and subsea infrastructure:

      • Essential sectors: Energy (oil, gas, hydropower—foundation of Europe’s energy security), transport (maritime and aviation), banking, healthcare, water, digital infrastructure (subsea cables), public administration.
      • Important sectors: Waste management, manufacturing (extractive industry, metals), chemicals, food (including the strategic aquaculture/salmon sector), postal services, digital service providers.
      • Specificity: Norway brought a broad range of entities supporting offshore drilling platforms and pipelines into scope, treating them as critical infrastructure for the continent.
    4. Technical measures

      NSM publishes a set of “Basic Principles for ICT Security” (Grunnprinsipper for IKT-sikkerhet):

      • MFA (Flerfaktorautentisering): Mandatory for all external connections and administrative access.
      • Cryptography: Requirement to use strong algorithms approved by NSM (especially in the oil and gas sector).
      • Segmentation and isolation: Strict separation of SCADA/OT networks from corporate networks to prevent ransomware propagation.
      • Traffic monitoring: Obligation to deploy intrusion detection systems integrated with the national early warning system (VDI).
    5. Organisational measures
      • Risk management: Obligation to use methodologies based on ISO/IEC 27001 or Norway’s NSM standard.
      • Incident handling: Mandatory reporting to NorCERT (part of NSM) and sector CSIRTs (e.g., KraftCERT for energy). Deadline: 24h to notify a significant incident.
      • Supply chain management: Mandatory verification of supplier security (Supply Chain Risk Management), especially in infrastructure projects.
      • Business continuity (BCP): Requirement to have scenarios for complete loss of satellite or cable connectivity.
    6. Mandatory and recommended training
      • Management (Styret og ledelsen): Mandatory trainings. Norwegian law emphasises a clear “command responsibility” model. Boards must understand cyber risks and approve security budgets.
      • IT/Cyber staff: Recommended participation in the annual exercise “Øvelse Digital” (national digital resilience exercises).
      • All users: Regular cyber hygiene trainings. Norway promotes the “Nettvett.no” portal, which provides standard training materials for employees.

    SWEDEN

    1. Implementation status

      Law adopted. Sweden completed the legislative process in 2025, introducing a new cybersecurity act that significantly expanded reporting and supervision obligations for critical sectors.

    2. Name of the local law
      • Official name: Cybersäkerhetslag (2025:1506) – the Cybersecurity Act.
      • Link: https://www.svenskforfattningssamling.se/doc/20251506.html
      • Supervisory authority: MSB (Myndigheten för samhällsskydd och beredskap) – Swedish Civil Contingencies Agency, in cooperation with sector authorities (e.g., Post- och telestyrelsen for telecommunications).
    3. Essential and important sectors

      Sweden applies the division into “Väsentliga entiteter” (essential) and “Viktiga entiteter” (important):

      • Essential sectors: Energy, transport, banking, healthcare, water, digital infrastructure (including large cloud hubs), public administration (including municipalities – kommuner), space (Esrange Space Center).
      • Important sectors: Waste management, chemicals, food, manufacturing (especially defence and machinery—e.g., Saab, Scania), postal services, digital service providers, scientific research.
      • Specificity: Sweden puts strong emphasis on local governments, which operate key infrastructure at the municipal level.
    4. Technical measures

      Sweden bases requirements on MSB guidance and “basic cyber hygiene”:

      • MFA (Flerfaktorsautentisering): Strict requirement for all remote and administrative access.
      • Encryption and cryptography: Requirement to use algorithms approved by MSB and Försvarsmakten (the Armed Forces) to protect sensitive data.
      • Network segmentation: Strict isolation of control systems (SCADA/ICS) in the energy and water sectors.
      • Detection and response (EDR/MDR): Obligation to have capabilities for active intrusion detection in networks of essential entities.
    5. Organisational measures
      • Risk management: Obligation to implement an Information Security Management System (ISMS) aligned with ISO/IEC 27001 or the Swedish standard SS-ISO/IEC 27001.
      • Incident handling: Mandatory reporting to CERT-SE (part of MSB). The 24h / 72h model applies.
      • Supply chain: Mandatory supplier verification from a national security perspective (especially for 5G infrastructure and cloud).
      • Business continuity (BCP): Plans must account for cooperation with civil defence under the concept of Total Defence (Totalförsvaret).

    6. Mandatory and recommended training

      • Management (Ledningen): Mandatory trainings. Boards have direct legal and financial accountability and must undergo periodic training on digital risks and crisis management.
      • IT/Cyber staff: Recommended participation in national exercises such as “Viking” and technical trainings offered by MSB.
      • All users: Regular cyber hygiene training. Sweden promotes the “Din Säkerhet” portal, which provides educational materials for employees and citizens.

    FINLAND

    1. Implementation status

      Law adopted. Finland finalised the legislative process in 2024, and the provisions have been fully applicable since 2025. The new legal framework replaced parts of the previous Act on Electronic Communications Services in the area of cybersecurity.

    2. Name of the local law
      • Official name: Kyberturvallisuuslaki (Cybersecurity Act) and related amendments to sectoral laws.
      • Link: https://valtioneuvosto.fi/paatokset/paatos?decisionId=3531
      • Supervisory authority: Kyberturvallisuuskeskus (NCSC-FI) operating under Traficom (Finnish Transport and Communications Agency).
    3. Essential and important sectors

      Finland applies the classification “Keskeiset toimijat” (essential) and “Tärkeät toimijat” (important):

      • Essential sectors: Energy (including nuclear), transport, banking, healthcare, water, digital infrastructure, public administration, space.
      • Important sectors: Postal services, waste management, chemicals, food, manufacturing (including advanced wood and machinery industries), digital service providers, scientific research.
      • Specificity: Finland brought a broad range of district heating networks into scope; due to the climate, these are treated as critical infrastructure for population resilience.
    4. Technical measures

      NCSC-FI promotes “Security by Design” and the Finnish Katakri framework (for classified information):

      • MFA (Monivaiheinen tunnistautuminen): Mandatory for all access to critical systems and remote work.
      • Encryption: Requirement to use strong cryptography (NCSC-FI recommendations include future readiness for post-quantum threats).
      • Network segmentation: Strict separation of process control networks (OT) from corporate IT networks, especially in power plants and industrial facilities.
      • Endpoint Detection and Response (EDR): Requirement for continuous endpoint monitoring in essential entities.
    5. Organisational measures
      • Risk management: Obligation to use ISO/IEC 27001 or the national standard PiTuVi (guidance for cloud and network security).
      • Incident handling: Mandatory reporting to NCSC-FI (24h initial / 72h detailed). Finland has a unique real-time threat information exchange system between companies and government.
      • Business continuity (BCP): Plans must be integrated with the national supply security system Huoltovarmuuskeskus (National Emergency Supply Agency), which ensures economic continuity during crises.
      • Supply chain: Mandatory verification of supplier security, especially in the area of 5G/6G technologies.
    6. Mandatory and recommended training
      • Management (Ylin johto): Mandatory trainings. Boards have a statutory obligation to understand cyber risks and approve the cybersecurity strategy. Failure to comply can result in high administrative fines.
      • IT/Cyber staff: Recommended participation in advanced exercises such as “TIETO” (nationwide digital resilience exercises for the public and private sectors).
      • All users: Regular cyber hygiene training. Finland uses platforms such as “Kansalaisen kyberopas” to educate employees and citizens.

    ESTONIA

    1. Implementation status

      Law adopted. Estonia completed the NIS2 transposition process in 2026, introducing major amendments to its cybersecurity framework (Küberturvalisuse seadus).

    2. Name of the local law
    3. Essential and important sectors

      Estonia applies the classification “Olulised teenuseosutajad” (essential) and “Tähtsad teenuseosutajad” (important):

      • Essential sectors: Energy, transport, banking, healthcare, water, digital infrastructure (X-Road, electronic signatures), public administration (including e-voting), space.
      • Important sectors: Waste management, manufacturing, chemicals, food, postal services, digital service providers, scientific research.
      • Specificity: Due to the e-state model, Estonia brought nearly every trust service provider and organisations managing state registers into scope.
    4. Technical measures

      Estonia relies on its strict national standard E-ITS (Estonian Information Security Standard):

      • MFA (Mitmeteguriline autentimine): Mandatory, with a strong focus on using ID-kaart, Mobile-ID, or Smart-ID.
      • Cryptography: Requirement to use algorithms approved by RIA, with particular emphasis on protecting data integrity in the X-Road system.
      • Identity and Access Management (IAM): Centralised access control based on a distributed architecture.
      • Monitoring and detection: Obligation to deploy network sensors that provide anonymised threat telemetry to CERT-EE in real time.
    5. Organisational measures
      • Risk management: Mandatory use of the E-ITS standard (successor to ISKE), compatible with ISO 27001 but adapted to e-government specifics.
      • Incident handling: Mandatory reporting to CERT-EE (24h/72h). Estonia operates one of the fastest incident triage systems globally.
      • Business continuity (BCP): The unique “Data Embassies” concept—keeping backup copies of critical state registers on servers abroad (e.g., in Luxembourg) to ensure continuity of the state in case of cyber warfare.
      • Supply chain: Very strict requirements for technology suppliers, especially from third countries.
    6. Mandatory and recommended training
      • Management (Juhatus): Mandatory trainings. Boards of essential entities must have certification in risk management. Estonia enforces board accountability for cybersecurity very strictly.
      • IT/Cyber staff: Recommended participation in exercises organised by NATO CCDCOE (Tallinn hosts NATO’s Cooperative Cyber Defence Centre of Excellence).
      • All users: Regular training. Estonia promotes the “Küberpähkel” (“Cyber-nut”) platform for educating employees and students.

    BULGARIA

    1. Implementation status

      Law adopted. Bulgaria finalised the legislative process in 2025, amending the key 2018 Cybersecurity Act to fully integrate NIS2 requirements.

    2. Name of the local law
    3. Essential and important sectors

      Bulgaria divides entities into “Съществени услуги” (essential) and “Важни услуги” (important):

      • Essential sectors: Energy (including nuclear – Kozloduy Nuclear Power Plant), Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Waste management, Manufacturing (machinery, electronics), Chemicals, Food, Postal services, Digital service providers, Scientific research.
      • Specificity: Bulgaria introduced enhanced oversight of the nationally important tourism sector and companies operating gas transit pipelines.
    4. Technical measures

      Technical requirements are further detailed in regulations issued by the Ministry of e-Government:

      • MFA (Многофакторна автентификация): Mandatory for all accounts with access to systems of critical importance.
      • Encryption: Requirement to use certified cryptographic methods for data transmitted within public administration networks and essential sectors.
      • Network segmentation: Strict isolation of control systems (OT/ICS) from office networks in power and water utilities.
      • Endpoint protection: Requirement to use centrally managed anti-malware and endpoint security solutions.
    5. Organisational measures
      • Risk management: Obligation to use ISO/IEC 27001 or a national risk assessment methodology developed by the Ministry.
      • Incident handling: Mandatory reporting to CERT-BG (24h initial notification / 72h full report).
      • Business continuity (BCP): Requirement to have and periodically test disaster recovery plans.
      • Audits: Essential entities must undergo an external security audit at least once every two years.
    6. Mandatory and recommended training
      • Management (Ръководни кадри): Mandatory trainings. Boards of essential entities must complete certified training on cyber risk management and legal liability under the act.
      • IT/Cyber staff: Recommended participation in national and international exercises (e.g., Cyber Europe).
      • All users: Regular awareness trainings. Bulgaria promotes a national e-learning platform for public administration and business employees focused on cyber hygiene.

    BELGIUM

    1. Implementation status

      Law adopted. Belgium adopted the NIS2 transposition act in April 2024, and most provisions entered into force on 18 October 2024. Belgium is widely regarded as an EU leader in terms of speed and quality of implementation.

    2. Name of the local law
    3. Essential and important sectors

      Belgium applies the division into “Entités Essentielles” (essential) and “Entités Importantes” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Drinking water, Wastewater, Digital infrastructure, Public administration (federal and regional), Space.
      • Important sectors: Postal services, Waste management, Chemicals, Food, Manufacturing (medical devices, computers, vehicles), Digital service providers, Scientific research.
      • Specificity: Belgium imposed additional obligations on entities managing port infrastructure (e.g., the Port of Antwerp‑Bruges) and institutions supporting international payment systems (e.g., SWIFT).
    4. Technical measures

      Belgium promotes the CyberFundamentals Framework (CyFun®), which provides different maturity levels (Small, Basic, Important, Essential):

      • MFA (Multi-Factor Authentication): Mandatory for all remote access and privileged accounts.
      • Encryption: Requirement to use strong protocols (TLS 1.2+) and encrypt sensitive data at rest.
      • Network segmentation: Mandatory separation of IT and OT (Operational Technology) environments in industry and energy.
      • Vulnerability management: Active scanning and remediation; Belgium places strong emphasis on Coordinated Vulnerability Disclosure (CVD).
    5. Organisational measures
      • Registration in Safeonweb@Work: Each covered entity must register on the CCB portal for identification and communication.
      • Risk management: Obligation to use methodologies aligned with ISO/IEC 27001 or the CyFun® framework.
      • Incident handling: Mandatory reporting to CCB/CERT.be (24h initial notification of a significant-impact incident / 72h detailed report).
      • Business continuity (BCP): Requirement to have Disaster Recovery plans and regularly test backups.
    6. Mandatory and recommended training
      • Management (Organes de direction): Mandatory trainings. The Belgian act explicitly assigns boards responsibility for approving risk management measures. Board members must have sufficient knowledge to oversee these processes (NIS2 Art. 20).
      • IT and Cybersecurity staff: Specialist trainings and participation in information-sharing platforms (e.g., Cybil).
      • All users: Regular cyber hygiene training. CCB provides free webinars and materials through the “Safeonweb” campaign.

    ITALY

    1. Implementation status

      Law adopted. Italy completed the legislative process in 2024. The new provisions fully integrate NIS2 requirements with the existing national security architecture (Perimetro di Sicurezza Nazionale Cibernetica).

    2. Name of the local law
    3. Essential and important sectors

      Italy applies the division into “Soggetti Essenziali” (essential) and “Soggetti Importanti” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure (including national traffic exchange points), Public administration (central and local), Space.
      • Important sectors: Waste management, Chemicals, Food, Manufacturing (including the luxury and automotive sector—e.g., Ferrari, Leonardo), Postal services, Digital service providers, Scientific research.
      • Specificity: Italy brought a large number of entities managing tourism and cultural infrastructure into scope due to their strategic importance for GDP.
    4. Technical measures

      Italy places strong emphasis on national ACN guidance and cyber resilience requirements:

      • MFA (Autenticazione a più fattori): Mandatory for all access to corporate networks and critical systems.
      • Encryption: Requirement to use algorithms approved by ACN (with particular emphasis on data stored in the government cloud).
      • Network security: Mandatory network segmentation and deployment of SOC-class capabilities (Security Operations Center) for essential entities.
      • Qualified cloud services: Requirement to use cloud providers certified by ACN, aligned with the Polo Strategico Nazionale model.
    1. Organisational measures
      • Risk management: Mandatory use of the “Framework Nazionale per la Cybersecurity e la Data Protection” (based on ISO 27001 and NIST).
      • Incident handling: Mandatory reporting to CSIRT Italia (part of ACN). Deadlines: 24h (initial) / 72h (full).
      • Business continuity (BCP): Requirement to maintain and regularly test Disaster Recovery plans, including scenarios involving attacks on physical infrastructure (e.g., trans-Mediterranean cables).
      • Supplier accountability: Italy introduced a strict verification process for ICT technology suppliers from outside the EU (the so‑called “Golden Power” in cyberspace).
    1. Mandatory and recommended training
      • Management (Organi di gestione): Mandatory trainings. Board members have direct responsibility for approving technical and organisational measures and must participate in programmes organised or certified by ACN.
      • IT and Cybersecurity staff: Specialist technical trainings and participation in national exercises (e.g., Cyber Europe) and ACN-led simulations.
      • All users: Regular awareness training. Italy promotes e-learning platforms developed with universities under programmes such as “Cyber 4.0”.

    CROATIA

    1. Implementation status

      Law adopted. Croatia adopted the new cybersecurity act in early 2024, and most implementing provisions entered into force in 2025.

    1. Name of the local law
      • Official name: Zakon o kibernetičkoj sigurnosti (Cybersecurity Act – transposing NIS2).
      • Link: https://narodne-novine.nn.hr/clanci/sluzbeni/2024_02_14_254.html
      • Supervisory authority: Centar za kibernetičku sigurnost (SOA) – cybersecurity centre within the Security and Intelligence Agency, in cooperation with CERT.hr.
    1. Essential and important sectors

      Croatia divides entities into “Ključni subjekti” (essential) and “Važni subjekti” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Postal services, Waste management, Manufacturing, Chemicals, Food, Digital service providers, Scientific research.
      • Specificity: Croatia included a broad range of tourism and hospitality entities (due to tourism’s contribution to GDP), as well as organisations supporting Adriatic port infrastructure.
    1. Technical measures

      Croatia bases requirements on ISO/IEC 27001 and SOA national guidance:

      • MFA (Višefaktorska autentifikacija): Mandatory for all remote access (VPN) and for administrative accounts in essential sectors.
      • Cryptography: Requirement to use strong encryption for sensitive data (aligned with NATO and EU standards, which Croatia follows closely).
      • Network security: Mandatory segmentation between IT and OT (Operational Technology) networks in industry and energy.
      • DDoS protection: Requirement to have technical measures protecting against volumetric attacks for digital infrastructure providers.

    1. Organisational measures
      • Risk management: Obligation to implement a documented risk analysis process and information security management.
      • Incident handling: Mandatory reporting to CERT.hr (national incident response team) and to SOA. Reporting follows the 24h (early warning) / 72h (full report) model.
      • Business continuity (BCP): Essential entities must have tested system recovery plans, with emphasis on backups that are physically isolated (offline).
      • Audits: Regular external audits (at least once every 2 years for essential entities).

    1. Mandatory and recommended training
      • Management (Upravljačka tijela): Mandatory trainings. Boards have direct responsibility for NIS2 compliance and must participate in educational programmes on cyber hygiene and legal risk management.
      • IT/Cyber specialists: Recommended technical training and participation in national exercises such as “Kibernetički štit” (Cyber Shield).
      • All users: Regular awareness sessions (phishing, social engineering). Croatia promotes the “Veliki hrvatski cyber-test” campaign as an educational tool.

    HUNGARY

    1. Implementation status

      Law adopted. Hungary was among the first countries to adopt an NIS2-aligned legal framework (already in 2023). Full enforcement and mandatory audits entered into force in 2024 and 2025.

    1. Name of the local law
      • Official name: Act XXIII of 2023 on cybersecurity certification and cybersecurity supervision.
      • Link: https://njt.hu/jogszabaly/en/2023-23-00-00
      • Supervisory authority: SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) – Supervisory Authority for Regulated Activities.
    1. Essential and important sectors

      Hungary applies the division into “Kiemelten kritikus” (essential) and “Kritikus” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Postal services, Waste management, Manufacturing (machinery, chemicals, food), Digital service providers, Scientific research.
      • Specificity: Hungary imposed very strict requirements on the manufacturing sector, which is the backbone of the economy (especially automotive and battery manufacturing).
    1. Technical measures

      Technical requirements are specified in SZTFH regulations:

      • MFA (Többtényezős hitelesítés): Mandatory for all remote and administrative access for entities in both categories.
      • Encryption: A strict requirement to encrypt data at rest and in transit using algorithms approved by national security services.
      • Vulnerability management: Mandatory regular scanning and remediation of technical vulnerabilities in critical systems.
      • Logging and monitoring: Requirement to retain system logs for a defined period to enable post-incident analysis.
    1. Organisational measures
      • Registration: Each covered entity had to register in the SZTFH system by mid-2024.
      • Risk management: Obligation to implement an Information Security Management System (ISMS) based on security classes (1–4).
      • Incident handling: Mandatory reporting to MKCSK (part of SZTFH) and to GovCERT-HU under the 24h / 72h model.
      • Mandatory audit: Every entity must undergo an audit every two years conducted by an independent audit firm registered with SZTFH. This is one of the most distinctive and stringent requirements in Hungary.
    1. Mandatory and recommended training
      • Management (Vezetők): Mandatory trainings. Boards have direct responsibility for implementing NIS2 measures and must participate in certified cyber risk management trainings.
      • IT/Cyber specialists: Recommended technical trainings and close cooperation with the National Cybersecurity Institute (NKI).
      • All users: Regular cyber hygiene training. Hungary promotes the “KiberPajzs” (“Cyber Shield”) campaign, which provides educational materials for employees.

    SLOVAKIA

    1. Implementation status

      Law adopted. Slovakia amended its existing Cybersecurity Act (Zákon o kybernetickej bezpečnosti) in 2024, making it fully compliant with the NIS2 Directive from early 2025.

    1. Name of the local law
    1. Essential and important sectors

      Slovakia divides entities into “Základné služby” (essential) and “Dôležité služby” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Postal services, Waste management, Manufacturing (especially the automotive sector – e.g., Volkswagen, Kia, Stellantis), Chemicals, Food, Digital service providers, Scientific research.
      • Specificity: Slovakia brought a broad range of metallurgy and machinery entities into scope, which constitute a key export backbone of the country.
    1. Technical measures

      NBÚ issues detailed implementing decrees (vyhlášky) specifying technical parameters:

      • MFA (Viacfaktorová autentifikácia): Mandatory for all accounts with access to critical information systems and for remote connections.
      • Encryption: Requirement to use cryptographic methods approved by NBÚ, especially to protect data transmitted over public networks.
      • Network segmentation: Strict separation of OT (industrial control) networks from corporate IT networks.
      • Monitoring and detection: Obligation to deploy incident and anomaly detection systems (IDS/IPS) in essential entities.
    1. Organisational measures
      • Risk management: Obligation to implement an Information Security Management System (ISMS) aligned with ISO/IEC 27001 or national NBÚ standards.
      • Incident handling: Mandatory reporting to SK-CERT (part of NBÚ) and to CSIRT.SK (for public administration). Reporting follows the 24h / 72h model.
      • Business continuity (BCP): Requirement to have Disaster Recovery plans and regularly test data restoration from backups.
      • Audits: Essential entities must undergo a cybersecurity audit by a certified auditor every two years.
    1. Mandatory and recommended training
      • Management (Štatutárne orgány): Mandatory trainings. Boards have direct responsibility for implementing security measures. Board members must be able to demonstrate documented knowledge of cyber risk management.
      • IT/Cyber specialists: Recommended participation in advanced technical training and national exercises such as “Cyber Zora”.
      • All users: Regular cyber hygiene trainings. Slovakia promotes the “Kyberbezpecnost.sk” portal as a source of educational materials for employees.

    LATVIA

    1. Implementation status

      Law adopted. Latvia finalised the new cybersecurity law in 2024, and NIS2 provisions have been fully enforced since early 2025.

    1. Name of the local law
      • Official name: Nacionālās kiberdrošības likums (National Cybersecurity Act).
      • Link: https://www.vestnesis.lv/op/2024/128A.1
      • Supervisory authorities: Nacionālais kiberdrošības centrs (NKDC) – National Cybersecurity Centre (under the Ministry of Defence) and CERT.LV.
    1. Essential and important sectors

      Latvia divides entities into “Būtisko pakalpojumu sniedzēji” (essential) and “Svarīgo pakalpojumu sniedzēji” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Waste management, Manufacturing, Chemicals, Food, Postal services, Digital service providers, Scientific research.
      • Specificity: Latvia brought a large number of media broadcasters (radio and TV) into scope, as well as operators supporting critical infrastructure at the ports of Riga and Ventspils.
    1. Technical measures

      Requirements are based on NKDC guidance and NATO-aligned certifications:

      • MFA (Daudzfaktoru autentifikācija): Mandatory for all accounts with access to critical assets and for remote work.
      • Cryptography: Requirement to use strong encryption (AES‑256 or newer) for sensitive data.
      • Intrusion detection systems: Mandatory deployment of CERT.LV network sensors in essential entities (the so‑called “Kibersargs” – cyber shield).
      • Vulnerability management: Regular vulnerability scanning and immediate reporting of identified weaknesses.
    1. Organisational measures
      • Risk management: Obligation to implement an Information Security Management System (ISMS) aligned with ISO/IEC 27001.
      • Incident handling: Mandatory reporting to CERT.LV (24h initial notification / 72h full report).
      • Supply chain: Very strict vetting of IT suppliers (in particular screening for influence from states outside NATO/EU).
      • Business continuity (BCP): Requirement to apply a “Resilience First” strategy—systems must be ready to operate in autonomous mode in case of loss of external connectivity.
    1. Mandatory and recommended training
      • Management (Valdes locekļi): Mandatory trainings. Board members must hold a certificate confirming completion of training in cyber risk management and legal liability.
      • IT/Cyber staff: Participation in the annual “Cyber Chess” exercise and technical trainings organised by CERT.LV.
      • All users: Mandatory cyber hygiene training. Latvia promotes the “E‑mācības” e-learning platform for public officials and private-sector employees.

    LITHUANIA

    1. Implementation status

      Law adopted. Lithuania adopted an amendment to the cybersecurity act in mid-2024. The provisions have been fully applicable since early 2025, and the registration process for essential entities has already been completed.

    1. Name of the local law
    1. Essential and important sectors

      Lithuania applies the division into “Esminiai subjektai” (essential) and “Svarbūs subjektai” (important):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Waste management, Chemicals, Food, Manufacturing, Postal services, Digital service providers, Scientific research.
      • Specificity: Lithuania brought all entities managing critical national information infrastructure into scope, including systems supporting the Port of Klaipėda and strategic energy corridors.
    1. Technical measures

      Technical requirements are defined by NKSC and are based on national security standards:

      • MFA (Daugiafaktorinis autentiškumo patvirtinimas): Mandatory for all remote connections and privileged accounts.
      • Cryptography: Requirement to use state-certified encryption algorithms for sensitive data and inter-ministerial communication.
      • Network security: Mandatory network segmentation and deployment of IDS/IPS systems integrated with NKSC’s early warning capabilities.
      • System hardening: Obligation to apply defensive configurations (“security baselines”) for servers and workstations.
    1. Organisational measures
      • Risk management: Obligation to use ISO/IEC 27001-aligned methodologies and national NKSC guidelines.
      • Incident handling: Mandatory reporting to NKSC / CERT-LT. Deadlines: 24h (initial) / 72h (full).
      • Supply chain management: Very strict rules for ICT suppliers—Lithuania was among the first in the EU to exclude “high-risk” suppliers (e.g., from China and Russia) from key infrastructure.
      • Business continuity (BCP): Requirement to have and regularly test data recovery plans for hybrid scenarios (e.g., cyberattack combined with physical disruption).
    1. Mandatory and recommended training
      • Management (Vadovybė): Mandatory trainings. Boards of essential entities have a statutory obligation to participate in cyber risk management training. Personal accountability of board members is treated very seriously in Lithuania.
      • IT/Cyber staff: Recommended participation in advanced exercises such as “Amber Mist” (cyclical cyber defence exercises organised by the military and NKSC).
      • All users: Regular cyber hygiene training. Lithuania promotes the “Kibermokslas” platform to educate employees.

    ROMANIA

    1. Implementation status

      Law adopted. Romania finalised the legislative process in 2025, updating the earlier Act on the security of networks and information systems (No. 362/2018). The new provisions significantly expanded DNSC’s powers to audit companies.

    1. Name of the local law
      • Official name: ORDONANȚĂ DE URGENȚĂ privind instituirea unui cadru pentru securitatea cibernetică a rețelelor și sistemelor informatice din spațiul cibernetic național civil
      • Link: https://www.dnsc.ro/vezi/document/oug-privind-transpunerea-directivei-nis-2
      • Supervisory authority: DNSC (Directoratul Național de Securitate Cibernetică) – National Directorate for Cybersecurity.
    1. Essential and important sectors

      Romania divides entities into “Entități esențiale” (Essential entities) and “Entități importante” (Important entities):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Waste management, Chemicals, Food, Manufacturing (including the IT sector and digital services outsourcing), Postal services, Scientific research.
      • Specificity: Romania brought a broad range of managed service providers (MSPs) into scope under NIS2, recognising them as a critical link in the supply chain for global corporations operating in the country.
    1. Technical measures

      DNSC imposes standards aligned with ENISA requirements and NIST technical frameworks:

      • MFA (Multi-Factor Authentication): Strictly mandatory for all privileged access and remote workers.
      • Encryption: Requirement to use strong cryptography (minimum AES‑256) for sensitive data transmitted over public channels.
      • Network security: Mandatory implementation of SIEM (Security Information and Event Management) systems for essential entities.
      • OT security: Physical and logical isolation of process-control systems in the energy sector (especially in nuclear power – Cernavodă).
    1. Organisational measures
      • Risk management: Obligation to implement an ISMS based on ISO/IEC 27001 or a national DNSC certification scheme.
      • Incident handling: Mandatory reporting to DNSC / CERT‑RO. Deadlines: 24h (initial) / 72h (full).
      • Supply chain management: Mandatory cybersecurity certification for key ICT technology suppliers.
      • Business continuity (BCP): Requirement to maintain plans for a full paralysis of critical infrastructure, including system recovery scenarios without internet access.
    1. Mandatory and recommended training
      • Management (Conducerea): Mandatory trainings. Romanian law provides for high financial penalties for board members for negligence in cybersecurity oversight. Management must complete certified courses in operational risk.
      • IT and Cybersecurity specialists: Recommended participation in the “Lumea Cibernetică” exercises (local cyber defence exercises).
      • All users: Regular cyber hygiene training. Romania promotes the “Siguranța Online” portal for employee education.

    GREECE

    1. Implementation status

      Law adopted. Greece finalised the legislative process in 2025. The new provisions replaced the earlier Act 4577/2018, aligning the national framework with the stringent NIS2 requirements and expanding the list of covered entities by thousands of companies.

    1. Name of the local law
      • Official name: Νόμος για την Κυβερνοασφάλεια (Ενσωμάτωση NIS2) – Cybersecurity Act (NIS2 transposition).
      • Link: https://search.et.gr/el/fek/?fekId=774154
      • Supervisory authority: Εθνική Αρχή Κυβερνοασφάλειας (EAK) – National Cybersecurity Authority.
    1. Essential and important sectors

      Greece applies a division into “Βασικές οντότητες” (Essential entities) and “Σημαντικές οντότητες” (Important entities):

      • Essential sectors: Energy, Transport (especially maritime), Banking, Healthcare, Water, Digital infrastructure, Public administration, Space.
      • Important sectors: Waste management, Chemicals, Food, Manufacturing, Postal services, Digital service providers, Scientific research.
      • Specificity: Greece brought a very large number of shipping and port logistics entities into scope (e.g., the ports of Piraeus and Thessaloniki), recognising them as critical for global supply chains.
    1. Technical measures

      Technical guidance is issued by EAK and often builds on ENISA standards (ENISA is headquartered in Athens):

      • MFA (Αυθεντικοποίηση πολλαπλών παραγόντων): Mandatory for all access to infrastructure management systems and for remote work.
      • Encryption: Requirement to use strong cryptography for data at rest and in transit, with particular attention to communications between islands and the mainland.
      • Network security: Mandatory IT/OT segmentation, especially in the energy sector and in maritime transport (onboard systems security).
      • Device/product certification: Greece promotes the use of ICT products with security certifications recognised at EU level.
    1. Organisational measures
      • Risk management: Obligation to implement an ISMS based on ISO/IEC 27001 or EAK national guidelines.
      • Incident handling: Mandatory reporting to CSIRT-CYBER (national response team). Deadlines: 24h (initial notification) / 72h (full report).
      • Business continuity (BCP): Requirement to maintain plans for outages in communications systems, which is critical for the country’s territorial integrity (archipelagos).
      • Supply chain management: Mandatory verification of technology suppliers, especially in 5G projects and port modernisation programmes.

    1. Mandatory and recommended training
      • Management (Διοικητικά όργανα): Mandatory trainings. Boards of essential Greek entities bear personal responsibility for failures to implement NIS2 requirements. They must participate in certified training programmes on cyber risk management.
      • IT and Cybersecurity specialists: Recommended training organised by EAK and participation in the “Panoptis” exercise (nationwide cybersecurity exercise).
      • All users: Regular awareness programmes. Greece promotes the “CyberSafe” portal for educating public- and private-sector employees.

    CYPRUS

    1. Implementation status

      Law adopted. Cyprus completed the NIS2 transposition process in 2025, updating the Act on the security of networks and information systems (Law 89(I)/2020). The new legal framework significantly expanded the supervisory powers of the DSA Commissioner.

    1. Name of the local law
      • Official name: Ο περί Ασφάλειας Δικτύων και Συστημάτων Πληροφοριών (Τροποποιητικός) Νόμος του 2025
      • Link: https://dsa.cy/images/pdf-upload/DSA-Law-60-I-2025.pdf
      • Supervisory authority: Digital Security Authority (DSA) operating under the Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR).
    1. Essential and important sectors

      Cyprus divides entities into “Βασικές οντότητες” (Essential entities) and “Σημαντικές οντότητες” (Important entities):

      • Essential sectors: Energy, Transport (aviation and maritime), Banking and finance, Healthcare, Water, Digital infrastructure (key subsea cables connecting Europe with the Middle East), Public administration, Space.
      • Important sectors: Postal services, Waste management, Chemicals, Food, Manufacturing (including pharmaceuticals), Digital service providers, Scientific research.
      • Specificity: Cyprus brought a broad group of ship management entities and companies supporting the maritime registry into scope, which is unique at this scale in the EU.
    1. Technical measures

      DSA publishes guidance based on ENISA and NIST standards:

      • MFA (Αυθεντικοποίηση πολλαπλών παραγόντων): Mandatory for administrative access and for all employees in financial institutions and critical infrastructure operators.
      • Encryption: Requirement to use strong algorithms for data transmitted over international subsea links.
      • Continuous monitoring: Obligation to deploy intrusion detection (IDS) and log monitoring/correlation (SIEM) systems in essential entities.
      • Cloud security: Strict rules for hosting public administration data and medical data.
    1. Organisational measures
      • Risk management: Obligation to implement a security framework aligned with ISO/IEC 27001 or a national digital security standard developed by DSA.
      • Incident handling: Mandatory reporting to CSIRT-CY (national Computer Security Incident Response Team). Reporting model: 24h initial notification / 72h full report.
      • Supply chain: Mandatory verification of ICT technology suppliers, especially in the telecommunications and banking sectors.
      • Audits: Essential entities must undergo regular audits performed by certified external auditors, with reports submitted directly to DSA.
    1. Mandatory and recommended training
      • Management (Διοικητικά συμβούλια): Mandatory trainings. Board members are directly responsible for approving risk management measures. They must participate in trainings on cyber crisis management.
      • IT and Cybersecurity staff: Recommended participation in the “Cyber S” exercises and certification programmes offered by DSA.
      • All users: Regular awareness campaigns. Cyprus promotes the national “CyberAware Cyprus” programme aimed at SMEs and large enterprises.

    SERBIA

    1. Implementation status

      In progress / New act. Serbia has prepared a new information security act (Zakon o informacionoj bezbednosti) reflecting key NIS2 requirements. The process is overseen under the national Information Security Development Strategy for 2021–2026.

    1. Name of the local law
    1. Essential and important sectors

      Serbia defines covered entities as “IKT sistemi od posebnog značaja” (ICT systems of special importance):

      • Key sectors: Energy, Transport, Banking, Financial markets, Healthcare, Water, Digital infrastructure, Public administration.
      • Important sectors: Postal services, Waste management, Chemicals production and distribution, Food production, Manufacturing, Digital service providers (cloud, search engines).
      • Specificity: Serbia places strong emphasis on the mining and metallurgy sector and on IT (outsourcing) companies, which are key exports of the country.
    1. Technical measures

      Technical requirements are set out in government regulations (Uredbe) and supervised by RATEL:

      • MFA (Višefaktorska autentifikacija): Mandatory for access to systems of special importance and for network administrators.
      • Cryptography: Use of encryption standards aligned with national recommendations, with particular focus on personal data protection (compatibility with Serbia’s GDPR-equivalent – ZZPL).
      • Protection against network attacks: Obligation to deploy DDoS mitigation and to monitor traffic in real time.
      • Vulnerability management: Regular penetration testing and vulnerability scanning.
    1. Organisational measures
      • Risk management: Obligation to adopt an ICT Systems Security Act (internal security act), updated at least annually.
      • Incident handling: Mandatory reporting of significant-impact incidents to SRB-CERT. Deadline: immediately, and no later than 24 hours after detection.
      • Business continuity (BCP): Requirement to maintain disaster recovery plans and regularly test backups.
      • Audits: Operators of systems of special importance must undergo an external security audit at least once every two years.
    1. Mandatory and recommended training
      • Management: Governance responsibility. While Serbian law emphasises the organisation’s legal responsibility, newer guidance requires managers to be aware of cyber risks and to approve security plans.
      • IT staff: Specialist training organised by RATEL and the National Academy for Public Administration (NAJU).
      • All users: Regular awareness programmes. Serbia runs campaigns such as “Pametno i bezbedno” (“Smart and safe”).

    NORTH MACEDONIA

    1. Implementation status

      In progress / New legal framework. North Macedonia has prepared a new Act on the security of networks and information systems, which mirrors the NIS2 Directive almost verbatim. This process is a key element of the National Cybersecurity Strategy.

    1. Name of the local law
      • Official name: Закон за безбедност на мрежни и информациски системи (Act on the security of networks and information systems).
      • Link: https://portal.mdt.gov.mk/post-body-files/zakoni-mdt-file-I4ez.pdf
      • Supervisory authority: MKD-CIRT (Национален центар за одговор на компјутерски инциденти) operating under the Agency for Electronic Communications (AEK).
    1. Essential and important sectors

      North Macedonia applies an EU‑aligned classification, focusing on operators of essential services (Оператори на суштински услуги):

      • Essential sectors: Energy, Transport, Banking, Financial market infrastructure, Healthcare, Water, Digital infrastructure, Public administration.
      • Important sectors: Postal services, Waste management, Food production and distribution, Digital service providers (marketplaces, cloud).
      • Specificity: Due to NATO and EU accession ambitions, North Macedonia brought all entities managing critical government information infrastructure and systems supporting civil defence into an NIS2‑level regime.
    1. Technical measures

      Technical requirements are set by MKD-CIRT and are based on ISO standards:

      • MFA (Мулти‑факторска автентикација): Recommended, and increasingly imposed as a mandatory requirement, for all access to state administration systems and critical sectors.
      • Encryption: Requirement to use strong cryptographic algorithms to protect citizens’ data (under national personal data protection law harmonised with the GDPR).
      • Network segmentation: Separation of public networks from internal government and operational (OT) networks in the energy sector.
      • Incident monitoring: Obligation to implement tools for continuous monitoring of logs and network traffic.
    1. Organisational measures
      • Risk management: Obligation to maintain an information security policy based on ISO/IEC 27001.
      • Incident handling: Mandatory reporting to MKD-CIRT. Timelines are being aligned to the EU 24h/72h model to ensure full interoperability with EU Member States.
      • Business continuity (BCP): Essential entities must maintain Disaster Recovery plans, including procedures for restoring services after ransomware attacks.
      • Regional cooperation: Active participation in regional cybersecurity initiatives in the Western Balkans.

    1. Mandatory and recommended training
      • Management: Increased accountability. New provisions introduce management accountability for cybersecurity negligence, which entails mandatory periodic briefings on digital risks.
      • IT and Cybersecurity staff: Regular trainings organised by MKD-CIRT and participation in regional exercises (e.g., “Cyber S”) and NATO international simulations.
      • All users: Promotion of awareness campaigns such as “Safe.mk”, aimed at raising the overall digital security culture.

    ALBANIA

    1. Implementation status

      Law adopted. Albania adopted a new cybersecurity act in 2024 that reflects the NIS2 Directive almost in full. The new provisions entered into force in early 2025.

    1. Name of the local law
    1. Essential and important sectors

      Albania applies a division into “Infrastruktura Kritike e Informacionit” (Critical Information Infrastructure) and “Infrastruktura e Rëndësishme” (Important Infrastructure):

      • Essential sectors: Energy, Transport, Banking, Healthcare, Water, Digital infrastructure, Public administration (e‑Albania portal).
      • Important sectors: Postal services, Waste management, Manufacturing, Food, Digital service providers, Scientific research.
      • Specificity: Due to its “Digital First” model, Albania placed entities supporting e‑citizen administration systems and the tourism sector under enhanced supervision.
    1. Technical measures

      ACES imposes standards based on ISO/IEC 27001 and NATO guidance:

      • MFA (Autentifikimi me shumë faktorë): Strict requirement for all government systems and operators of essential services.
      • Encryption: Obligation to use strong cryptography for sensitive data transmitted within state networks.
      • Network segmentation: Strict isolation of critical systems from the public internet.
      • Protection against hybrid attacks: Requirement to deploy advanced DDoS protection and real‑time traffic monitoring systems.
    1. Organisational measures
      • Risk management: Requirement to maintain a security policy approved by ACES and to regularly update the threat/risk assessment.
      • Incident handling: Mandatory reporting to AL-CIRT (part of ACES). Deadlines: 24h (incident notification) / 72h (full technical report).
      • Business continuity (BCP): Essential entities must maintain geo‑redundant backups.
      • Audits: Operators of critical infrastructure are subject to annual audits carried out by ACES inspectors.
    1. Mandatory and recommended training
      • Management (Drejtuesit): Mandatory trainings. After the 2024 reform, boards of essential entities may bear personal (including financial) liability for failures in cybersecurity oversight.
      • IT and Cybersecurity staff: Regular trainings under support programmes from the US and the EU; participation in “Cyber Shield” exercises.
      • All users: Mandatory digital hygiene courses for public administration employees.

    MONTENEGRO

    1. Implementation status

      Law adopted / Implementing regulations in progress. Montenegro adopted a new information security act (Zakon o informacionoj bezbjednosti) at the end of 2024. This act is fully aligned with the NIS2 Directive and provides the foundation for building a modern digital protection ecosystem.

    2. Name of the local law
    3. Essential and important sectors

      Montenegro applies the classification “Operatori kritične informatičke infrastrukture” (Operators of Critical Information Infrastructure):

      • Key sectors: Energy, Transport, Banking, Healthcare, Water supply, Digital infrastructure, Public administration.
      • Important sectors: Postal services, Waste management, Manufacturing, Food, Digital service providers, Tourism (of strategic importance).
      • Specificity: Due to EU accession ambitions, enhanced supervision applies to the telecommunications sector and systems supporting the Port of Bar, a key logistics hub for the country.
    4. Technical measures

      Technical requirements are defined by the Cybersecurity Agency and are based on NATO and ENISA standards:

      • MFA (Višefaktorska autentifikacija): Mandatory for all access to critical infrastructure and e-government services.
      • Encryption: Requirement to use strong algorithms (AES‑256 standard) to protect data transmitted in government networks.
      • Monitoring and detection: Obligation to implement SOC (Security Operations Center)-type capabilities for the largest entities in the energy and financial sectors.
      • Endpoint protection: Requirement to use advanced EDR/XDR-class systems in public administration.
    5. Organisational measures
      • Risk management: Obligation to implement security frameworks aligned with ISO/IEC 27001.
      • Incident handling: Mandatory reporting to CIRT.ME. The EU reporting model applies: 24h (early warning) / 72h (detailed report).
      • Business continuity (BCP): Requirement to maintain a Disaster Recovery strategy, including backups stored in secure, isolated locations.
      • Audits: Regular security audits conducted by certified third parties or Cybersecurity Agency inspectors.
    6. Mandatory and recommended training
      • Management: Mandatory accountability. The new law requires management to understand cyber risks and establishes direct responsibility for approving protection plans.
      • IT and Cybersecurity specialists: Recommended participation in international exercises (e.g., NATO Locked Shields) and training organised by the Western Balkans Cyber Capacity Centre (WB3C) in Podgorica.
      • All users: Regular awareness programmes, with particular emphasis on protection against phishing and social engineering.

    UKRAINE

    1. Implementation status

      Implemented and active. Ukraine has updated its Act “On the Basic Principles of Ensuring Cybersecurity of Ukraine” and related legal acts (including Cabinet of Ministers resolutions) to fully reflect the rigor of NIS2. Due to the state of war, many of these provisions are more restrictive than EU standards.

    2. Name of the local law
      • Official name: Закон України “Про основні засади забезпечення кібербезпеки України” (Act on the Basic Principles of Ensuring Cybersecurity of Ukraine).
      • Links:
      • Supervisory authorities: NCSCC (National Cybersecurity Coordination Center under the National Security and Defence Council), SSSCIP (State Service of Special Communications and Information Protection), and CERT-UA.
    3. Essential and important sectors

      Ukraine uses the classification “Об’єкти критичної інфраструктури” (Critical Infrastructure Objects), divided into four criticality categories:

      • Essential sectors: Energy (nuclear, gas, electricity), Transport, Banking and finance, Healthcare, Water and food supply, Digital infrastructure (telecommunications, cloud), Public administration (including the Diia system), Defence industry.
      • Important sectors: Chemicals manufacturing, Waste management, Postal services, Digital service providers, Research institutions.
      • Specificity: Ukraine was among the first in Europe to assign critical infrastructure status to electronic registers and to satellite systems used for civil and military communications.
    4. Technical measures

      Technical requirements are extremely high due to continuous wiper-type attacks and attacks on the energy grid:

      • MFA (Багатофакторна автентифікація): Mandatory for any access to state systems and critical infrastructure.
      • Encryption: Requirement to use algorithms resistant to compromise attempts by foreign intelligence services (national and NATO standards).
      • Network segmentation and “air‑gapping”: Physical isolation of the most critical control systems (OT) from the internet.
      • Detection systems (EDR/XDR): Widespread deployment of enterprise-class tools to detect advanced threats (APT) in real time.
    5. Organisational measures
      • Risk management: Obligation to implement risk management procedures aligned with NIST and ISO/IEC 27001.
      • Incident handling: Mandatory and immediate reporting to CERT-UA. Ukraine operates 24/7, with response times measured in minutes rather than hours.
      • Business continuity (BCP): Requirement to maintain backups in the cloud (often outside the country, e.g., in EU data centres) and to have emergency power supply systems.
      • Supply chain: Full ban on the use of software and hardware originating from aggressor states (Russia, Belarus).
    6. Mandatory and recommended training
      • Management: Criminal and disciplinary liability. Managers of critical infrastructure entities are personally responsible for cybersecurity posture and must undergo regular briefings with NCSCC liaison officers.
      • IT and Cybersecurity specialists: Continuous participation in live-fire exercises and close cooperation with volunteers (e.g., IT Army of Ukraine).
      • All users: Mass cyber hygiene education programmes run by the Ministry of Digital Transformation.

    GEORGIA

    1. Implementation status

      Implemented / Systematically updated. Georgia has a modern cybersecurity act that was updated in 2021–2024 to reflect EU NIS and NIS2 standards. The country is building its ecosystem based on a unique civil–military cooperation model.

    2. Name of the local law
      • Official name: ინფორმაციული უსაფრთხოების შესახებ (Information Security Act).
      • Link: https://matsne.gov.ge/document/view/1679424?publication=8
      • Supervisory authorities: Digital Governance Agency (DGA) (under the Ministry of Justice) and the Cyber Operations Center (under the Ministry of Defence).
    3. Essential and important sectors

      Georgia divides entities into three categories (Category 1, 2 and 3) depending on their impact on national security:

      • Key sectors (Category 1): Government institutions, Energy (especially hydropower plants and transit pipelines), Telecommunications, Transport (ports of Batumi and Poti).
      • Important sectors (Categories 2 and 3): Banking and finance, Healthcare, Digital service providers, Municipal services (water, waste).
      • Specificity: Due to Georgia’s role as a transit country, particular emphasis is placed on the security of energy and fibre‑optic corridors connecting Europe with Asia.
    4. Technical measures

      Technical standards are set by DGA and are very close to NIS2 requirements:

      • MFA (მრავალფაქტორიანი ავთენტიფიკაცია): Mandatory for public administration systems and critical infrastructure operators.
      • Cryptography: Use of strong encryption algorithms approved by state security authorities.
      • Perimeter protection: Mandatory intrusion detection systems (IDS/IPS) for Category 1 entities, integrated with the national early warning system.
      • Data security: Requirement to physically locate databases containing state registers within Georgia or in certified allied clouds.
    5. Organisational measures
      • Risk management: Obligation to implement an Information Security Management System (ISMS) based on ISO/IEC 27001.
      • Incident handling: Mandatory reporting to CERT.GOV.GE (civil sector) or the Cyber Operations Center (defence sector).
      • Business continuity (BCP): Requirement to have data recovery plans after failures, regularly tested against hybrid attack scenarios.
      • Supply chain: Verification of ICT technology suppliers for links to high-risk countries.
    6. Mandatory and recommended training
      • Management: Responsibility-based governance. Leaders of key entities must appoint a Chief Information Security Officer (CISO) who reports directly to the board and supervisory authorities.
      • IT and Cybersecurity specialists: Active participation in NATO exercises (e.g., “Cyber Coalition”) and local simulations.
      • All users: Georgia runs broad awareness campaigns supported by international partners (EU, US), targeting public officials and the private sector.

    MOLDOVA

    1. Implementation status

      Law adopted / Implementation phase. Moldova adopted a new Cybersecurity Law (No. 48/2023), which entered into force in 2024. The country is currently preparing detailed implementing regulations and building the operational structures foreseen in the law.

    2. Name of the local law
    3. Essential and important sectors

      Moldova identifies “Furnizori de servicii esențiale” (providers of essential services):

      • Essential sectors: Energy, Transport, Banking and financial markets, Healthcare, Water supply, Digital infrastructure, Public administration.
      • Important sectors: Postal and courier services, Waste management, Food production and distribution, Chemicals production, Digital service providers.
      • Specificity: Particular priority was given to the energy and telecommunications sectors due to the need to diversify energy sources and protect against disinformation.
    4. Technical measures

      Requirements are defined by ANSC and are based on European standards:

      • MFA (Autentificarea cu mai mulți factori): Mandatory for critical systems and administrative access in public administration.
      • Encryption: Requirement to use cryptographic algorithms ensuring confidentiality of citizens’ data and government communications.
      • Vulnerability management: Mandatory regular system scanning and patching within timelines set by ANSC.
      • Traffic monitoring: Requirement to deploy anomaly detection systems integrated with the national operations centre.
    5. Organisational measures
      • Risk management: Obligation to implement a security framework based on ISO/IEC 27001.
      • Incident handling: Mandatory reporting to CERT-Moldova (operated by STISC or the new Agency). Reporting follows the 24h / 72h model.
      • Business continuity (BCP): Requirement to have and test service restoration plans, including scenarios for protection against ransomware.
      • Supplier verification: Moldova introduced strict security assessment criteria for ICT technology suppliers, especially for 5G infrastructure and government systems.
    6. Mandatory and recommended training
      • Management: Legal accountability. Management of essential entities is legally obliged to oversee implementation of security measures and must participate in programmes raising awareness of cyber risks.
      • IT and Cyber specialists: Participation in international exercises (e.g., organised by the EU and the US) and specialist courses certified by ANSC.
      • All users: Promotion of educational campaigns during Cybersecurity Month and e-learning training for public officials.

    ARMENIA

    1. Implementation status

      In progress / draft bill. Armenia is not an EU Member State, so it does not implement the NIS2 Directive directly. However, in 2025 the government approved a package of draft laws (including the draft “On Cybersecurity” law) intended to align national requirements with European standards (including a risk-based approach and incident reporting obligations for critical infrastructure).

    2. Local law title and link
    3. Essential and important sectors

      In the legislative drafts, Armenia is building a model similar to NIS/NIS2, based on the concept of critical infrastructure and “key” information systems. The scope of entities is to be specified in secondary legislation and registers, but in principle it includes:

      • Essential (critical) sectors: public administration and state registers, energy, telecommunications and communications, finance/banking, transport, healthcare, water supply, and other services critical to the functioning of the state.
    4. Technical measures

      Because the provisions are still at draft stage, detailed technical requirements have not yet been codified as uniformly as in EU Member States. However, the direction of work (consistent with NIS2 practice) assumes implementing minimum cyber protection capabilities for operators of critical systems, including:

      • MFA: mandatory (or expected as a standard) for privileged and remote access.
      • Vulnerability and patch management: periodic scanning, patch management, and prioritisation of high-risk vulnerabilities.
      • Monitoring and logging: log centralisation (e.g., SIEM), anomaly detection, and maintaining an audit trail for critical systems.
      • Network segmentation / OT separation: logical or physical separation of critical environments from office networks and the Internet.
      • Cryptography: encryption of data in transit and (for sensitive data) at rest, together with key management controls.
      • Backups and ransomware resilience: offline/immutable backups, restore testing, and securing access to backup repositories.
    5. Organisational measures
      • Risk management: establishing an ISMS and performing periodic risk assessments (in practice most often based on ISO/IEC 27001) for critical systems and public services.
      • Incident handling and reporting: proposed obligations to notify significant incidents to state authorities/CSIRT (AM-CERT) and to maintain incident response procedures (triage, escalation, communication).
      • Business continuity (BCP/DR): required continuity and recovery plans, including regular testing (table-top and technical) for critical services.
      • Supplier management: assessing supply-chain risks (including IT and telecommunications service providers) and contractual security and incident-notification requirements.
      • Registers / entity identification: creating a register of critical systems and formally classifying entities subject to supervision.
    6. Mandatory and recommended training
      • IT and Cybersecurity staff: under the draft, an entity provides general and role-specific cybersecurity training for its employees, conducts cyber exercises in cooperation with authorised and independent entities, ensures participation in training organised by the independent entity, and takes part in other events aimed at building cybersecurity capacity.
      • All users: under the draft, an entity ensures implementation of basic cyber hygiene requirements based on the zero-trust principle (“trust no one, verify everything”), such as software updates, access management for IT systems, staff training, and awareness-raising about cyber threats and phishing.