NIS2, officially known as EU Network and Information Security Directive No. 2022/2555 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555 , was published in December 2022 and came into force at the start of 2023. Its goal is to harmonize and improve cybersecurity measures throughout the EU. This Directive replaces the previous NIS1 Directive, which had been in effect since 2016.
The key objectives of the NIS2 Directive are to:
- Establish a standard set of cybersecurity requirements across all EU member states.
- Expand the scope of the directive to cover more sectors and entities.
- Introduce stricter incident reporting obligations and enforcement measures.
- Promote better collaboration and information sharing between member states.
- Ensure a high level of cybersecurity resilience as a standard across the EU.
Each member state (e.g. Poland, Germany, France, …) must individually adapt the NIS2 directives into their national laws. They have until to adopt and publish all necessary measures for NIS2 compliance until October 2024. After this deadline, organizations will be legally required to adhere to these regulations.
Sectors and entities under the directive
The new law covers significantly more key entities crucial to national security. Previously, the process of implementing the NCS (National Cybersecurity System) began with a survey classifying organizations. Now, the “size-cap” principle applies—if you meet the criteria, you are required to comply with the law. It is the entities themselves that must be prepared rather than waiting for inquiries from central authorities.
Only micro-enterprises are exempt from this obligation.
The NIS2 Directive applies to both the public and private sectors, dividing entities into essential (Annex I) and important (Annex II) categories (see the document). The new regulations will cover all medium and large companies in specified sectors, as well as small enterprises if they play a significant role in the economy, society, or critical supply chains.
Annex I identifies the following key sectors:
energy
transport
banking
financial market infrastructure
health
drinking water
waste water
digital infrastructure
ICT-service management (B2B)
public administration entities
space
In Annex II, important sectors include:
postal and courier services
waste management
chemicals
food
manufacturing
digital providers
research
NIS2 status in EU
The NIS2 Directive Implementation Tracker is based on information from public sources that are regularly checked. The information provided may not be fully complete or up to date.
Check out the NIS2 adaptation in Your State:
* Please note that in some instances, legislation (or draft legislation) is only available in local language.
Austria
Austria has submitted the “Network and Information Security Act” for Parliament’s consideration. It is anticipated that the “Network and Information Security Act” will take effect in June 2025.
Belgium
Belgium adopted the “Law establishing a framework for the cybersecurity of network and information systems of general interest for public security” on 18 October 2024, implementing NIS2.
Bulgaria
Bulgaria has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.
Croatia
Croatia adopted the “Cyber Security Act” on 15 February 2024, implementing NIS2.
Cyprus
Cyprus intends to transpose NIS2 into local law under the amended “Security of Networks and Information Systems Act 2020.” A public consultation closed on 29 September 2023.
Czech Republic
The Czech Republic has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.
Denmark
Denmark has held a public consultation on a proposed draft law. Parliament is expected to consider an updated version of the draft law in February 2025. If passed, the law is anticipated to be effective from 1July 2025.
Estonia
The implementation of NIS2 has been delayed. No legislation (draft or otherwise) has been made public.
Finland
The implementation of NIS2 has been delayed. Legislators have not approved legislation.
France
France has submitted “Resilience of Critical Infrastructures and the Strengthening of Cybersecurity” act for consideration by Parliament and the Senate at a national level. It may take legislators months to finalise this.
Germany
Germany has submitted the “NIS2 Implementation and Cybersecurity Enhancement Act” for consideration by Parliament at a national level. We expect the Act to go into effect in March 2025.
Greece
Greece adopted ‘Law No.5160/2024’ on 29 November 2024, implementing NIS2.
Hungary
Hungary adopted the ‘Cybersecurity Act’ on 18 December 2024, implementing NIS2. A secondary piece of legislation dealing with provisional transition will enter into force separately.
Iceland
Iceland intends to transpose NIS2 into local law, but no draft legislation has been prepared, and there is no timeline for completion.
Ireland
Ireland has submitted the “National Cyber Security Bill” for Parliament to consider. It is listed in the autumn 2024 legislative programme. However, it is unclear when the bill will be approved.
Italy
Italy adopted a legislative decree implementing NIS2 on 1 October 2024.
Latvia
Latvia adopted the “National Cybersecurity Law” on 1 September 2024, implementing NIS2. Supporting rules and legislation are under consideration.
Lichtenstein
Lichtenstein has submitted the “Cybersecurity Law” for consideration by Parliament at a national level.
Lithuania
Lithuania adopted the “Law on Cyber Security” on 18 October 2024, implementing NIS2.
Luxembourg
Luxembourg has submitted a bill for consideration by Parliament at a national level.
Malta
Malta intends to transpose NIS2 into local law under the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order.” A public consultation closed on 7 October 2024.
Netherlands
The Netherlands intends to transpose NIS2 into local law under the “Cybersecurity Act.” It is anticipated that the “Cybersecurity Act” will be effective from Q3 2025.
Norway
Norway intends to transpose NIS2 into local law under the “Digital Security Act.” A public consultation will close on 11 December 2024. No draft legislation has been published.
Poland
The Government Legislation Center has published another draft amendment to the National Cyber Security System Act, dated February 7, 2025. This is the fifth amendment to this draft. The draft introduces a number of significant changes, the main ones in two areas: public entities as key and important entities, and supervision measures.
Portugal
Portugal intends to transpose NIS2 into local law. A public consultation on the draft legislation closed on 31 December 2024, following which the legislation will be approved by the Portuguese Government and Parliament.
Romania
Romania adopted the ‘Government Emergency Ordinance (GEO) 155/2024’ on 30 December 2024, implementing NIS2. Note the legislation linked here is to a prior draft of the Government Emergency Ordinance (GEO) 155/2024.
Slovakia
Slovakia intends to transpose NIS2 into local law under the “Cybersecurity Act”. The proposed date of effect is 1 January 2025, however the next step is for the legislation to be considered by Parliament.
Slovenia
Slovenia intends to transpose NIS2 into local law under the “Information Security Act.” Legislators are expected to adopt the implementing legislation in December 2024 or January 2025.
Spain
Spain has not yet circulated draft legislation, and it is not clear where Spain stands in the implementation process.
Sweden
Sweden intends to transpose NIS2 into local law through a new “Cyber Security Regulation.” It is anticipated that the “Cyber Security Regulation” will be transposed into local law by 1 January 2025.