NIS2: Where do European Countries Stand on Implementing Cybersecurity Strategies?

5 minute read | October.31.2024

The Network and Information Security 2 Directive (“NIS2”) was implemented into law in the EU on 17 October 2024 (implementing legislation available here). NIS2 expands the scope of the original NIS legislation to include new sectors that the EU deems critical (Annexes I and II of NIS2 Directive set out a list of services covered by the legislation). For more information about the scope of NIS2, read our “5 Things You Need to Know About NIS2” here.

EU Member States had until 17 October 2024 to implement NIS2 into national law. So where do countries stand on implementing NIS2? Here’s a country-by-country look at the status of implementation, current as of this article’s publication date but subject to change.

Country	Status	Legislation*	Commentary
Austria		Available here	Austria has submitted the “Network and Information Security Act” for Parliament’s consideration. It is anticipated that the “Network and Information Security Act” will take effect in June 2025.
Belgium		Available here	Belgium adopted the “Law establishing a framework for the cybersecurity of network and information systems of general interest for public security” on 18 October 2024, implementing NIS2.
Bulgaria		Available here	Bulgaria has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.
Croatia		Available here	Croatia adopted the “Cyber Security Act” on 15 February 2024, implementing NIS2.
Cyprus		Available here	Cyprus intends to transpose NIS2 into local law under the amended “Security of Networks and Information Systems Act 2020.” A public consultation closed on 29 September 2023.
Czech Republic		Available here	The Czech Republic has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.
Denmark		N/A	Denmark has held a public consultation on a proposed draft law. Parliament is expected to consider an updated version of the draft law in February 2025. If passed, the law is anticipated to be effective from 1July 2025.
Estonia		N/A	The implementation of NIS2 has been delayed. No legislation (draft or otherwise) has been made public.
Finland		Available here	The implementation of NIS2 has been delayed. Legislators have not approved legislation.
France		Available here	France has submitted “Resilience of Critical Infrastructures and the Strengthening of Cybersecurity” act for consideration by Parliament and the Senate at a national level. It may take legislators months to finalise this.
Germany		Available here	Germany has submitted the “NIS2 Implementation and Cybersecurity Enhancement Act” for consideration by Parliament at a national level. We expect the Act to go into effect in March 2025.
Greece		Available here	Greece intends to transpose NIS2 into local law. A public consultation on the draft legislation will close on 2November 2024.
Hungary		Available here	Hungary adopted the “Cybersecurity Certification and Cybersecurity Supervision Act,” implementing NIS2. Supporting rules and legislation are under consideration or waiting to be adopted.
Iceland		N/A	Iceland intends to transpose NIS2 into local law, but no draft legislation has been prepared, and there is no timeline for completion.
Ireland		Available here	Ireland has submitted the “National Cyber Security Bill” for Parliament to consider. It is listed in the autumn 2024 legislative programme. However, it is unclear when the bill will be approved.
Italy		Available here	Italy adopted a legislative decree implementing NIS2 on 1 October 2024.
Latvia		Available here	Latvia adopted the “National Cybersecurity Law” on 1 September 2024, implementing NIS2. Supporting rules and legislation are under consideration.
Lichtenstein		Available here	Lichtenstein has submitted the “Cybersecurity Law” for consideration by Parliament at a national level.
Lithuania		Available here	Lithuania adopted the “Law on Cyber Security” on 18 October 2024, implementing NIS2.
Luxembourg		Available here	Luxembourg has submitted a bill for consideration by Parliament at a national level.
Malta		Available here	Malta intends to transpose NIS2 into local law under the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order.” A public consultation closed on 7 October 2024.
Netherlands		Available here	The Netherlands intends to transpose NIS2 into local law under the “Cybersecurity Act.” It is anticipated that the “Cybersecurity Act” will be effective from Q3 2025.
Norway		N/A	Norway intends to transpose NIS2 into local law under the “Digital Security Act.” A public consultation will close on 11 December 2024. No draft legislation has been published.
Poland		Available here	Poland has submitted amendments to the “National Cyber Security System Act” (and certain other acts) for consideration by Parliament at a national level. If passed, the legislation should take effect in Q1 2025.
Portugal		N/A	Portugal has not yet circulated draft legislation, and it is not clear where Portugal stands in the implementation process.
Romania		Available here	Romania intends to transpose NIS2 into local law under the “Law on the establishment of a framework for the cyber security of networks and information systems in the national civil cyberspace.” A public consultation is open.
Slovakia		Available here	Slovakia adopted an amended “Cybersecurity Act” on 2 October 2024, implementing NIS2. This legislation will be effective as of 1 January 2025.
Slovenia		Available here	Slovenia intends to transpose NIS2 into local law under the “Information Security Act.” Legislators are expected to adopt the implementing legislation in December 2024 or January 2025.
Spain		N/A	Spain has not yet circulated draft legislation, and it is not clear where Spain stands in the implementation process.
Sweden		N/A	Sweden intends to transpose NIS2 into local law through a new “Cyber Security Regulation.” It is anticipated that the “Cyber Security Regulation” will be transposed into local law by 1 January 2025.

* Please note that in some instances, legislation (or draft legislation) is only available in local language.

NIS2 implementing legislation has been approved and adopted.

NIS2 implementing legislation is progressing. Legislation has been proposed, but legislation has not yet been approved, and a final copy of the legislation is not available.

NIS2 implementing legislation has not been published, and timelines for implementation of NIS2 are not clear.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Adele Harrison Senior Associate, Cyber, Privacy & Data Innovation, Internal Investigations

London

See my bio

D:+44 20 7862 4600
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Internal Investigations
Global Investigations
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Adele Harrison Senior Associate

London

Adele has advised clients on a wide range of cybersecurity and data privacy matters. Adele has a particular interest in online safety requirements for companies and has advised clients in relation to the Age Appropriate Design Code, Video Sharing Platforms requirements and the Online Safety Bill.

Before joining Orrick, Adele worked for two years on a global investigation into allegations of fraud, bribery and corruption, resulting in settlements with the UK Serious Fraud Office, French Parquet National Financier, U.S. Department of Justice and U.S. Department of State.

Prior to her work in private practice, Adele practiced at the independent Bar for five years. She has experience in prosecuting and defending in a wide range of criminal law cases and has developed a practice focusing on fraud, white collar crime and regulatory law. Adele has conducted secondments with the Serious Fraud Office and Crown Prosecution Service on high profile banking fraud cases, as well as internships with the International Criminal Court and the New York State Division of Human Rights.

Adele has obtained the Certified Information Privacy Professional - Europe (CIPP/E) designation from the International Association of Privacy Professionals.

Rami Kawkabani Senior Associate, Technology & Innovation, Technology Transactions

Paris

See my bio

D:+33 1 5353 8157
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Rami Kawkabani Senior Associate

Paris

Rami advises clients in drafting and negotiating their contractual terms and in the context of strategic transactions covering significant and complex technological issues including in terms of liability and intellectual property.

He also regularly advises clients on compliance with tech and data European and French regulations (Digital Services Act, AI Act, RGPD, Data Act, LCEN) and in the context of their commercial practices towards consumers.

Rami has spent time in-house with major tech companies, and is able to quickly understand his client’s requirements and priorities.

Hanna Hewitt Associate, Global Compliance & Regulatory, Cyber, Privacy & Data Innovation

London

See my bio

D:+442078624681
E: [email protected]

Practice:

Global Compliance & Regulatory
Cyber, Privacy & Data Innovation
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Hanna Hewitt Associate

London

Hanna has a knack for tracking the detail, which proves to be invaluable for clients when managing cyber incidents. Whilst working with a range of clients from FTSE100 to early-stage companies, Hanna oversees and helps keep multiple workstreams on track, seamlessly integrating with client’s internal incident response teams.

She assists clients throughout the lifecycle of a cyber incident: helping with immediate response, working with forensic providers to eradicate and contain cyber threats, and advising them on their regulatory and contractual obligations in respect of notification. Both pre- and post-cyber incident, Hanna also supports clients with ongoing cyber-risk management, to help mitigate regulatory and third-party risk. This includes helping clients navigate post-cyber incident litigation to the extent required.

When cyber incidents aren’t keeping her busy, Hanna also provides privacy advisory support, advising clients on the GDPR and other international data protection laws, including data retention, processing and transfer.

Hanna trained at Orrick and during her training contract also gained experience in litigation, corporate (Technology Companies Group) and competition.

Dr. Odey Hardan Associate, Strategic Advisory & Government Enforcement (SAGE), Cyber, Privacy & Data Innovation

Düsseldorf

See my bio

D:+49 211 36 78 7 602
E: [email protected]

Practice:

Strategic Advisory & Government Enforcement (SAGE)
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Dr. Odey Hardan Associate

Düsseldorf

Prior to joining Orrick, Odey served as a research assistant to a distinguished chair focusing on European law, where he authored several academic papers. Throughout his doctoral studies, he delved deeply into the intricate realms of European, international, and data protection law.

Additionally, Odey contributed to significant legal opinions and gained practical experience by supporting the representation of the German Federal Government in pivotal cases before the Federal Constitutional Court, including the proceedings on the European Patent Convention, CETA and the EU-Singapore Free Trade Agreement.

Before starting his legal practice, he also worked as a research assistant for an international UK-headquartered law firm.