5 minute read | October.31.2024
The Network and Information Security 2 Directive (“NIS2”) was implemented into law in the EU on 17 October 2024 (implementing legislation available here). NIS2 expands the scope of the original NIS legislation to include new sectors that the EU deems critical (Annexes I and II of NIS2 Directive set out a list of services covered by the legislation). For more information about the scope of NIS2, read our “5 Things You Need to Know About NIS2” here.
EU Member States had until 17 October 2024 to implement NIS2 into national law. So where do countries stand on implementing NIS2? Here’s a country-by-country look at the status of implementation, current as of this article’s publication date but subject to change.
Country |
Status |
Legislation* |
Commentary |
Austria |
Available here |
Austria has submitted the “Network and Information Security Act” for Parliament’s consideration. It is anticipated that the “Network and Information Security Act” will take effect in June 2025. |
|
Belgium |
Available here |
Belgium adopted the “Law establishing a framework for the cybersecurity of network and information systems of general interest for public security” on 18 October 2024, implementing NIS2. |
|
Bulgaria |
Available here |
Bulgaria has submitted the “Cybersecurity Act” for consideration by Parliament at a national level. |
|
Croatia |
Available here |
Croatia adopted the “Cyber Security Act” on 15 February 2024, implementing NIS2. |
|
Cyprus |
Available here |
Cyprus intends to transpose NIS2 into local law under the amended “Security of Networks and Information Systems Act 2020.” A public consultation closed on 29 September 2023. |
|
Czech Republic |
Available here |
The Czech Republic has submitted the “Cybersecurity Act” for consideration by Parliament at a national level.
|
|
Denmark |
N/A |
Denmark has held a public consultation on a proposed draft law. Parliament is expected to consider an updated version of the draft law in February 2025. If passed, the law is anticipated to be effective from 1July 2025. |
|
Estonia |
N/A |
The implementation of NIS2 has been delayed. No legislation (draft or otherwise) has been made public. |
|
Finland |
Available here |
The implementation of NIS2 has been delayed. Legislators have not approved legislation. |
|
France |
Available here |
France has submitted “Resilience of Critical Infrastructures and the Strengthening of Cybersecurity” act for consideration by Parliament and the Senate at a national level. It may take legislators months to finalise this. |
|
Germany |
Available here |
Germany has submitted the “NIS2 Implementation and Cybersecurity Enhancement Act” for consideration by Parliament at a national level. We expect the Act to go into effect in March 2025. |
|
Greece |
Available here |
Greece intends to transpose NIS2 into local law. A public consultation on the draft legislation will close on 2November 2024. |
|
Hungary |
Available here |
Hungary adopted the “Cybersecurity Certification and Cybersecurity Supervision Act,” implementing NIS2. Supporting rules and legislation are under consideration or waiting to be adopted. |
|
Iceland |
N/A |
Iceland intends to transpose NIS2 into local law, but no draft legislation has been prepared, and there is no timeline for completion. |
|
Ireland |
Available here |
Ireland has submitted the “National Cyber Security Bill” for Parliament to consider. It is listed in the autumn 2024 legislative programme. However, it is unclear when the bill will be approved. |
|
Italy |
Available here |
Italy adopted a legislative decree implementing NIS2 on 1 October 2024. |
|
Latvia |
Available here |
Latvia adopted the “National Cybersecurity Law” on 1 September 2024, implementing NIS2. Supporting rules and legislation are under consideration. |
|
Lichtenstein |
Available here |
Lichtenstein has submitted the “Cybersecurity Law” for consideration by Parliament at a national level. |
|
Lithuania |
Available here |
Lithuania adopted the “Law on Cyber Security” on 18 October 2024, implementing NIS2. |
|
Luxembourg |
Available here |
Luxembourg has submitted a bill for consideration by Parliament at a national level. |
|
Malta |
Available here |
Malta intends to transpose NIS2 into local law under the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order.” A public consultation closed on 7 October 2024. |
|
Netherlands |
Available here |
The Netherlands intends to transpose NIS2 into local law under the “Cybersecurity Act.” It is anticipated that the “Cybersecurity Act” will be effective from Q3 2025. |
|
Norway |
N/A |
Norway intends to transpose NIS2 into local law under the “Digital Security Act.” A public consultation will close on 11 December 2024. No draft legislation has been published. |
|
Poland |
Available here |
Poland has submitted amendments to the “National Cyber Security System Act” (and certain other acts) for consideration by Parliament at a national level. If passed, the legislation should take effect in Q1 2025. |
|
Portugal |
N/A |
Portugal intends to transpose NIS2 into local law. A public consultation on the draft legislation is ongoing, following which the legislation will be approved by the Portuguese Government and Parliament. |
|
Romania |
Available here |
Romania intends to transpose NIS2 into local law under the “Law on the establishment of a framework for the cyber security of networks and information systems in the national civil cyberspace.” A public consultation is open. |
|
Slovakia |
Available here |
Slovakia intends to transpose NIS2 into local law under the "Cybersecurity Act". The proposed date of effect is 1 January 2025, however the next step is for the legislation to be considered by Parliament. |
|
Slovenia |
Available here |
Slovenia intends to transpose NIS2 into local law under the “Information Security Act.” Legislators are expected to adopt the implementing legislation in December 2024 or January 2025. |
|
Spain |
N/A |
Spain has not yet circulated draft legislation, and it is not clear where Spain stands in the implementation process. |
|
Sweden |
N/A |
Sweden intends to transpose NIS2 into local law through a new “Cyber Security Regulation.” It is anticipated that the “Cyber Security Regulation” will be transposed into local law by 1 January 2025. |
* Please note that in some instances, legislation (or draft legislation) is only available in local language.
NIS2 implementing legislation has been approved and adopted.
NIS2 implementing legislation is progressing. Legislation has been proposed, but legislation has not yet been approved, and a final copy of the legislation is not available.
NIS2 implementing legislation has not been published, and timelines for implementation of NIS2 are not clear.