Download checklistGet ready with our self assesment

NIS 2 transposition process tracking

All European Union (EU) countries must transpose the NIS 2 (Network and Information Security) directive into their national law by October 2024.

European Directives vs. Regulations

Understanding the Difference Between European Directives and Regulations

A European Directive and a Regulation are both legislative acts of the European Union, but they function differently. A Regulation is directly applicable and enforceable in all EU member states as soon as it comes into effect, without requiring any further action by national governments. It has a binding legal force throughout the EU, ensuring uniformity of laws across member states. On the other hand, a Directive sets out a goal that all EU countries must achieve, but it is up to the individual countries to decide how to transpose (implement) it into their national laws. Directives are not directly applicable; they require national legislation to be passed in each member state to bring them into effect.

How Directives Are Transposed into National Law

When transposing a Directive, countries typically follow common steps to ensure compliance with the EU’s objectives while aligning with national legal systems. First, the national government drafts legislation or amendments to existing laws that align with the directive’s requirements. This process often involves consultations with stakeholders, including industries, public bodies, and the general public, to consider the directive’s implications. Once the draft is prepared, it undergoes the standardStandard Means a technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory, and which is one of the following: (a) ‘international standard’ means a standard adopted by an international standardisation body; (b) ‘European standard’ means a standard adopted by a European standardisation organisation; (c) ‘harmonised standard’ means a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation; (d) ‘national standard’ means a standard adopted by a national standardisation body - Definition according Article 2, point (1), ofRegulation (EU) No 1025/2012 of the European Parliament and of the Council. legislative procedure in the country, which may include readings, debates, and votes in the national parliament. After approval, the new or amended law is officially enacted and comes into force, thereby fulfilling the requirements of the EU Directive. The European Commission monitors the transposition process to ensure that all member states implement the directives within the specified deadline and in compliance with EU law.

To date, EU countries have achieved uneven levels of progress, and have sometimes adopted different approaches to transposition

Steps and Options for EU Member States

The transposition process is a complex but crucial step in ensuring that the NIS2 Directive’s goals of enhanced cybersecurityCybersecurity ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) 'cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats; - Definition according Article 2, point (1), of Regulation (EU) 2019/881; and resilience are achieved across the EU. Member states are given a framework but also the flexibility to adapt the directive to their specific national needs, ensuring that the directive’s implementation is both effective and tailored to local contexts.
While NIS2 provides a framework, member states have some flexibility in how they implement certain aspects. For example, they can decide on the specific penalties for non-compliance, the designation of competent authorities, and the identification of essential services and operators. Member states may choose to implement sector-specific rules or additional requirements beyond those outlined in NIS2 to address national concerns or enhance security in critical sectors.

Current Progress as of August 2024

Member stateTransposition statusReference
Austria In progress Method: Law TraspositionJuly 4, 2024 – National Council: Rejection of the Information System Security Act
June 13, 2024 4129/A XXVII. GP – Initiativantrag: Motion concerning a federal law enacting a Network and Information
System Security Act 2024 and amending the Telecommunications Act 2021 and the Health Telematics
Act 2012.
Belgium Completed Method: Law TraspositionApril 17, 2024 – Official publication: Belgisch Staatsblad ; Number: 2024/202344 ; Publication date: 2024-05-17 ; Page: 63179-63230
Bulgaria
Croatia Completed Method: Law TraspositionFebruary 7, 2024 – Official publication: Narodne Novine ; Number: 14/2024 ; Publication date: 2024-02-07
Cyprus
Czech Republic In progress Method: Law Trasposition25 July 2024 – The draft law was sent to MPs as print 
760/0. Expected to come into effect at the beginning of 2025
August 25, 2022 – NÚKIB created website nis2.nukib.cz
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
Netherlands
Poland
Portugal
Romania
Slovakia
Slovenia
Spain Completed Method: Identifying Existing LawsAugust 2024 – Guía CCN-STIC 892 “Perfil de Cumplimiento Especifico para organizaciones en el ámbito de aplicación de la Directiva NIS2 (PCE-NIS2)”
Sweden

Get NIS 2 Supply Chain RiskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) Checklist

Download our free NIS2 Supply Chain Risk Checklist to ensure your organization meets the latest cybersecurity compliance standards effortlessly.