All European Union (EU) countries must transpose the NIS 2 (Network and Information Security) directive into their national law by October 2024.
Cyber criminals are getting increasingly efficient as they develop better tools, affecting a growing number of organizations that are all too often inadequately prepared. NIS 2 consolidates the NIS framework for improved security. This new European regulation drastically broadens the range of entities covered. It affects companies in a wide range of sectors and sizes, from SMEs to large corporations. This wider scope is undoubtedly a challenge for national authorities, who must transpose the text and define security requirements that will apply to heterogeneous organizations.
To date, EU countries have achieved uneven levels of progress, and have sometimes adopted different approaches to transposition (public vs. closed consultation, alignment with pre-existing national laws, varying degrees of communication including the provision of self-help tools …). This article compares the level of transposition in each member State.
Heterogeneous progress in transposition process
Last updated on May 15, 2024
The most advanced countries (maturity level 3 & 4)
Last updated on May 15, 2024
Countries with mid-term advancement(maturity level 2)
Last updated on May 15, 2024
Countries at the beginning of the transposition process (maturity level 1)
Last updated on May 15, 2024
Focus on selected European countries
Belgium
The NIS 2 transposition bill was approved by Parliament on April 18, 2024. A Royal Decree is subsequently expected to specify the practical details of the law’s implementation.
4
level of maturity
- November 10, 2023: the Belgian Council of Ministers approves, on first reading, the draft bill to transpose the European NIS 2 directive.
- November 16, 2023 – December 21, 2023: the CCB organizes a public consultation on this draft.
- 27 March 2024: The NIS 2 transposition bill is approved in the Interior Commission of the Chamber of Representatives.
- April 18, 2024: the bill is voted in plenary session by the Belgian Parliament.
- Upcoming : an implementing Royal Decree is expected to specify how the law will come into force. This decree will need to specify certain practical modalities related to the supervision of entities: the reference framework of cybersecurity measures used to assess entities, the inspection modalities of entities, the conditions for the accreditation of control bodies, etc.
- Compliance with the CyberFundamentals Framework (CyFun) provided by the CCB, as well as certification to the ISO 27001 standard, should serve as a presumption of compliance with NIS 2 security measures.
- The CyFun framework brings together a set of measures inspired by several cybersecurity standards (ISO 27001 / 27002, NIST CSF, CIS Controls and IEC 62443).
- Upon the entry into force of the law:
- All entities concerned by NIS 2 will have 5 months to notify the CCB.
- EE will be subject to annual inspections by an organization accredited by the CCB. EI may undergo inspections on a voluntary basis.
Germany
Germany published its third draft law (NIS2UmsuCG) in December 2023. A fourth version without major changes is expected soon.
3
level of maturity
- April 2023: First version of the draft law
- July 2023: Second version of the draft law
- December 2023: Third version of the draft law
- May 2024: Fourth version of the draft law (without major changes)
In Germany, the BSI Act adopted in 1991 gives BSI the mandate to ensure the security of information systems. The IT Security Act, enacted in 2015 (later updated in 2021 through the IT Security Act 2.0), expands BSI’s responsibilities and imposes security measures on operators of critical infrastructures. Concurrently, the KRITIS Ordinance, established in 2016, designates organizations with critical infrastructures and imposes specific obligations to enhance their cybersecurity.
Germany has clarified the categories of entities that will be affected by NIS2 in connection with KRITIS. The NIS 2 directive will cover two categories of entities :
1 – Particularly Important Entities (KRITIS + EE) :
- Companies with critical infrastructures already subject to KRITIS
- Large enterprises (with more than 249 employees or turnover exceeding €50 million or Annual Accounts exceeding €43 million) in the essential sectors covered by the NIS 2 directive
- Institutions specifically designated as essential by the State regardless of their size
2 – Important Entities (IE) :
- Large enterprises (with more than 249 employees or turnover exceeding €50 million or Annual Accounts exceeding €43 million) in the important sectors covered by the NIS 2 directive (postal services, waste management, food industry, manufacturing industry,…=> see list in the publication on the NIS 2 directive)
- Medium-sized enterprises (with between 50 and 250 employees or turnover between €10 million and €50 million or Annual Accounts between €10 million and €43 million) in the essential and important sectors covered by the NIS 2 directive
Entities subject to NIS 2 will be required to :
- Demonstrate their compliance with BSI through audits and/or certifications, starting from 2027 and then every 3 years
- Monitor their direct suppliers and immediately report any security incidents related to these suppliers to BSI
France
In order to adopt a co-constructive approach, ANSSI organized a series of consultations related to the transposition of NIS 2. By the end of 2023, ANSSI shared, in restricted working groups, a set of provisional security requirements. A bill is due to be presented to the legislative authorities in May 2024. This bill will then be accompanied by around twenty implementing decrees. One of these decrees should specify the final version of the safety requirements.
3
level of maturity
ANSSI has favored a participative approach, involving key players in the sector, including industry federations such as UFE (Union Française de l’Électricité), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS etc.).
The consultation phase focused on 3 themes :
- The scope of entities subject to the law (September 2023)
- The modalities of interaction between ANSSI and regulated entities (October 2023)
- The cybersecurity requirements framework (November 2023 to March 2024)
ANSSI has planned to implement several online assistance tools, some of which are available in beta version :
- A tool to assess an organization’s eligibility to NIS 2
- A support service for implementing a cybersecurity approach
- A tool for monitoring cybersecurity measures
Authorities are planning to align the transposition of NIS with that of REC (Resilience of Critical Entities) to clarify the regulatory framework for organizations affected by both laws.
UK
Although not affected by the NIS 2 directive, following the Brexit, the UK plans to evolve its current NIS regulations.
1
level of maturity
- 2018 : While a member of the EU, the United Kingdom transposed the European NIS directive into its national law. For each sector affected, a competent authority (NIS Regulator) was identified. Guidance documents containing security measures were also made available for each sector.
- 2022 : Following a consultation, the Government has announced its intention to update the NIS regulations to improve the UK’s cyber resilience.
The modifications envisaged by the Government include :
- Integrating Managed Service Providers (MSPs) into the scope of the regulation to ensure the security of digital supply chains
- Improving the notification of cybersecurity incidents to authorities
- Implementing a cost recovery system to enforce NIS regulation.
Italie
L’Italie a initié sa préparation à la directive NIS 2 le 26 janvier 2022, avec une première publication dédiée à la stratégie et à la gouvernance.
1
niveau de maturité
La transposition de NIS 2 en Italie se déploie à travers plusieurs axes.
- La stratégie nationale de cybersécurité couvre 82 mesures, regroupées en 3 domaines thématiques (protection, développement et politique de réponse).
- Le cadre national des mesures de gestion comprend 5 mesures destinées à améliorer la gestion des cyber-crises. Parmi celles-ci, 2 mesures sont dédiées aux exercices et intégrées avec l’UE, l’OTAN (Organisation du traité de l’Atlantique nord) et les mécanismes internationaux applicables.
- L’équipe spécialisée dans la gestion des incidents et les outils à dispositions inclut 8 mesures consacrées aux services cybernétiques nationaux et aux multiples outils numériques en cours d’élaboration pour gérer le grand nombre d’entités.
- La supervision concerne 3 mesures qui prévoient l’activation d’une équipe centrale d’inspection.
ACN (Agenzia per la Cybersicurezza Nazionale)
Espagne
L’Espagne a organisé une consultation publique fin 2023, en vue de contribuer à la formulation de la législation nationale qui permettra la transposition de NIS 2.
1
niveau de maturité
21 septembre au 17 octobre 2023 : lors d’une consultation publique, toutes les parties intéressées (incluant les organisations, associations et citoyens) sont invitées à s’exprimer sur l’intégration de la directive européenne NIS 2 dans le droit national.
Les détails sur l’avancement du processus de transposition de NIS 2 en Espagne restent limités.
DSN (Departamento de Seguridad Nacional)
Luxembourg
Au Luxembourg, les entités affectées par la directive NIS 2 doivent procéder à un auto-enregistrement auprès des autorités désignées.
1
niveau de maturité
L’Institut Luxembourgeois de Régulation (IRL) a initié un processus d’identification et de sensibilisation des acteurs concernés par NIS 2.
Avec NIS 2, l’analyse annuelle des risques obligatoire incombe désormais aux dirigeants – contrairement à NIS 1 où l’IRL fournissait un rapport d’analyse des risques comparatif annuel à chaque entreprise concernée.
IRL (Institut Luxembourgeois de Régulation)
Autriche
L’Autriche anticipe la transposition de la directive NIS 2 avec des révisions programmées de ses lois actuelles sur la cybersécurité.
1
niveau de maturité
- L’approche autrichienne de la mise en œuvre de la NIS2 entraînera probablement l’évolution des législations existantes, incluant la loi sur la protection des infrastructures critiques (KritisG). Des discussions avec les parties prenantes et une consultation publique précéderont ces mises à jour.
- Des autorités de surveillance seront désignées pour veiller à l’application des nouvelles règles, avec des sanctions en cas de non-respect.
- La Chambre fédérale de commerce et d’industrie (WKO) autrichienne propose un guide en ligne (A-t-on le lien ?) aux entreprises pour savoir si elles sont concernées par NIS 2. Le cas échéant, elles devront évaluer et, si nécessaire, améliorer leurs procédures de cybersécurité pour se conformer aux nouvelles exigences.
WKO (Wirtschaftskammer Österreich)
Saisissez tout le potentiel de l'IA générative, adoptez les bons réflexes !
France
Fin 2023, l’ANSSI (Agence nationale de la sécurité des systèmes d’information) a publié un ensemble d’exigences provisoires pour la directive NIS 2. Ces informations, confidentielles à date, ont été partagées dans le cadre de groupes de travail restreints.
L’ANSSI privilégie une méthode participative, impliquant des acteurs clés du secteur, y compris des fédérations professionnelles comme l’UFE (Union Française de l’Électricité), des associations en cybersécurité (CLUSIF, CESIN) et des prestataires qualifiées (PASSI, PRIS, PDIS etc.).
La phase de consultation portait sur 3 thèmes :
- Le périmètre des entités assujetties (septembre 2023)
- Les modalités d’interaction entre l’ANSSI et les entités assujetties (octobre 2023)
- Les exigences de cybersécurité (novembre 2023-mars 2024)
- Un outil d’autoévaluation de l’éligibilité à NIS2 (version bêta) est accessible en ligne.
- Un travail de mise en cohérence des règlementations DORA (Digital Operational Resilience Act), NIS et REC (???) est en cours afin de clarifier le cadre réglementaire=.
ANSSI (Agence nationale de la sécurité des systèmes d’information)
This publication was produced with the contribution of Nandi Traoré and Amélie Amanejieu.
Related Insights
Zineb Elfarissi
Gerome Billois
Sleh-Eddine Choura
Henri du Périer
Nathalie Balabhadra
Aurelia de Maleissye
Nicolas Gauchard
Hugo Bérard