The NIS 2 directive, or Network and Information Security 2, represents a major evolution in strengthening cybersecurity across the European Union. Adopted to address an increasing number of cyber threats, this directive must be applied in each EU member state starting October 17, 2024. It aims to reinforce the cybersecurity and cyber-resilience levels of a wide range of critical infrastructures and essential European services. But how are European states managing to meet NIS 2 requirements? What obstacles are they facing? This article offers a detailed overview of the current NIS 2 transposition and its implications for nations and businesses.
Context and Objectives of NIS 2
The NIS 2 directive is an improved version of the first NIS directive, which sought to harmonize cybersecurity requirements in the EU. With the evolution of cyberattacks from state and para-state origins, it became necessary to strengthen the security of networks and information systems. NIS 2 objectives include increasing the resilience of critical infrastructures, clarifying corporate responsibilities in cybersecurity, and extending the scope to new economic sectors.
Key Differences Between NIS 1 and NIS 2
NIS 2 distinguishes itself from NIS 1 in several important aspects. First, it broadens its scope from 10 to 18 affected sectors, integrating domains such as healthcare, energy, finance, and even transportation. Additionally, it eliminates the “OSE” (Essential Service Operators) designation in favor of two entity categories: essential and important entities. Finally, it imposes stricter reporting obligations and new non-compliance sanctions.
Unlike NIS 1, the new directive assigns direct responsibility to corporate leadership. Executives are now required to ensure their organization’s compliance with NIS 2. This means personally supervising cybersecurity strategies, participating in audits, and being able to justify measures taken to prevent cyberattacks.
Cybersecurity Requirements Under NIS 2
Security Obligations for Businesses
Companies affected by the NIS 2 directive must implement a series of security strategies to protect their information systems. These actions aim to guarantee proactive risk management, particularly through network and system security, and by monitoring suppliers and subcontractors.
Network Architecture Protection
NIS 2 requires businesses to strengthen their network and system security to minimize intrusion and destabilization risks. It specifically recommends network segmentation and controlled remote access. Implementing attack detection systems, using firewalls, and conducting regular vulnerability tests are also recommended. In Germany, companies like Siemens have implemented advanced threat analysis and detection systems to comply with NIS 2 cybersecurity requirements. (Source : siemens.com).
Incident Reporting Obligations
One of the directive’s primary requirements is the strict incident reporting obligation. Entities subject to NIS 2 must report any major incident to competent authorities within 24 hours, enabling rapid and coordinated responses to cyberattacks. In Belgium, the Belgian Cyber Security Center (CCB) has established a digital platform facilitating incident notifications and requesting assistance from the Cyber Emergency Response Team (CERT) (Source : cert.be).
Compliance and Audits Under NIS 2
To prove NIS 2 compliance, organizations will need to undergo regular audits. These audits will verify that cybersecurity measures are correctly implemented and meet the standards established by the directive.
Note that an ISO 27001 certified entity is not automatically compliant with the new directive. However, as specified on the Orange Cyberdéfense website, “ISO 27001 certification provides a good governance framework covering a large part of its requirements.”
NIS 2 Transposition Across Europe
How to Measure EU Member States’ Progress?
NIS 2 transposition is not uniform across member states. Some countries have been preparing for months or even years, while others are only beginning the process late. To measure member countries’ progress, several aspects must be considered:
- Legislative progress (bill publication, adoption)
- Transposition timeline
- Competent authority designation
- Identification of essential and important entities
- Training and awareness
- Incident notification mechanisms
Country-Specific NIS 2 Transposition Focus
Belgium
In Belgium, NIS 2 transposition is advancing rapidly. The bill was voted on in April 2024, and practical implementation details are being finalized. The Belgian Cyber Security Center (CCB) has established a reference framework based primarily on the ISO 27001 standard to ensure compliance of relevant entities. This is the “CyberFundamentals” approach, which offers a series of concrete measures to reduce the risk of computer attacks. It allows an organization to access different security levels, from Small to Essential, depending on threat severity. Additionally, the CyFun Self-assessment Tool enables verification of NIS 2 compliance against recommended measures.
Starting from the directive’s application on October 18, 2024, most entities will have five months to register on the SafeonWeb site (two months for those in certain information and communication technology sectors). The first mandatory company assessment must occur 18 months after the law’s entry into force. Finally, CyberFundamentals or ISO 27001 certification must be obtained by the concerned entity within 36 months of the national NIS 2 transposition. (Source : CCB)
Germany
Germany has adopted a more progressive approach to compliance. The country has published several draft law versions, but complete transposition is planned for 2025. The German regulatory framework relies on the KRITIS law, which establishes measures for critical infrastructure security and resilience, and the BSI Act, which assigns supervision to the Federal Office for Information Security (BSI).
France
In France, the National Cybersecurity Agency (ANSSI) is leading NIS 2 transposition through a participatory approach involving all stakeholders.
However, the legislative text has not yet been adopted: it was presented to Parliament on October 15, 2024, just days before the national directive transposition deadline. Uncertainties remained regarding the integration of local authorities into security requirements. ANSSI organized consultations in May 2024 with professional organizations affected by the directive and local government elected official associations. These aimed to clarify the scope of concerned entities and applied security measures. Increasing the “cyber maturity level of local authorities” emerged as a priority with NIS 2, as did harmonizing IT security at the territorial level.
To achieve this, public and private organizations need time. Therefore, during the Hexatrust Summer Universities in September 2024, ANSSI Director General Vincent Strubel indicated that no sanctions would be imposed on non-compliant NIS 2 companies during the first three years after its implementation.
The “My NIS 2 Space” platform allows organizations to:
- Obtain information about the new Directive
- Verify whether they are concerned by NIS 2
- And, soon, declare themselves to ANSSI
Croatia
Croatia is among the most advanced countries in NIS 2 transposition, with a draft law already adopted. In February 2024, the Croatian Cyber Security Act (CSA) came into effect, partially transposing the new Directive. By February 2025, competent authorities must notify organizations concerned by this law. These organizations will then have one year to comply with CSA measures. (Source : Wavestone)
Hungary
In Hungary, the NIS 2 directive was transposed in May 2023 following the adoption of Law 23 of 2023 on cybersecurity certification and supervision. Under the Hungarian legislation transposing NIS 2, national organizations had until June 30, 2024, to register as essential entities (EE) or important entities (IE) (Source : DLA Piper). Before October 18, 2024, NIS 2-concerned organizations must implement security measures corresponding to their information systems‘ criticality level and pay the SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) surveillance fee.
Legal and Administrative Challenges of Transposition
Legislative Complexity of NIS 2
NIS 2 transposition presents a complex legal challenge for member states. The directive requires an in-depth revision of national legislative frameworks, which can be time-consuming and politically sensitive. Differences between countries’ legal systems also make harmonizing cybersecurity requirements difficult. According to an analysis by Mayer Brown, legislative framework fragmentation in the EU constitutes a major obstacle to NIS 2’s homogeneous implementation. (Source : Mayer Brown, Analyse 2024)
Leadership Responsibility
NIS 2 imposes personal responsibility on business leaders, requiring them to justify cybersecurity measure implementation. This evolution aims to ensure cybersecurity is a top management priority but also introduces additional complexities. For small businesses, it can represent a significant burden. A recent Ivanti study of 3,000 business leaders and IT and security professionals worldwide found that “The majority (55%) of IT/security professionals believe their non-IT leaders do not have a good understanding of vulnerability management concepts.” This is confirmed by “47% of non-IT leaders who admit they do not have a very good level of understanding of the concept.” The hope is that NIS 2 transposition will pave the way for more training and awareness among leadership.
Conclusion: A Crucial but Laborious Standardization
NIS 2 directive transposition is a complex process requiring concerted efforts from all EU member states. Legislative process fragmentation, challenges related to increased leadership responsibilities, and the expansion of covered sectors make implementation difficult. However, the directive is essential for improving the resilience of Europe’s critical infrastructures against growing cyber threats.
Although countries do not show the same level of advancement and are not ready at the same time, they must be prepared by April 2025 to deliver their list of essential and important entities to the European Commission. The question remains whether these concentrated efforts in such a short timeframe will guarantee enhanced, sustainable, and ultimately uniform cybersecurity across the continent.
Download the infographic
Frequently Asked Questions about the NIS 2 Directive
The NIS 2 directive is a European directive aimed at harmonizing and strengthening cybersecurity across member states. It seeks to protect the security of networks and information systems by establishing a new framework for more robust cybersecurity. Adopted in October 2024, this European directive aims to elevate protection levels by combating increasing cyber threats through improved coordination between member countries and heightened security requirements for critical infrastructures.
The impacts of the NIS 2 directive on businesses are significant. It imposes increased cybersecurity obligations, including reinforced security measures and more rigorous risk management for concerned entities. The required level of IT security is high, with mandatory incident reporting, regular audits, and compliance with international standards such as ISO 27001. This approach enables better preparation against continuously escalating cyber threats.
To prepare for NIS 2 compliance, it is essential to establish a plan including risk assessment, employee training, and implementing management measures adapted to new obligations. Essential entities must also ensure they follow a national strategy to strengthen their cybersecurity and meet the standards imposed by the directive. Training is crucial to guarantee that all stakeholders understand their responsibilities and the security measures to be implemented.
The NIS 2 directive concerns a broad range of entities across 18 sectors, including essential service operators, companies in critical sectors such as energy, healthcare, and finance, and certain local authorities. Additionally, it applies to third-country companies operating within the European Union, with each member state’s national agency responsible for identifying the concerned entities.
The NIS 2 directive introduces a strict sanctions regime for compliance infractions. Companies failing to meet cybersecurity obligations may be subject to significant fines. Leadership responsibility is also engaged, with potential sanctions including fines based on a percentage of turnover, in accordance with each member state’s national law. These sanctions aim to ensure companies respect the established security standards.
The NIS 2 directive officially comes into force in October 2024. Member states must transpose the directive into their national legislation by this date, although some countries will provide additional time without sanction risk, such as France. Each country must publish corresponding legislation in the official journal, ensuring all concerned entities respect the new cybersecurity requirements within the specified timeframe.
The NIS 2 directive strengthens cybersecurity by imposing harmonized rules for all member states, targeting a higher overall protection level. It establishes specific security measures for critical infrastructures, improves data protection, and ensures public safety. The directive seeks to reduce cybersecurity risks by requiring regular audits, better coordination between member states, and clear measures to manage cyber threats and reinforce information system resilience.