NIS2 Tranposition Overview

The state of play of the NIS2 Directive

Europe’s critical infrastructure faces ever-increasing cyber threats. Examples of serious consequences are the Danish railways coming to a standstill in 2022, or the millions of Ukrainians being cut off from the internet in 2023. To combat these threats, the revised Network and Information Security (NIS2) Directive was adopted in November 2022, and entered into force on 16 January 2023. It aims to increase the common level of cybersecurity of critical infrastructure in the EU and sets out obligations related to Member States’ cyber capabilities, risk management and reporting, and cooperation and information exchange for ‘essential and important entities’.

The deadline for Member States to transpose the Directive into national law was 17 October 2024. Nevertheless, as of 28 November 2024, the European Commission opened infringement procedures on 23 EU Member States for having failed to transpose the NIS2 Directive. Two months after the deadline, only four Member States had done so. The ongoing work in the EU Member States and (draft) transposition laws published so far show that there is a real risk of fragmentation across the EU, hampering efficient cybersecurity and competitiveness for the digital industry. Recently, DIGITALEUROPE has published studies on improving the EU Digital Single Market and on how Europe can lead on critical technology.

This document seeks to provide an overview of the state of NIS2 transposition in the EU Member States, based on details provided by national trade association (NTA) members of DIGITALEUROPE, complemented by desk research. Note that the information found below is non-exhaustive, is based on available information and comprises a snapshot of the current situation that may be subject to change.