Member States were required to transpose NIS2 into local laws by 17 October 2024, but progress has been slow: to date only 11 member states have passed implementing legislation. Since our last post in February new legislation has been published in Finland and Malta. Implementation seems to be on the horizon in several jurisdictions – notably Denmark, which is set to publish their implementing legislation by the end of April and is expected to come into force on 1 July 2025.
Our map below shows the status of implementing legislation in each Member State and when that legislation is expected to be in force.
The slow pace of implementation presents a major challenge. In jurisdictions that met the transposition deadline, like Belgium and Hungary, registration obligations and substantive requirements are already in force, and compliance obligations in Italy, Croatia, Lithuania, Latvia, Romania, Slovakia, Finland, Malta and Greece will take effect throughout 2025 and 2026. At the same time, many Member States are yet to finalise their implementing legislation, and so organisations cannot yet make a definitive determination if local entities are in scope. Multinational organisations will need to take a strategic, holistic approach to NIS2 compliance across their European operations, but this is increasingly difficult as compliance obligations in early adopter jurisdictions gather speed while most jurisdictions haven’t even left the starting blocks.
You can find more detail on which organisations are in scope of NIS2 in our post Europe’s enhanced cybersecurity regime: Who does NIS2 apply to and what are the key obligations?, and a summary of key compliance obligations in our post Is Europe ready for NIS2?. Subscribe to Connect on Tech for more updates on data, cyber and technology regulation around the globe.
Our thanks to the following firms who contributed to our implementation map: Bulgaria: Violette Kunze, DGKV; Croatia: Marija Gregorić, Babic & Partners; Cyprus: Alexandros Georgiades, Ada Athanasiadou & Alexandra Kokkinou, Chrysostomide; Denmark: Martin Dræbye Gantzhorn, Gorrissen Federspiel; Estonia: Merlin Liis-Toomela, Ellex; Finland: Kalle Hynönen & Aleksi Yli-Houhala, Krogerus; Greece: George Ballas & Nikolaos A. Papadopoulos, Balpel; Ireland: Eoghan O’Keefe & John Cahir, A&L Goodbody; Latvia: Irina Rozenšteina & Edvijs Zandars, Ellex; Lithuania: Dr. Jaunius Gumbis, Ellex; Malta: Paul Micallef Grimaud, Ganado Advocates; Portugal: Ricardo Henriques, Abreu Advogados; Romania: Ana Maria Abrudan & Andrei Popa, Musat; Slovenia: Ziga Dolhar, Wolf Theiss.
