In Cybersecurity

EU NIS2 implementation: mind the growing compliance gap

Member States were required to transpose NIS2 into local laws by 17 October 2024, but progress has been slow: to date only 11 member states have passed implementing legislation. Since our last post in February new legislation has been published in Finland and Malta. Implementation seems to be on the horizon in several jurisdictions – notably Denmark, which is set to publish their implementing legislation by the end of April and is expected to come into force on 1 July 2025.

Our map below shows the status of implementing legislation in each Member State and when that legislation is expected to be in force.

The slow pace of implementation presents a major challenge. In jurisdictions that met the transposition deadline, like Belgium and Hungary, registration obligations and substantive requirements are already in force, and compliance obligations in Italy, Croatia, Lithuania, Latvia, Romania, Slovakia, Finland, Malta and Greece will take effect throughout 2025 and 2026. At the same time, many Member States are yet to finalise their implementing legislation, and so organisations cannot yet make a definitive determination if local entities are in scope. Multinational organisations will need to take a strategic, holistic approach to NIS2 compliance across their European operations, but this is increasingly difficult as compliance obligations in early adopter jurisdictions gather speed while most jurisdictions haven’t even left the starting blocks.

You can find more detail on which organisations are in scope of NIS2 in our post Europe’s enhanced cybersecurity regime: Who does NIS2 apply to and what are the key obligations?, and a summary of key compliance obligations in our post Is Europe ready for NIS2?. Subscribe to Connect on Tech for more updates on data, cyber and technology regulation around the globe.

Our thanks to the following firms who contributed to our implementation map: Bulgaria: Violette Kunze, DGKV; Croatia: Marija Gregorić, Babic & Partners; Cyprus: Alexandros Georgiades, Ada Athanasiadou & Alexandra Kokkinou, Chrysostomide; Denmark: Martin Dræbye Gantzhorn, Gorrissen Federspiel; Estonia: Merlin Liis-Toomela, Ellex; Finland: Kalle Hynönen & Aleksi Yli-Houhala, Krogerus; Greece: George Ballas & Nikolaos A. Papadopoulos, Balpel; Ireland: Eoghan O’Keefe & John Cahir, A&L Goodbody; Latvia: Irina Rozenšteina & Edvijs Zandars, Ellex; Lithuania: Dr. Jaunius Gumbis, Ellex; Malta: Paul Micallef Grimaud, Ganado Advocates; Portugal: Ricardo Henriques, Abreu Advogados; Romania: Ana Maria Abrudan & Andrei Popa, Musat; Slovenia: Ziga Dolhar, Wolf Theiss.

Author Vinod Bange

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author Magalie Dansac Le Clerc

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author Dr. Lukas Feiler

Dr. Lukas Feiler, SSCP, CIPP/E, heads the Firm’s Commercial, Data, IPTech and Trade practice in Vienna. He is specialized in technology litigations, focusing on regulatory and civil disputes in the areas of data protection, AI, and platform regulation. Building on his litigation expertise, Lukas advises clients on strategic compliance issues in the areas of cyber security, data protection, and AI. Lukas also leads the AI Desk in Vienna and is a member of the Firm’s EMEA Data Privacy & Security leadership team. Lukas regularly represents clients before the Austrian Supreme Court, the Austrian Administrative Supreme Court, the European Commission, and the EU’s General Court and the CJEU.

Author Beat Koenig

Beat König is an associate of Baker McKenzie's IP and Technology Team in Vienna. Beat advises multinational and domestic clients on telecommunications law, software licensing, data protection, IT outsourcing, patent law, trademark law, copyright, cyber security, e-commerce matters and related litigation.

Author Elisabeth Dehareng

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author Caroline Serbanescu

Caroline Serbanescu is an Associate at the Brussels office of Baker McKenzie.

Author Milena Hoffmanová

Milena Hoffmanová heads the Prague office Pharmaceuticals & Healthcare group. Her practice covers pharmaceuticals and healthcare matters, compliance, general commercial law, administrative law, as well as data protection and privacy law matters.

Author Dusan Hlavaty

Dušan Hlavatý heads the IPTech practice in Baker McKenzie Prague and is a member of the Prague core M&A team. Dušan deals with, among other things, privacy issues, telecommunication matters, cyber security, digital media, gaming, e-commerce, IP and technology projects.

Author Marlyse Lissan

Marlyse Lissan joined Baker McKenzie in July 2021. Marlyse is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, Internet and telecommunications.

Author Prof. Dr. Michael Schmidl

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author Matthias Scholz

Author Florian Tannen

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author Josephine Becker

Author Dr Michaela Nebel

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author Simone (Bach) Rieken LL.M.

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author Caroline Heinickel

Caroline Heinickel is a Senior Counsel in Baker McKenzie’s Frankfurt office. Caroline leads the German telecommunications law practice. Caroline advises and represents companies and public authorities with a particular focus on telecommunications law, IT security and EU law matters. She regularly advises clients in a broad range of telecommunications regulatory, including representation before the Federal Network Agency and the German courts, in infrastructure projects and telecommunications transactions as well as in cybersecurity matters.

Author Ines K. Radmilovic

Author Dr. Csaba Vári

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.

Author Annie Elfassi

Author Kyllian Talbourdet

Author Valerie Kopera

Author Francesca Gaudino

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author Nathalja Doing

Nathalja Doing is an associate in Baker McKenzie Amsterdam's Intellectual Property, Information Technology & Communications and Commercial practice groups. She is part of its IP and IT subgroups and the multidisciplinary Privacy Team. Nathalja has particular knowledge on various aspects of law and technology, specifically GDPR, platform laws, content regulation and IP.

Author Marcin Fialka

Author Martyna Czapska

Martyna advises clients on personal data protection and IP law. She is experienced in representing individuals and entrepreneurs in court proceedings. Martyna has also provided current legal consultancy for businesses, including in employment law.

Author Radoslaw Nozykowski

Radoslaw Nożykowski is a Counsel in the IP Tech/Compliance &Investigations departments at Baker McKenzie Warsaw office. He has over 15 years of professional experience working for clients from technology, finance, media and healthcare sectors. He is recommended by Chambers Europe and Legal 500 in the area of TMT (including privacy compliance).

Author Jakub Falkowski

Author Patricia Pérez

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author Pablo Uslé

Author Peder Oxhammar

Peder Oxhammar is Head of Baker McKenzie’s Intellectual Property Group in Stockholm. Mr. Oxhammar practices mainly within the field of intellectual property with special focus on patents, contentious matters, strategy and licensing. He advises clients in a wide range of industries in Sweden, including pharmaceuticals, white-goods, electronics, and defense.

Author William Höglund

William Höglund is a member of Baker McKenzie’s Intellectual Property and Data & Technology Practice Group in Stockholm. William focuses his practice mainly on intellectual property, IT and privacy law.

Author Alexandra Glad

Author David Molina

Author Benjamin van Kessel

Benjamin van Kessel is a partner in the Amsterdam’s IP, Technology and Commercial Contracts department.

Author Silvia Grohmann

Silvia Grohmann, CIPP/E is an associate at the Vienna office of Baker McKenzie. The landscape of EU legislation in the technology law sector is one of her areas of expertise. Her practice has a particular focus on providing strategic advisory in the areas data protection law, cybersecurity and AI. Silvia is well known to consistently publish articles on current legal issues related to emerging technologies and has made a name for herself amongst the industry with her strategic analyses and practical advice.

Author Juliette Leportois

Juliette is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, internet and telecommunications.

Author Raphaël Hendrickx

Raphaël Hendrickx is a junior associate in the IP and Technology Group in the Brussels office.

Author Maximilien T'Scharner

Maximilien T'Scharner is a junior associate in the Intellectual Property and Technology Practice Group in the Brussels office.

Author David Závada

David Závada is a junior associate and a member of the IPTech practice group of the Prague office.

Author Eva Sluijmer

Eva Sluijmer is an associate within the Baker McKenzie Intellectual Property, Information Technology & Communications and Commercial practice group in Amsterdam.

Author Kathy Harford

Kathy Harford is the Lead Knowledge Lawyer for Baker McKenzie’s global IP, Data & Technology practice.

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

Related Posts

Singapore: Update on government agency intended to tackle online harms

Upcoming Webinar: Complying with the AI Act: Navigating HR Challenges in the EU

Mexico: New legal framework in matters of transparency, protection of personal data and access to public information