The deadline for NIS2 implementation passed more than 3 months ago. To date, 9 EU Member States have enacted implementing legislation, with registration requirements already in force in several jurisdictions. Of the 18 remaining jurisdictions, at least 6 expect that implementing legislation will not be in force until the second half of 2025, or the likely implementation date is unclear. What does that mean for multinational organisations operating in Europe?
The complexity and breadth of the new regime, as well as the uncertain political landscape in several jurisdictions, has clearly presented challenges for Member States. Our map below shows the status of implementing legislation in each Member State and when that legislation is expected to be in force.
The UK is not required to implement NIS2 but is preparing to publish a draft Cyber Security and Resilience Bill, likely in the second half of 2025. We expect this new regime to share similarities with NIS2 but it won’t be a copy and paste. EEA jurisdictions are also not required to implement NIS2, but may adapt their national cybersecurity legislation to meet its requirements – for example, Norway has indicated it will do so.
Despite the delayed implementation in many Member States, multinational organisations providing services or carrying out activities in the EU must start their compliance efforts now, wherever they are headquartered. For example, some in-scope subsidiaries in Hungary, Italy and Belgium may already be subject to proactive registration requirements, and similar requirements will kick in shortly in Latvia, Greece, Slovakia and Romania.
As discussed in more detail in our post Is Europe ready for NIS2?, the delayed implementation means that multinational organisations should continue with compliance efforts based on the NIS2 Directive itself and its transposition in the Member States where national legislation is either enacted or nearly final, while building in flexibility and monitoring to react to further implementing acts. You can find more details on the key elements of a NIS2 compliance plan in our earlier post.
Our thanks to the following firms who contributed to our implementation map: Bulgaria: Violette Kunze, DGKV; Croatia: Marija Gregorić, Babic & Partners; Cyprus: Alexandros Georgiades, Ada Athanasiadou & Alexandra Kokkinou, Chrysostomide; Denmark: Martin Dræbye Gantzhorn, Gorrissen Federspiel; Estonia: Merlin Liis-Toomela, Ellex; Finland: Kalle Hynönen & Aleksi Yli-Houhala, Krogerus; Greece: George Ballas & Nikolaus A. Papadopoulos, Balpel; Ireland: Eoghan O’Keefe & John Cahir, A&L Goodbody; Latvia: Irina Rozenšteina & Edvijs Zandars, Ellex; Lithuania: Dr. Jaunius Gumbis, Ellex; Malta: Paul Micallef Grimaud, Ganado Advocates; Portugal: Ricardo Henriques, Abreu Advogados; Romania: Ana Maria Abrudan & Andrei Popa, Musat; Slovenia: Ziga Dolhar, Wolf Theiss.
