In Cybersecurity

NIS2 Implementation Delay: What It Means for Organisations in the EU

The deadline for NIS2 implementation passed on 17 October, but only 6 EU Member States met that deadline, and 14 of the remaining 22 are not expected to have implementing legislation in force before the end of the year.

The complexity and breadth of the new regime has clearly presented challenges for Member States, as well as organisations preparing to comply. Our map below shows the status of implementing legislation in each Member State and when that legislation is expected to be in force.

The UK is not required to implement NIS2, but is expected to follow a similar path with the proposed Cyber Security and Resilience Bill which will be introduced to Parliament in 2025. Like NIS2, the Bill will expand the remit of the existing regulatory framework and mandate increased incident reporting, as well as giving regulators new cost recovery and proactive investigation powers. The UK seems set to ensure that its new innovation driven growth plans contain a cyber framework to support and protect that growth, data and critical infrastructure.

Despite the delayed implementation in many Member States, multinational organisations providing services or carrying out activities in the EU must start their compliance efforts now, wherever they are headquartered. For example, in-scope subsidiaries in countries that have already transposed NIS2 may already have formal notification or registration obligations – see, for example, our post NIS2: What can we learn from implementation in Hungary? As discussed in more detail in our post Is Europe ready for NIS2?, the delayed implementation means that multinational organisations should continue with compliance efforts based on the NIS2 Directive itself and its transposition in the Member States where national legislation is either enacted or nearly final, while building in flexibility and monitoring to react to further implementing acts. You can find more details on the key elements of a NIS2 compliance plan in our earlier post.

Our thanks to the following firms who contributed to our implementation map: Bulgaria: Violette Kunze, DGKV; Cyprus: Alexandros Georgiades & Alexandra Kokkinou, Chrysostomides; Denmark: Martin Dræbye Gantzhorn MDG, Gorrissen Federspiel; Estonia: Merlin Liis-Toomela, Ellex; Finland: Kalle Hynönen & Aleksi Yli-Houhala, Krogerus; Greece: George Ballas & Nikolaus A. Papadopoulos, Balpel; Ireland: Eoghan O’Keefe & John Cahir, A&L Goodbody; Latvia: Irina Rozenšteina & Edvijs Zandars, Ellex; Lithuania: Dr. Jaunius Gumbis, Ellex; Malta: Paul Micallef Grimaud, Ganado Advocates; Portugal: Ricardo Henriques, Abreu Advogados; Romania: Ana Maria Abrudan & Andrei Popa, Musat; Slovenia: Ziga Dolhar, Wolf Theiss.

Author Vinod Bange

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author Magalie Dansac Le Clerc

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author Josephine Becker

Author Martyna Czapska

Martyna advises clients on personal data protection and IP law. She is experienced in representing individuals and entrepreneurs in court proceedings. Martyna has also provided current legal consultancy for businesses, including in employment law.

Author Elisabeth Dehareng

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author Nathalja Doing

Nathalja Doing is an associate in Baker McKenzie Amsterdam's Intellectual Property, Information Technology & Communications and Commercial practice groups. She is part of its IP and IT subgroups and the multidisciplinary Privacy Team. Nathalja has particular knowledge on various aspects of law and technology, specifically GDPR, platform laws, content regulation and IP.

Author Annie Elfassi

Author Jakub Falkowski

Author Dr. Lukas Feiler

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author Marcin Fialka

Author Francesca Gaudino

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author Alexandra Glad

Author Kathy Harford

Kathy Harford is the Lead Knowledge Lawyer for Baker McKenzie’s global IP, Data & Technology practice.

Author Caroline Heinickel

Author Dusan Hlavaty

Dušan Hlavatý heads the IPTech practice in Baker McKenzie Prague and is a member of the Prague core M&A team. Dušan deals with, among other things, privacy issues, telecommunication matters, cyber security, digital media, gaming, e-commerce, IP and technology projects.

Author Milena Hoffmanová

Milena Hoffmanová heads the Prague office Pharmaceuticals & Healthcare group. Her practice covers pharmaceuticals and healthcare matters, compliance, general commercial law, administrative law, as well as data protection and privacy law matters.

Author William Höglund

William Höglund is a member of Baker McKenzie’s Intellectual Property and Data & Technology Practice Group in Stockholm. William focuses his practice mainly on intellectual property, IT and privacy law.

Author Beat Koenig

Beat König is an associate of Baker McKenzie's IP and Technology Team in Vienna. Beat advises multinational and domestic clients on telecommunications law, software licensing, data protection, IT outsourcing, patent law, trademark law, copyright, cyber security, e-commerce matters and related litigation.

Author Valerie Kopera

Author Marlyse Lissan

Marlyse Lissan joined Baker McKenzie in July 2021. Marlyse is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, Internet and telecommunications.

Author David Molina

Author Dr Michaela Nebel

Dr. Michaela Nebel is a partner in the Frankfurt office of Baker McKenzie. Prior to joining Baker McKenzie she studied law at the University of Passau. She obtained her Doctor of Law degree on a topic related to privacy in the Web 2.0. From July until December 2014 she practiced at the San Francisco office of Baker McKenzie. She is a member of the International Association of Privacy Professionals (IAPP) and since May 2015 a Certified Information Privacy Professional/Europe (CIPP/E) and since May 2017 a Certified Information Privacy Professional/United States (CIPP/US). She is also the author of numerous articles on information technology law, in particular on data protection law and e-commerce law, and the co-author of an English language commentary on the EU General Data Protection Regulation.

Author Radoslaw Nozykowski

Radoslaw Nożykowski is a Counsel in the IP Tech/Compliance &Investigations departments at Baker McKenzie Warsaw office. He has over 15 years of professional experience working for clients from technology, finance, media and healthcare sectors. He is recommended by Chambers Europe and Legal 500 in the area of TMT (including privacy compliance).

Author Peder Oxhammar

Peder Oxhammar is Head of Baker McKenzie’s Intellectual Property Group in Stockholm. Mr. Oxhammar practices mainly within the field of intellectual property with special focus on patents, contentious matters, strategy and licensing. He advises clients in a wide range of industries in Sweden, including pharmaceuticals, white-goods, electronics, and defense.

Author Patricia Pérez

Patricia Perez joined the Information Technology & Communications Department of Baker & McKenzie in Madrid in 2013. Her prior experience includes working at national law firms in the Corporate and Intellectual Property and Information Technology departments.

Author Ines K. Radmilovic

Author Simone (Bach) Rieken LL.M.

Simone Rieken is a senior associate in Baker McKenzie's Frankfurt office and a member of the Information Technology Practice Group. Prior to joining the Firm, she worked for a large German corporate law firm, focusing on IT and data protection law. She studied law at the University of Trier and at Queen Mary, University of London and clerked in Hamburg and Los Angeles. She advises national and international companies on all aspects of IT and data protection law. She focuses on data protection with regard to direct marketing and related tracking and profiling activities. Another focus of her practice is on IT (outsourcing) projects and agile software developments.

Author Prof. Dr. Michael Schmidl

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author Matthias Scholz

Author Caroline Serbanescu

Caroline Serbanescu is an Associate at the Brussels office of Baker McKenzie.

Author Kyllian Talbourdet

Author Florian Tannen

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.

Author Pablo Uslé

Author Dr. Csaba Vári

Csaba Vári is head of the Privacy practice for Baker McKenzie in Hungary and a member of the Intellectual Property and Technology group. He provides comprehensive advice to clients on privacy and cybersecurity matters, from European data protection regulations and local privacy laws to e-commerce and cloud services regulation. His work focuses on advice and support to clients regarding data protection impact assessments, data security incident reporting, and responding to queries from data subjects, as well as representation before regulatory authorities and courts.

Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

Related Posts

Baker McKenzie Cyber Law Roundtable: Navigating NIS2: What Every Organization Needs to Know

Celebrating Data Privacy Day: our updated Global Data & Cyber Handbook

The 2025 Baker McKenzie “Top 10” Predictions on Global Data and Cybersecurity Risks