The NIS2 Directive, also known as the new version of the Network and Information Security Directive, is a European directive aimed at strengthening cybersecurity across the European Union (EU). The directive is designed to help organizations protect themselves against cyber threats and to ensure that the EU’s critical infrastructure is more secure and robust.
EU member states must implement the NIS2 into national law by 17 October 2024 – setting a new standard in light of its extraterritorial reach and personal liability of management bodies.
In this guide, we take you through the current implementation status for each member state and what you should be on the lookout for.
European Commission initiates infringement procedures for NIS2 Directive implementation
The European Commission has launched infringement procedures against 23 Member States for failing to fully transpose the NIS2 Directive (Directive 2022/2555) into national law. This directive, which aims to enhance cybersecurity across the European Union, had a transposition deadline of 17 October 2024. The affected Member States include major economies such as Germany, France, and Spain, alongside others like Denmark, the Netherlands, and Sweden. The NIS2 Directive represents a significant step in strengthening the EU’s cybersecurity resilience by setting comprehensive rules for entities operating in critical sectors. These sectors include energy, health, transport, digital infrastructure, public administration, and others essential for the functioning of modern society. The directive seeks to improve the resilience of these entities, enhance incident response capacities, and ensure uniformity in cybersecurity standards across the EU. The directive's successful implementation is crucial, especially as the threats to critical infrastructure become increasingly sophisticated. By mandating measures to mitigate risks, the NIS2 Directive addresses vulnerabilities and ensures that public and private entities are better equipped to handle cybersecurity incidents.
The Commission's decision to issue letters of formal notice marks the first step in its infringement process. Member States have two months from November 28, 2024 onwards to respond, complete their transposition, and notify the Commission of their measures. Failure to provide a satisfactory response within this period may lead to further legal action, including the issuance of a reasoned opinion, which could escalate to proceedings before the Court of Justice of the European Union. This action underscores the EU’s commitment to maintaining high cybersecurity standards and ensuring the full implementation of its legislative framework. It also highlights the importance of timely and effective national measures to protect critical sectors from cyber threats, safeguarding the resilience of the European digital economy and society. By addressing delays in the NIS2 Directive’s transposition, the Commission reaffirms the need for collective action to secure the EU’s digital future and protect critical services that citizens and businesses rely on daily.
NIS2 implementation across EU member states
Click on the countries below to view the local implementation status.
Key:
No draft law yet
Draft law published
Law released
For further guidance on implementing NIS2, please get in touch with your local contact or:
Nils Müller Partner Data Privacy, Cybersecurity & Technology
T: +49 8 95 45 65 19 4 E: nilsmueller@eversheds-sutherland.com
Olaf Van Haperen Partner Data Privacy, Cybersecurity & Technology
T: +31 1 02 48 80 58 E: olafvanhaperen@eversheds-sutherland.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page