The deadline for NIS2 implementation passed on 17 October, but only 6 EU Member States met that deadline, and 14 of the remaining 22 are not expected to have implementing legislation in force before the end of the year.
The complexity and breadth of the new regime has clearly presented challenges for Member States, as well as organisations preparing to comply. Our map below shows the status of implementing legislation in each Member State and when that legislation is expected to be in force.
The UK is not required to implement NIS2, but is expected to follow a similar path with the proposed Cyber Security and Resilience Bill which will be introduced to Parliament in 2025. Like NIS2, the Bill will expand the remit of the existing regulatory framework and mandate increased incident reporting, as well as giving regulators new cost recovery and proactive investigation powers. The UK seems set to ensure that its new innovation driven growth plans contain a cyber framework to support and protect that growth, data and critical infrastructure.
Despite the delayed implementation in many Member States, multinational organisations providing services or carrying out activities in the EU must start their compliance efforts now, wherever they are headquartered. For example, in-scope subsidiaries in countries that have already transposed NIS2 may already have formal notification or registration obligations – see, for example, our post NIS2: What can we learn from implementation in Hungary? As discussed in more detail in our post Is Europe ready for NIS2?, the delayed implementation means that multinational organisations should continue with compliance efforts based on the NIS2 Directive itself and its transposition in the Member States where national legislation is either enacted or nearly final, while building in flexibility and monitoring to react to further implementing acts. You can find more details on the key elements of a NIS2 compliance plan in our earlier post.
Our thanks to the following firms who contributed to our implementation map: Bulgaria: Violette Kunze, DGKV; Cyprus: Alexandros Georgiades & Alexandra Kokkinou, Chrysostomides; Denmark: Martin Dræbye Gantzhorn MDG, Gorrissen Federspiel; Estonia: Merlin Liis-Toomela, Ellex; Finland: Kalle Hynönen & Aleksi Yli-Houhala, Krogerus; Greece: George Ballas & Nikolaus A. Papadopoulos, Balpel; Ireland: Eoghan O’Keefe & John Cahir, A&L Goodbody; Latvia: Irina Rozenšteina & Edvijs Zandars, Ellex; Lithuania: Dr. Jaunius Gumbis, Ellex; Malta: Paul Micallef Grimaud, Ganado Advocates; Portugal: Ricardo Henriques, Abreu Advogados; Romania: Ana Maria Abrudan & Andrei Popa, Musat; Slovenia: Ziga Dolhar, Wolf Theiss.
