NIS2 implementation guidelines in EU countries
Knyrim Trieb AttorneysAustria
- Implementation Stage: Draft NISG 2024 discussed but not passed due to lack of majority. Availability of the draft law noted.
- Registration to Local Authorities: Required for essential and important entities (and domain name registration services) within three months of law enactment or immediately thereafter.
- Are there Specific Registration Requirements: Yes. Registration must include entity name, address/contact details (including representative if applicable), sector/subsector/type, EU service locations, IP ranges (if applicable), main/branch addresses (or representative address), and information on threshold levels/entity type.
- Specificities of Local Implementation: Draft development unclear due to government formation. Broader registration scope than NIS2 (all essential/important entities). Allows personal data publication post-incident for awareness. Includes option for EU cybersecurity certification (Art 49). Local administration/educational institutions are not currently in scope.
TimelexBelgium
- Implementation Stage: National law transposing NIS 2 entered into force on October 18, 2024.
- Registration to Local Authorities: Required for essential and important entities within 5 months of law’s entry (or identification). Specific entities (e.g., DNS, cloud) had a 2-month deadline.
- Are there Specific Registration Requirements: Yes. Registration includes name, Belgian CBE/KBO number (or similar EU registration), address/contact details (email, IP, phone), relevant sector/subsector (Annex I/II), and EU service locations. Specific rules apply to certain entities.
- Specificities of Local Implementation: Few key differences. Belgian entities need a coordinated vulnerability disclosure policy. Essential entities have conformity assessment options (CCB inspection or assessment body). Important entities can voluntarily have a self-assessment reviewed. Risk analysis based on all-hazards approach is mandatory. Essential entities can opt for important entity level under conditions.
Rowan legalCzech Republic
- Implementation Stage: As of 15.4. 2025, the NIS2 has not yet been implemented into the Czech legal system. The draft of the new cyber security act awaits the third reading in the Chamber of Deputies.
- Registration to Local Authorities: Yes, essential and important entities are subject to registration with the National Office for Cyber and Information Security (NÚKIB).
- Are there Specific Registration Requirements: Implementing regulation to the new cyber Security act specifies the requirements for registration. Essential and important entities are required to register through a web formular on the NÚKIB websites. Test version is available.
- Specificities of Local Implementation: Czech legislation provides for two levels of security measures to be implemented by regulated entities. A regulated entity must evaluate which level it will fall into as part of its preparation for registration with NÚKIB. The boundary between the cybersecurity measures levels does not correspond to the division between essential and important entities as set in NIIS2.
NJORD Law FirmDenmark
- Implementation Stage: Danish NIS2-law proposal introduced on February 6, 2025, with finalization expected in March/April 2025.
- Registration to Local Authorities: Required for essential and important entities and domain name registration services with the relevant authority.
- Are there Specific Registration Requirements: Yes. Includes entity name, address/contact details (email, IP ranges, phone), relevant sector/sub-sector (Annex 1/2), and EU service locations. Submission deadline: two weeks after coverage; changes: two weeks after change.
- Specificities of Local Implementation: No significant registration rule amendments expected, but competent authorities for registration may change.
LexiaFinland
- Implementation Stage: Legislation is already in force.
- Registration to Local Authorities: Yes. Scope aligns with NIS2 Art 2(1-4) and 3(1-2), covering essential/important entities (excluding public administration, which is under separate Act on Information Management in Public Administration).
- Are there Specific Registration Requirements: Yes. Supervisory authority maintains a register. Entities report name, address, email, phone, other contact details, IP range, relevant sector/subsector (Annex 1/2), essential entity classification, EU service locations, and voluntary information sharing participation. Specific digital service providers must report additional details. Registration form details are not yet specified.
- Specificities of Local Implementation: No significant changes expected to the Government Bill.
YdèsFrance
- Implementation Stage: Legislation amendments expected to come into force earliest summer 2025.
- Registration to Local Authorities: Yes. Scope aligns with NIS2 Art 2(1-4) and 3(1-2), covering essential/important entities (excluding public administration, which is under separate Act on Information Management in Public Administration).
- Are there Specific Registration Requirements: Yes. Supervisory authority maintains a register. Entities report name, address, email, phone, other contact details, IP range, relevant sector/subsector (Annex 1/2), essential entity classification, EU service locations, and voluntary information sharing participation. Specific digital service providers must report additional details. Registration form details are not yet specified.
Wodianka Privacy LegalGermany
- Implementation Stage: Latest NIS-2 draft stopped in January 2025; new law expected after federal elections, likely finalized by end of 2025.
- Registration to Local Authorities: Yes, § 33 Sec 1 BSIG requires registration within 3 months of service provision.
- Are there Specific Registration Requirements: Yes, pursuant to § 33 Sec No 1-5 BSIG: entity name (including legal form/commercial register number), address/contact details (email, public IP ranges, phone), relevant sector/industry (Annex 1/2), EU service locations for Annex 1/2 types, and responsible federal/state supervisory authorities.
- Specificities of Local Implementation: Registration is already mandatory for critical infrastructures. Uncertainty exists due to a new “NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz” being discussed post-elections.
VJT & PartnersHungary
- Implementation Stage: Implemented. Hungary’s new cybersecurity law, Act LXIX of 2024, came into force in January 2025. This law fully transposes the NIS2 Directive and the CER Directive, replacing previous regulations.
- Registration to Local Authorities: Required. Essential and important entities are required to register with the cybersecurity regulator. Existing entities had to submit their registration forms by 30 June 2024, with a grace period extended until 18 October 2024. Newly established entities must register within 30 days of commencing operations.
- Are there Specific Registration Requirements: Yes. The new cybersecurity law includes a mandatory electronic registration form, which businesses must submit via their official Hungarian electronic gateway. The initial registration form and the form for amending registrations are available online.
- Specificities of Local Implementation: No major changes expected. The regulator recently introduced a new requirement for entities to notify whether they provide services in other Member States. Additionally, minor refinements were made to the registration forms on 20 February 2025.
RPLTItaly
- Implementation Stage: National law transposing NIS 2 entered into force on October 16, 2024.
- Registration to Local Authorities: Yes. Essential and important entities must register or update registration annually (January 1 – February 28) on the National Cybersecurity Agency’s digital platform.
- Are there Specific Registration Requirements: Yes. Includes company name, address/contact details, point of contact (and substitute with details), relevant sectors/sub-sectors/entity types (Annexes I-IV), public IP space/domain names, EU service locations, and legal representatives’ details. Specific digital service providers must provide additional information like EU headquarters/establishment addresses (or representative details if non-EU based).
- Specificities of Local Implementation: No key differences
Van Diepen Van der Kroef AdvocatenThe Netherlands
- Implementation Stage: NIS 2 will be implemented through the Cyberbeveiligingswet in the third quarter of 2025, a delayed implementation.
- Registration to Local Authorities: Required for essential and important entities with the Dutch Cyber Security Center (NCSC). Self-evaluation check available on NCSC website. Voluntary registration possible from October 2024, obligatory from mid-2025.
- Are there Specific Registration Requirements: Yes. Detailed information and a registration checklist are available on the NCSC website at the provided link.
- Specificities of Local Implementation: Basic structure aligns with NIS2 directive. Implemented within a single law, the Cyberbeveiligingswet. Significant amendments to the draft are unlikely, but detailed changes are possible.
Brækhus AdvokatfirmaNorway
- Implementation Stage: Norway, as an EEA country, will implement NIS2. However, due to the EEA agreement process, implementation typically occurs later than in EU member states. A national law transposing the NIS 1 Directive will enter into force sometime in 2025. NIS2 Implementation is expected to occur after that.
- Registration to Local Authorities: Not currently required, but will be once NIS2 is implemented. The National Security Authority (NSM) is anticipated to oversee registration.
- Are there Specific Registration Requirements: No draft law is available as of February 9, 2025, so specific registration requirements are not yet defined.
- Specificities of Local Implementation: No local version is available as of February 9, 2025. It is unclear if there will be significant amendments to the NIS2 registration rules
Traple Konarski Podrecki & WspólnicyPoland
- Implementation Stage: Draft law amending the Act on the National Cybersecurity System is in government work (fifth version). Submission to parliament planned for the second quarter of 2025.
- Registration to Local Authorities: Required for essential and important entities via application to the register maintained by the minister responsible for informatization. Deadline: 3 months from law’s entry or recognition as an essential/important entity.
- Are there Specific Registration Requirements: Yes. Electronic application required (qualified/trusted/personal signature) with 17 items, including entity name, sector/sub-sector/type, registered office/contact/tax ID, internet domains, enterprise size, and managed cybersecurity service provider contract info.
- Specificities of Local Implementation: Several changes compared to NIS 2: mandatory external audit for essential entities, introduction of a security order, recognition of high-risk suppliers, and a quasi-category of public-important entities with limited obligations.
MLGTSPortugal
- Implementation Stage: A draft bill was under discussion in Parliament but has expired due to its dissolution. The initiative will need to be reintroduced after the May elections, and its content may change.
- Registration to Local Authorities: Yes, if the previous bill’s requirements remain, essential, important, and relevant public entities, along with domain name service providers, must initially register with the National Cybersecurity Center (CNCS) within 60 days of the CNCS platform’s availability. New domain name service providers have 30 days from starting activity. Registered entities must update data changes within 30 business days (or 3 months for certain digital service providers).
- Specific Registration Requirements: Yes, if the previous bill’s requirements remain, registration will require data such as the tax identification number, IP address ranges, a list of EU Member States where services are provided, and updated contact details of a designated EU representative (if applicable). The CNCS may require additional data later.
- Specificities of Local Implementation: Information not currently available.
Tuca Zbârcea & AsociatiiRomania
- Implementation Stage: Law entered into force in December 2024
- Registration to Local Authorities: Timeframe is 30 days from the entry into force of secondary legislation regarding the notification duties or from the date of qualification as an essential or important entity (if such occurs after the entry into force of the relevant secondary legislation)
- Are there Specific Registration Requirements: Entities registering on a dedicated platform must provide core identification and contact details, information about their activities and size, contact information for cybersecurity and monitoring personnel, their public IP address ranges, details about their presence in the EU, and information necessary to determine if they qualify as an essential or important entity under relevant regulations. It’s anticipated that secondary legislation related to NIS2 notification duties will require further information beyond these minimum requirements.
- Specificities of Local Implementation: No
Rowan legalSlovakia
- Implementation Stage: NIS2 implemented via amendment to Act No. 69/2018 Coll., effective January 1, 2025 (in force since November 28, 2024).
- Registration to Local Authorities: Yes, essential (“Kritická základná služba”) and important (“Základná služba”) entities must register with the National Security Office (“Národný bezpečnostný úrad”).
- Are there Specific Registration Requirements: Yes. Registration form provided by the National Security Office. Important service providers register within 60 days of commencing activity, providing name, registered office/contact details (including electronic addresses, public IP addresses, phone numbers), EU operating/service locations, and representative’s details (if applicable).
- Specificities of Local Implementation: Entities are categorized as providing “essential service” or “important service” instead of the direct “essential” and “important” terminology of NIS2.
RocaJunyentSpain
- Implementation Stage: A draft bill transposing the NIS 2 Directive has been approved and is pending final approval.
- Registration to Local Authorities: Yes, essential and important entities must register in the National Cybersecurity Centre list. Entities are responsible for assessing their inclusion and submitting the required information to supervisory authorities within a maximum of three months from acquiring their status. Regulatory mechanisms for self-registration may be established.
- Specific Registration Requirements: Yes, the draft law specifies the required information, including the entity’s name, address and contact details (including updated email, IP ranges, phone numbers, and the contact person for information security), the specific sector and subsector according to the draft bill’s annexes, and a list of EU Member States where services are offered. Entities must notify supervisory authorities of any changes to this information within two weeks.
- Specificities of Local Implementation: There are specific obligations concerning the protection of informants, a specific cooperation regime for the financial sector, and a dedicated National Cybersecurity Framework for compliance. Additionally, certain obligations, such as information and notification requirements, go beyond the stipulations of NIS 2
Norelid AdvokatbyriaSweden
- Implementation Stage: A draft of the Swedish national law implementing the NIS2 directive was published in March 2024 through a Swedish Government Official Report. However, the official and finalized proposal for the legislation is expected to be published in May 2025. Hence, the Swedish national law will most likely enter into force in August 2025 at the earliest.
- Registration to Local Authorities: Essential and important entities will be required to register with their designated supervisory authority, which will vary depending on sector. In total, there are 11 supervisory authorities appointed to supervise the entities subject to the NIS 2 directive. The supervisory authorities will be obligated to report the registration information to the Swedish CSIRT (cybersecurity regulator) who will act as an overall coordinator.
- Specific Registration Requirements: The draft law (as well as the current Swedish national law through which the first NIS directive is implemented) provides information about the obligation to register. However, the exact information to be submitted by the entities when registering will be provided through the cybersecurity regulator’s own regulation(s). With this as a basis, each supervisory authority will then establish their own respective registration forms.
- Specificities of Local Implementation: Not at this stage, but we expect possible differences in the final draft of the law.