Over the last few years, the NIS2 Directive has been a hot topic for many organizations. We have extensively covered it in articles, whitepapers, speaker slots at several events, and webinars in English and German.
The directive entered into force in October 2024 should be transposed into local law by then.
What does transposing into local law mean in practice, then? Put simply, it means that each country in the European Union has to adapt the NIS2 directive into something that fits local laws.
A new report published by ABB tells us that not every country within the European Union is quite there yet, even if most countries are far along in the process. The report can be summarized into four categories:
Countries that have already implemented NIS2 into local law
Countries that, for different reasons, are not quite there yet but are at an “advanced stage” of implementation.
Countries that are in an early stage of implementation.
Countries that are at the beginning of the process.
If you want to learn more about each country's details, we advise you to take a closer look at the ABB report linked above. However, to give you a quick overview of where countries within the EU stand regarding NIS2 implementation, we have compiled a short list.
Belgium (October 2024)
Croatia (Cybersecurity Act, February 2024)
Greece (November 2024)
Hungary (Cybersecurity Act, May 2023)
Italy (October 2024)
Latvia (September 2024)
Lithuania (October 2024)
Romania (January 2025)
Slovakia (January 2025)
Austria
Bulgaria
Cyprus
Czech republic
Denmark
Finland
France
Ireland
Luxembourg
Malta
Netherlands
Poland
Slovenia
Sweden
Estonia
Spain
Germany
Portugal
In a simple list like this, Germany and Portugal stick out in a bad way, but what does this mean in practice?
For Germany, the German government has proposed a local version of the NIS2 directive, but the proposition did not reach a majority in the Bundestag. A revised version is expected to be up for a vote in fall 2025. However, as of right now, Germany is a bit behind most other countries.
However, this only means that German companies have been given more time to work towards compliance. They must prioritize this immediately. Contact us at Pointsharp if you need help with any part of your NIS2 journey.
If your organization is in a country where NIS2 has yet to be fully implemented, you cannot postpone your work to comply with the directive. If you fall within one of the categories affected by NIS2, you should have already started the journey to compliance. If not, you risk losing business to compliant organizations and, in the worst case, being fined for non-compliance.
Adhering to NIS2 is not just about avoiding fines. It is also about increasing cybersecurity to prevent security incidents. If you avoid incidents, your clients perceive you as more serious and trustworthy, which can prevent bad press while growing your business.
As a leading cybersecurity provider founded and based in Europe, Pointsharp is uniquely positioned to help you become compliant with the NIS2 directive. We have already helped numerous organizations comply with regulations like NIS2, DORA, and GDPR, and we have provided high-security solutions to large organizations within critical infrastructure for many years.
If you want to learn more, we have several whitepapers, ebooks, and webinars that cover all aspects of NIS2 and its benefits to your organization.
We can help you become compliant, no matter what infrastructure of solutions you already use today.
