NIS2 national implementation: Which countries are available in Cyberday?

NIS2 is the European Union's cybersecurity directive, which builds on its forerunner to ensure stronger protection and resilience. In this blog article, we take a closer look at the national implementation required by the NIS2 Directive and at the local laws: which ones are available in Cyberday, and how do they differ from the European Directive?

The NIS2 Directive is an updated version of the original NIS Directive. It extends the scope of the original Directive and aims to strengthen cybersecurity across the European Union. The NIS2 Directive applies to a wide range of sectors that are critical to the operation of the economy, such as energy, transport, water, food, health, finance, digital infrastructure operators, manufacturing industry and many others.

In spring 2024, we published an e-book on becoming NIS2 ready with ISO 27001 best practices. In our free e-book, we guide you through the world of NIS2 and the contents of the directive, and give you practical tips on how to achieve compliance. Grab yours here: cyberday.ai/ebook

NIS2 & local legislation

EU Member States were required to adopt the NIS2 Directive into national law by 17 October 2024, with implementation to follow shortly after. While many missed the deadline, progress is ongoing, and most countries are expected to finalize their legislation soon. The Directive broadens the sectors covered and strengthens requirements for risk management, incident reporting, and cybersecurity measures, including stricter incident reporting and supply chain security standards.

Key national-level decisions include defining local authorities, implementation, and monitoring details. The Directive sets minimum control methods, allowing only national-level additions. Considerations include:

Regulatory Authorities:

NIS2 places significant emphasis on the role of public authorities in ensuring the cyber security of critical services and critical infrastructure in the European Union and stresses the need for increased cooperation between public authorities in EU Member States.

National legislation should specify which authorities are responsible for monitoring the implementation of NIS2 in the country concerned, and whether, for example, the monitoring is divided between different authorities according to their areas of competence. Countries must designate local authorities to ensure compliance with NIS2 rules: this means designating national supervisory authorities or creating new supervisory teams for sectors such as energy, health and transport.

Implementation and monitoring:

NIS2 establishes clear and stringent requirements for implementation and monitoring to ensure compliance by both organizations and Member States. Member States must enforce control measures against key actors that are effective, proportionate, and dissuasive, while considering the specific circumstances of each case. If monitoring reveals potential non-compliance by a significant operator, authorities must take appropriate action, including, if necessary, ex-post control measures. Additionally, countries should establish teams to handle and investigate cybersecurity incidents as needed.

Risk management and security measures:

According to NIS2, an organisation should have well-defined policies to manage information security risks, assess the effectiveness of security measures and identify key areas for improvement.

The NIS2 Directive specifically identifies the following areas of information security for which the organisation must document and implement its actions, and the organisation's management is responsible for the adequacy of those actions:

  • Risk management and system security
  • Incident management, logging and detection
  • Business continuity and backup
  • Supply chain security and control
  • Secure system acquisition and development
  • Evaluation of the effectiveness of security measures
  • Information security hygiene practices and training
  • Encryption
  • Staff security
  • Access management
  • Management of Protected Assets
  • Multi-factor authentication (MFA)

Tip: To assess the adequacy of information security measures, it is useful to use generally accepted content such as ISO 27001.

Each country must ensure that organisations implement measures to manage risks. These measures include ensuring that supply chains are secure, as well as carefully reviewing risks.

Incident detection and reporting:

Under NIS2, significant incidents must be reported to the national supervisory authority, so national legislation defines when and how to report incidents. NIS2 thus sets the basic standards, but countries can set stricter or more detailed rules according to their own needs.

At national level, it is also possible to go beyond the scope of the NIS2 Directive, and to create specifications according to national needs. These agreements and actions at national level will ensure that the NIS2 Directive is tailored to each country's legislation while maintaining a coherent approach to cybersecurity across the EU.

What local NIS2 laws are available in Cyberday?

Here's the current situation in a nutshell:

| Country | Framework name | Based on draft or effective law? | Expected overlap with EU NIS2 |
|---|---|---|---|
| 🇦🇹 Austria | Netz- und Informationssystemsicherheitsgesetz | Draft | 66% |
| 🇧🇬 Bulgaria | Закон за прилагане на NIS2 | Draft | 82% |
| 🇨🇾 Cyprus | Ο Νόμος για την Κυβερνοασφάλεια | Draft | 75% |
| 🇩🇪 Germany | NIS2‑Umsetzungs‑ und Cybersicherheitsstärkungsgesetz | Draft | 66% |
| 🇬🇷 Greece | Εθνική αρχή για την ασφάλεια στον κυβερνοχώρο… | Effective | 88% |
| 🇮🇪 Ireland | The national cyber security bill 2024 | Draft | 65% |
| 🇱🇺 Luxembourg | Projet de loi n° 8364 | Draft | 72% |
| 🇲🇹 Malta | Avviż Legali 71 tal‑2025 | Effective | 72% |
| 🇳🇱 Netherlands | Cyberbeveiligingswet | Draft | 70% |
| 🇷🇴 Romania | Ordonanța de Urgență nr. 155/2024 | Effective | 65% |
| 🇪🇸 Spain | Ley de Ciberseguridad | Draft | 63% |
| 🇸🇪 Sweden | Cybersäkerhetslagen | Draft | 75% |
| 🇧🇪 Belgium | La loi NIS2 | Effective | 71% |
| 🇭🇷 Croatia | Zakon o kibernetičkoj sigurnosti | Effective | 91% |
| 🇫🇮 Finland | Kyberturvallisuuslaki | Effective | 86% |
| 🇮🇹 Italy | Il Cybersecurity Act Decreto legislativo n. 138 | Effective | 78% |
| 🇱🇻 Latvia | Nacionālās kiberdrošības likums | Effective | 69% |
| 🇱🇹 Lithuania | Kibernetinio Saugumo Įstatymas | Effective | 74% |


Austria: Netz- und Informationssystemsicherheitsgesetz 🇦🇹

Austria’s Netz- und Informationssystemsicherheitsgesetz (NIS Act) implements the NIS2 directive into national law. It sets requirements for cybersecurity risk management, incident reporting, and sector-specific protective measures for both essential and important entities. The law keeps close alignment with NIS2’s scope, while detailing national supervisory structures and cooperation mechanisms. Enforcement is led by the Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMKÖ) in coordination with the Austrian Cyber Security Council.

Belgium: La loi NIS2 🇧🇪

Belgium has implemented the European Union's NIS2 Directive into national law as the NIS2 Law. This legislation closely aligns with the EU directive, incorporating only minor national adaptations. It establishes cybersecurity requirements for companies operating in critical sectors and registered in Belgium. Key national measures include specific registration procedures and conformity assessments.

Bulgaria: Закон за прилагане на NIS2 🇧🇬

Bulgaria’s Law on the Application of NIS2 establishes a national framework for identifying and securing essential and important entities in line with the NIS2 directive. It introduces specific national procedures for registration, incident notification, and sectoral audits, alongside strengthened supervisory powers. Enforcement is handled jointly by the State Agency for National Security and the Commission for Personal Data Protection.

Croatia: Zakon o kibernetičkoj sigurnosti 🇭🇷

The Croatian implementation of NIS2, the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), came into force in February 2024. It defines cybersecurity rules for Croatian companies with the same criteria as NIS2, with some exceptions, such as the inclusion of additional sectors, detailed categorization of entities, defined timelines for compliance, and specified penalties.

Cyprus: Ο Νόμος για την Κυβερνοασφάλεια 🇨🇾

Cyprus’ Cybersecurity Law implements the EU NIS2 directive and sets out obligations for essential and important entities to establish risk management measures, report incidents, and cooperate with national authorities. It includes national designation processes and clarifies sector-specific responsibilities. The Department of Electronic Communications under the Ministry of Transport, Communications and Works acts as the primary supervisory body.

Finland: Kyberturvallisuuslaki 🇫🇮

Finland's "Kyberturvallisuuslaki" is waiting for the last approval, but can already be used in implementation. The Cybersecurity Act creates a clear legal framework for information security risk management and incident reporting in line with the NIS2 Directive. The new law aims to unify Finland's current fragmented cybersecurity legislation and harmonise it with the EU-wide standards introduced by NIS2. It broadens the scope of risk management and reporting requirements and clarifies the number of companies and public institutions that have to comply with them. The Cybersecurity Act takes as its starting point the minimum level of the Directive, and defines mainly the points corresponding to the content of the Directive. The Cybersecurity Act does not add to the scope of the NIS2 Directive, nor to the means of control.

Germany: NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz 🇩🇪

Germany’s NIS2 Implementation and Cybersecurity Strengthening Act transposes the EU directive with added national measures for enforcement, including stricter incident reporting timelines, heavier penalties, and broader sectoral scope in some areas. The Federal Office for Information Security (BSI) serves as the main supervisory authority, supported by state-level regulators for certain sectors.

Greece: Εθνική αρχή για την ασφάλεια στον κυβερνοχώρο… 🇬🇷

Greece has enacted its NIS2 implementation, strengthening cybersecurity obligations for critical sectors including energy, transport, and digital infrastructure. The law aligns closely with the EU directive, while introducing additional oversight and compliance verification processes. Enforcement is carried out by the Hellenic National Cybersecurity Authority, which coordinates with sectoral regulators.

Ireland: The national cyber security bill 2024 🇮🇪

Ireland’s National Cyber Security Bill 2024 brings the NIS2 directive into Irish law. It sets risk management and incident reporting duties for essential and important entities, with national procedures for registration and compliance monitoring. The National Cyber Security Centre (NCSC), under the Department of the Environment, Climate and Communications, is the lead enforcement body.

Italy: Il Cybersecurity Act Decreto legislativo n. 138 🇮🇹

Italy’s Cybersecurity Act (Legislative Decree No. 138) transposes NIS2 with additional measures for public administration entities and certain private operators. It specifies detailed compliance timelines, enhanced penalties, and extended obligations in critical sectors. The National Cybersecurity Agency (ACN) is responsible for oversight and enforcement.

Latvia: Nacionālās kiberdrošības likums 🇱🇻

NIS2 has been adopted as the "National Cyber Security Act" in Latvia. It improves the security of information and communication technologies, including setting requirements for the provision and receipt of essential and important services and for the operation of information and communication technologies. The Act expands the scope to include both public and private sector organizations, categorizing them into three groups based on criticality.

Lithuania: Kibernetinio Saugumo Įstatymas 🇱🇹

The Cybersecurity Act "Kibernetinio Saugumo Įstatymas" implements the European Union's NIS2 law in Lithuania. It sets out requirements for various organisations to strengthen their cybersecurity risk management. The Lithuanian act introduces an expanded scope, detailed implementation timelines (12 months from inclusion), and defined supervisory roles.

Luxembourg: Projet de loi n° 8364 🇱🇺

Luxembourg’s Bill No. 8364 implements the NIS2 directive into national law, with provisions for cybersecurity obligations, incident reporting, and sector-specific requirements, particularly in financial and digital infrastructure. The High Commission for National Protection (HCPN) will act as the main supervisory authority once the law is enacted.

Malta: Avviż Legali 71 tal-2025 🇲🇹

Malta’s Legal Notice 71 of 2025 gives national effect to NIS2 by imposing security, risk management, and incident reporting requirements on essential and important entities. It outlines sectoral responsibilities and reporting mechanisms. The Malta Cyber Security Authority oversees implementation and enforcement.

Netherlands: Cyberbeveiligingswet 🇳🇱

The Dutch Cybersecurity Act (Cyberbeveiligingswet) transposes NIS2 with national adjustments for incident handling, sectoral cooperation, and public-private coordination. It applies to essential and important entities across critical sectors. The National Cyber Security Centre (NCSC), under the Ministry of Justice and Security, serves as the lead enforcement body.

Romania: Ordonanța de Urgență nr. 155/2024 🇷🇴

Romania’s Emergency Ordinance No. 155/2024 enforces the NIS2 directive at national level, adding technical and procedural requirements for both public and private sector operators. The National Cyber Security Directorate (DNSC) is responsible for oversight, enforcement, and sectoral coordination.

Spain: Ley de Ciberseguridad 🇪🇸

Spain’s Cybersecurity Law transposes NIS2 with national procedures for designation, compliance monitoring, and penalties. It includes additional measures for the public administration sector and strengthens incident response capabilities. The National Cybersecurity Council coordinates enforcement with relevant sectoral authorities.

Sweden: Cybersäkerhetslagen 🇸🇪

Sweden’s Cybersecurity Act implements NIS2 requirements for essential and important entities, with sector-specific guidance and coordination mechanisms. The Swedish Civil Contingencies Agency (MSB) acts as the primary supervisory authority, supported by relevant sectoral regulators.

Start implementing the national legislation in Cyberday

You can now activate your national laws in Cyberday! You can find the general EU version of the NIS2 Directive, as well as the national laws of the countries under the NIS2 framework. Activate the legislation of your choice with the click of a button.
