Navigating NIS2 Compliance
January 2025 - A current view on local NIS2 legislations for organizations with cross-border European operations
The Network and Information Security 2 (NIS 2) Directive establishes more rigorous cybersecurity requirements for organisations in EU Member States, with a transposition deadline of October 2024. This whitepaper provides an analysis as of January 2025 of the current regulatory landscape, touching upon key aspects such as sector definition, identification of entities, registration requirements, and security measures, as well as management accountability and government oversight.
Across the EU, Member States display varied transpositions of the NIS2 Directive, with the following notable highlights:
- Belgium, Croatia, Hungary, Latvia, Lithuania, Greece and Italy have transposed NIS2.
- Belgium has adhered to the Directive’s scope classifications, but defines a custom cyber security controls framework to which entities can certify next to ISO 27001. Lithuania has defined a custom control framework of 76 technical requirements. Greece and Italy also mention a custom control set.
- Italy will require organizations to be compliant by September 2026 (transition period) and requires the adoption of a National Cyber Security Framework (based on NIST CSF) which will define basic obligations and long-term obligations. This framework is foreseen for April 2025.
- Croatia, as well as in the drafts of the Czech Republic and Poland, have expanded upon the Directive’s sector scope, recognizing additional critical entities and sectors.
- Croatia has not setup a registration platform, but the relevant governing body will request information from entities for categorization. Croatian entities will thus not have to register themselves and the initiative will be with the Croatian government
- Some countries also define specific requirements on top of the NIS2 directive, such as Hungary, Latvia, Lithuania, and Belgium.
The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. While Italy and Poland provide detailed definitions and responsibilities for management bodies. Belgium, Croatia, Hungary, and Greece amongst others do not elaborate further.
Government oversight and audit mechanisms vary, with a frequent audit for essential entities in Belgium, Greece, Croatia and Poland. Lithuania on the other hand has no periodic audits.
In essence, the transpositions studied showcase important specifics which can have significant impact for organisations operating in these countries. For these organisations, it means closely following upon the transpositions now that the transposition deadline has passed and trying to define a common ground to reach a workable level of compliance. Most of the NIS2 laws are expected in 2025. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.
To read further download the whitepaper and reach out in case of any questions.
