
Navigating NIS2 Compliance

July 2024 - a current view on local NIS2 legislations for organizations with cross-border European operations

The Network and Information Security 2 (NIS 2) Directive establishes more rigorous cybersecurity requirements for organisations in EU Member States, with an anticipated transposition deadline of October 2024. This whitepaper provides an analysis until June 2024 of the current regulatory landscape, touching upon key aspects such as sector definition, identification of entities, registration requirements, and security measures, as well as management accountability and government oversight.

Across the EU, Member States display varied transpositions of the NIS2 Directive until June 2024, with the following notable highlights:

  • Croatia, Czech Republic and Poland have expanded upon the Directive’s sector scope, recognizing additional critical entities and sectors.
  • Belgium, on the other hand, has adhered to the Directive’s scope classifications, but defines a custom cyber security controls framework.
  • Belgium and Poland’s approach to security controls aligns with the international standards ISO/IEC 27001 and ISO/IEC 22301 as benchmarks for compliance.
  • Austria requires entities to demonstrate the effectiveness of these risk measures through a self-declaration process.
  • Croatia has not set up a registration platform, but the relevant governing body will request information from entities for categorization. Croatian entities will thus not have to register themselves, and the initiative will lie with the Croatian government.

The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. While Austria and Poland provide detailed definitions and responsibilities for management bodies, Belgium, Croatia, Hungary, and Germany do not further specify the concepts. 

Government oversight and audit mechanisms vary, with Austria proposing dual audit approaches and Germany’s draft law establishing a three-yearly verification process. Croatia and Poland propose an audit frequency of at least every two years. In essence, the transpositions studied showcase important specifics which can have a significant impact on organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.

To read further, download the whitepaper and reach out in case of any questions.


Across the EU, Member States display varied transpositions of the NIS2 Directive until July 2024, with the following notable highlights:

  • Croatia, Czech Republic and Poland have expanded upon the Directive’s sector scope, recognizing additional critical entities and sectors.
  • Belgium, on the other hand, has adhered to the Directive’s scope classifications, but defines a custom cyber security controls framework to which entities can certify alongside ISO 27001. Belgium also requires a coordinated vulnerability disclosure policy for each entity.
  • Italy will require organizations to be compliant by September 2026 (transition period) and requires the adoption of a National Cyber Security Framework (based on NIST CSF) which defines cyber security controls for highly critical, critical and standard services.
  • Ireland and Poland’s approach to security controls aligns with the international standards ISO/IEC 27001, NIST CSF or ISO/IEC 22301 as benchmarks for compliance.
  • Austria requires entities to demonstrate the effectiveness of these risk measures through a self-declaration process.
  • Croatia has not set up a registration platform, but the relevant governing body will request information from entities for categorization. Croatian entities will thus not have to register themselves, and the initiative will lie with the Croatian government.

The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. While Austria, Italy and Poland provide detailed definitions and responsibilities for management bodies, Belgium, Croatia, Hungary, and Germany do not further specify the concepts.

Government oversight and audit mechanisms vary, with Austria proposing dual audit approaches and Germany’s draft law establishing a three-yearly verification process. Croatia and Poland propose an audit frequency of at least every two years.

In essence, the transpositions studied showcase important specifics which can have a significant impact on organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.

To read further, download the whitepaper and reach out in case of any questions.
