Skip to main content

Navigating NIS2 Compliance

June 2025 - A current view on local NIS2 legislations for organizations with cross-border European operations

The Network and Information Security 2 (NIS 2) Directive establishes more rigorous cybersecurity requirements for organisations in EU Member States,with a long passed transposition deadline of October 2024. This whitepaper provides an analysis as of June 2025 of the current regulatory landscape of countries that have transposed NIS2, touching upon key aspects such as sector definition, identification of entities, registration requirements, and security measures, as well as management accountability and government oversight. 

Across the EU, Member States display varied transpositions of the NIS2 Directive until June 2024, with the following notable highlights:  

  • Croatia, Czech Republic and Poland, have expanded upon the Directive’s sector scope, recognizing additional critical entities and sectors.  
  • Belgium on the other hand has adhered to the Directive’s scope classifications, but defines a custom cyber security controls framework.
  • Belgium and Poland’s approach to security controls aligns with international standards ISO/IEC 27001 and ISO/IEC 22301, as benchmarks for compliance.
  • Austria requires entities to demonstrate the effectiveness of these risk measures through a self-declaration process.  
  • Croatia has not setup a registration platform, but the relevant governing body will request information from entities for categorization. Croatian entities will thus not have to register themselves and the initiative will be with the Croatian government  

The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. While Austria and Poland provide detailed definitions and responsibilities for management bodies, Belgium, Croatia, Hungary, and Germany do not further specify the concepts. 

Government oversight and audit mechanisms vary, with Austria proposing dual audit approaches and Germany draft law establishing a 3 yearly verification process. Croatia and Poland propose an audit frequency of at least every two years.  In essence, the transpositions studied showcase important specifics which can have significant impact for organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.  

To read further download the whitepaper and reach out in case of any questions. 

 

Across the EU and the EEA, countries display varied transpositions of the NIS2 Directive, with the following notable highlights:

  • Belgium, Croatia, Cyprus, Slovakia, Finland, Denmark, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Liechtenstein and Slovakia have transposed NIS2. Often this includes additional decrees, amendments or acts. For Romania NIS2 is partially transposed 
  • Registration deadlines already passed for a significant number of countries that have transposed NIS2. Organisations that did not register yet, should do so as soon as possible. 
  • Security measures of the transpositions can be categorized in three main approaches: either a maturity based national cybersecurity control frameworks, a compliance based control framework or more principle based approach. Most countries define their list of required security controls. 
  • Countries such as Croatia, Hungary, Italy and Slovakia extend beyond the sectors mentioned in the Directive and add sectors such as education, defence or culture. 
  • Croatia, Cyprus and Lithuania do not require entities to register themselves, instead the government agencies of these countries will identify entities in scope. 
  • Most countries align with the reporting schedule of the Directive, however Cyprus imposes a 6-hour early warning for significant incidents instead of the standard 24 hours. Lithuania requires an ‘automated’ incident reporting. 

The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures. Government oversight and audit mechanisms vary. In most countries essential entities require audits by a government accredited auditor. Frequency varies between yearly and every 5 years.

In essence, the transpositions studied showcase important specifics which can have significant impact for organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance. 

Most of the NIS2 laws are expected in 2025, but some only by late 2026. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.  

Did you find this useful?

Thanks for your feedback