The revised EU directive on the security of network and information systems (NIS2) repeals and replaces the existing NIS Directive. The NIS Directive, adopted in 2016, was the first EU-wide cybersecurity law.

The principal objective of the NIS2 Directive is to increase the level of cyber resilience across the EU. It does so by requiring all entities in the EU that provide critical services to the economy and society as a whole to take appropriate cybersecurity measures.

Cullen International released a series of reports on the different aspects of the revised NIS2 directive.

NIS2 transposition: tracking the entities in scope and the authorities that oversee compliance

Our latest benchmark details how 16 EU member states have transposed (or are in the process of transposing) certain aspects of the directive on measures for a high common level of cybersecurity across the EU (NIS2).

The benchmark shows whether the scope of national transposition rules differs from that of the NIS2, and maps competent authorities for sectors such as digital infrastructure, digital providers and ICT service management.

For instance, in most of the surveyed EU countries that have designated NIS2 authorities (or proposed to do so), the telecoms sector remains under the supervision of the national regulatory authority (NRA).

Benchmark on the transposition status of EU NIS2 Directive

Cullen International is tracking and comparing the progress made by the 27 EU member states in transposing the Revised Directive on the Security of Network and Information Systems (NIS2).

EU member states had until 17 October 2024 to transpose the NIS2, which replaces the existing NIS Directive. 

Status October 2024: 

Most EU member states did not meet the transposition deadline. Thus far, only Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania have adopted national legislation to transpose the directive.

In several member states, including France, Germany, the Netherlands and Sweden, the draft laws transposing the directive were not yet adopted into law.

All you need to know about the new NIS2 Directive – Part 1: Scope

The revised directive classifies the entities it covers as either essential or important. As a rule, all medium-sized and large entities will have to comply with the NIS2 security risk management and reporting rules. However, the directive will adjust the classification as either essential or important depending on the size of the entity.

The first of five reports covers the objectives and scope of the revised directive and explains the applicable rules to classify entities as either essential or important.  

All you need to know about the new NIS2 Directive – Part 2: Common security risk management and reporting requirements

The revised EU directive on the security of network and information systems (NIS2) sets baseline security risk management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach, so the risk management measures should also address physical and environmental security (e.g. natural disasters, system failures).

Our second of five reports provides an analysis of the common security risk management and reporting requirements, which apply to all essential and important entities covered by the revised directive. 

All you need to know about the new NIS2 Directive – Part 3: Specific obligations for the telecoms, ICT supply chain and digital sectors

The revised EU directive on the security of network and information systems (NIS2) imposes on critical entities (e.g. cloud providers, data centres, social media platforms) common security risk management and reporting requirements. Importantly, the NIS2 will also regulate the security of telecoms operators when providing both telecoms related services (e.g. mobile services) and non-telecoms services (e.g. cloud). 

Our third of five reports covers certain security obligations which apply specifically to the telecoms, ICT supply chain and digital sectors.

All you need to know about the new NIS2 Directive – Part 4: Supervision and jurisdiction

The revised EU directive on the security of network and information systems (NIS2) subjects essential and important entities to the same security risk management and reporting requirements. However, the two categories differ in how they are supervised.

Our fourth of five reports outlines the supervisory and enforcement framework laid down by the NIS2 directive.

All you need to know about the new NIS2 Directive – Part 5: Requirements at EU level and for EU member states

Our last of five reports outlines the main requirements at EU level and for EU member states that are set out in the revised directive on the security of network and information systems (NIS2).

Whereas the EU cybersecurity agency (ENISA) will have increased responsibilities, member states will have to establish national policies on large-scale cybersecurity incidents and on coordinated vulnerability disclosure.

To request one of our NIS2 reports and/or a demo of our Digital Economy intelligence, please complete the form below.

(Note: Our services are predominantly designed for the use of government entities, regulators, communications service providers or manufacturers. We reserve the right to offer access to our research only to selected organisations. Feel free to contact us if you have any questions regarding your eligibility for free extracts or a demo.)
