Member area

Become a Member

NIS2 Directive Transposition Tracker

The tracker in brief

The NIS2 Directive Transposition Tracker is a collaborative project providing a streamlined and comprehensive overview of the Directive’s transposition across EU member states.

Organised into dedicated sections for each country, the tracker covers key aspects such as the sectoral scope, applicable standards, registration processes, sanctions, lists of competent authorities, and deadlines.

This initiative aims to identify similarities and differences in implementation while ensuring clarity for stakeholders navigating the evolving regulatory landscape.

Methodology

The information collected in the tracker is the outcome of a joint effort between the European Cyber Security Organisation (ECSO) and the ECSO CISO Community.

The data was gathered and cross-referenced through systematic research and analysis of primary and secondary sources, including Official Journals of Member States, EU databases, publicly available articles, and expert inputs.

As some sections are incomplete due to pending legislation, the tracker will be revised regularly to reflect the latest developments in NIS2 implementation.

CLICK ON THE COUNTRIES FOR MORE INFO

Disclaimer: The information provided in this document is for general informational purposes only and is not to be used for legal ends. Please consult primary sources and national legislations for official business. All information is provided in good faith and to the best of our abilities. Any references to third parties are not to be intended as statements by the contributors involved. We take no responsibility for any errors or omissions in the content of this document. Law extracts have been simplified to facilitate readability. Any action you take upon the information in this document is strictly at your own risk.

National registration platforms

Belgium
Visit platform
Czechia
Visit platform
Greece
Send email
Hungary
Visit platform
Italy
Visit platform
Lithuania
Visit platform
Luxembourg
Visit platform
Slovakia
Visit platform

ECSO analysis of the current situation

Last update: 06 March 2025

The NIS2 Directive aims to strengthen the cyber resilience of critical infrastructure and supply chains across the EU by enhancing requirements for public and private sector entities from a wide range of sectors. Amidst soaring vulnerabilities of network and information systems catalysed by emerging cyber threats, state-sponsored attacks, and growing digital dependencies, four countries met the transposition deadline of 17 October 2024. As a result, on 28 November 2024, the European Commission opened infringement procedures on 23 Member States. 

Although the number of countries that transposed the Directive into national legislation increased from four to nine as of mid-February 2025, the implementation process was marked by a substantial divergence in adoption timelines and requirements, creating operational and compliance challenges for entities providing services in multiple jurisdictions. Measures vary in strictness, registration deadlines, sectoral coverage, incident reporting requirements, and enforcement timelines, posing risks of fragmentation.

Against this backdrop, this overview examines both draft and adopted national laws transposing the NIS2 Directive, using select country examples to illustrate broader trends without implying exhaustiveness.

Considerable variations emerged regarding the scope of implementation, with some countries opting to exclude certain sectors and others expanding coverage or reclassifying existing ones. Hungary, Finland, and Belgium omitted the banking and financial sectors (covered by DORA), whereas Bulgaria and Portugal did not include (local level) public administration in their draft legislation. Several countries introduced additional subsectors under the ‘essential’ industries category, including Hungary (adding public transport to transportation), Slovakia (incorporating thermal power engineering into energy), and Poland (classifying mineral extraction under energy and electronic communications under digital infrastructure). 

In addition, Spain’s draft law brings the nuclear industry within scope. At the same time, Poland reclassified manufacturing – including chemical production, food processing, and distribution – from ‘important’ to ‘essential.’ In some cases, national laws merged sectors equivalent to ‘essential’ under NIS2, such as drinking water and wastewater, into a single sector. Whilst Germany proposed this approach (draft law as of February 2025), Hungary and Slovakia adopted it. The decision of Member States to include or exclude specific sectors could be based on national priorities, existing legislation and risk assessments necessitating stricter enforcement in critical areas.

In countries like Greece, Hungary, Latvia, and Slovakia, national legislation refers to European and international security standards without specifying particular frameworks. In contrast, other laws or drafts specifically mention cybersecurity frameworks, such as ISO 27001/2 (e.g., Croatia, Finland, and Slovenia), NIST 800-53 (Cyprus), and NIST CSF 2.0 (Ireland). Notably, Belgium, Romania, and Lithuania adopted tailored national frameworks for standards in some measure based on international ones. Subsequently, dissimilar frameworks across the EU could complicate administrative procedures and compliance obligations for entities.

The definitions of significant incidents, the timelines for reporting, thresholds, and reporting obligations differ across Member States. For instance, entities based in Cyprus must submit early warnings to the competent authority within six hours of detecting the incident. In comparison, NIS2 requires an early warning within 24 hours, an incident notification within 72 hours, a final report within one month, or a progress report if the incident is ongoing, with a final report due a month after the incident ends.

In terms of timelines, per draft texts, entities are obliged to start reporting incidents nine months after classification in Malta and one year after registration in Czechia. The draft law in Czechia also suggests an increased scope of incident reporting beyond significant incidents. In Slovakia, the adopted law requires entities to report significant cyber threats in addition to incidents where the entity prevented a threat that could have caused a significant incident or identified a vulnerability in publicly accessible networks or systems it operates and could not mitigate the risk in time. The diverse reporting requirements could lead to supplementary compliance costs for cross-border entities.

In most Member States, entities are required to self-register, except in certain cases, namely Croatia, where competent authorities lead the registration process. Registration timeframes span from one month after the law enters into force in Romania to three months in Austria. Examples of countries that introduced expected deadlines for registration in the first half of 2025 are Ireland and Sweden (January), Italy (February), and Denmark (April).  In cases where NIS2 has not yet been fully transposed, the applicability of these deadlines may depend on national implementation progress.

In parallel, Greece introduced different registration periods (March and April 2025) depending on the type of entity. Precisely, domain name systems, online marketplaces, search engines, social networks, data centres, network providers, and security services must register earlier than all other entities operating in Greece. 

Significant differences can also be observed in the classification of entities. Although the majority of countries introduced a classification of essential and important entities comparable to the provisions of NIS2, a three-tier one (e.g., Germany and Portugal) was proposed in several draft laws with security requirements varying based on the tier to which an entity belongs. Additionally, Finland introduced the same security obligations for both essential and important entities, with differences regarding the ex-ante (essential) and ex-post (important) supervision, as well as maximum sanctions (in alignment with NIS2).

Concerning enforcement, several countries introduced sector-specific authorities (e.g., Croatia, Finland, Ireland, and Sweden) and sectoral CSIRTs (e.g., Austria, Poland, and Spain). Going a step beyond, a number of Member States introduced stricter measures than those enshrined in the Directive. In Hungary, service providers and organisations operating in high-risk and risk sectors must sign an agreement with a certified external auditor company before the end of 2024 to undergo bi-annual audits thereafter. Moreover, entities operating in Romania must conduct an annual self-assessment of their cybersecurity risk management maturity and submit a corrective action plan within 30 days to address deficiencies.

Sanctions generally correspond to NIS2. However, certain countries have incorporated additional measures for multiple levels of offences (e.g., Belgium, Croatia, Greece, Italy, Lithuania, Poland, Slovenia, Portugal, and Spain). For example, the Luxembourg draft considers establishing fines for budgetary bodies under GDPR practices. GDPR is also used to determine the amount and type of penalties based on the severity of the infringement.

The nuances in implementation measures present both challenges and opportunities. Moving forward, regulatory harmonisation can be prioritised through complementary legislative initiatives to NIS2, developing additional guidelines, mutual recognition of security frameworks, and strengthened cooperation between national competent authorities.

Community-sourced information

The information in this section has been crowdsourced from the community. While we strive to ensure its accuracy and relevance, please note that it is subject to review and updates. Once the official sources are published, we will review and finalise the information accordingly.

Saw something wrong? If you have any suggestions or notice any discrepancies, please let us know so we can address them promptly.

Contact us

Contributors

The NIS2 Directive Transposition Tracker is an initiative powered by the ECSO Policy Analysis & Outreach Stream.

We would like to extend our sincere gratitude to our partners and contributors for their invaluable insights and efforts in compiling this tracker. In particular, the ECSO CISO Community has been instrumental in verifying and creating a comprehensive resource to shed more light on the status of the NIS2 transposition across the EU.

Discover the ECSO CISO Community

ECSO White Paper

NIS2 Implementation: Challenges and Priorities

This comprehensive publication provides actionable recommendations for institutional stakeholders to enhance the implementation process, as well as a comprehensive analysis of:

 

  • The varying approaches to implementation across EU countries in key cybersecurity areas.
  • Results from our Europe-wide survey of cybersecurity practitioners on organizational preparedness.
  • Detailed case studies of sectoral implementation.
Read the full paper

About the ECSO Policy Analysis & Outreach Stream

Read more about this workstream

The ECSO Policy Analysis and Outreach Stream delivers in-depth policy analysis to ECSO Members, helping them decode and act upon key European cybersecurity developments. The initiative involves close collaboration with EU policymakers and the integration of insights from both public and private sectors. By engaging with European and international stakeholders, it promotes meaningful dialogue for a structured, dynamic European cybersecurity landscape.

Initiative administration

Cristian Michael Tracci

Senior Manager for Policy Analysis and Outreach

cristian.tracci[at]ecs-org.eu

Sebastijan Čutura

Senior Manager, Industry Cybersecurity

sebastijan.cutura[at]ecs-org.eu

Simona Kaneva

Manager for Policy Analysis and Outreach

simona.kaneva[at]ecs-org.eu

Tomasz Michałowski

Junior Manager for European Cyber Security Community

tomasz.michalowski[at]ecs-org.eu

X-twitter Linkedin

secretariat[at]ecs-org.eu

Avenue des Arts 46 Kunstlaan, 1000 Brussels, Belgium

Subscribe to the ECSO Newsletter

Subscription form

Subscribe to our newsletter

© ECSO All rights reserved

Data Privacy Policy

EU Transparency Registry 684434822646-91

Austria

Status: Draft Law
Link: Draft Law

Scope (Legal reference: Chapter 1, Subsection 2; Annex 1, 2)

Corresponds to NIS2.

Standards, guidelines, certifications – references (Legal reference: to be updated)

Reference to the Risk Management Catalogue.

Incident reporting (Legal reference: Chapter 3, Section 2)

Incidents are reported to the CSIRT in charge. Reporting requirements:

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Chapter 3, Section 1; Chapter 3, Section 2; Chapter 5)

Essential and important entities must register within 3 months after the Federal Act’s entry into force. The following information is requested:

Entities shall register with the cybersecurity authority and send the requested information via a secure communication channel.

Security measures compliance: provisions under sections 2 to 47 will enter into force from 01/06/2025.

Fines (Legal reference: Chapter 5)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: Chapter 2, Section 1; Chapter 2, Section 3)

In the absence of a sector-specific CSIRT, the national CSIRT must perform the tasks of the relevant sector-specific CSIRT for the sector in question.

Belgium

Status: Transposed
Date of Transposition: 26/04/2024 (Entered into force on 18/10/2024)
National law: Law of April 26, 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (“NIS2 law”)
Link: Final text

Scope (Legal reference Art. 3, 6(3))

NIS 2 (the banking and financial market sectors are out of scope as they are covered by DORA).

The law (Section 2, Article 3(2)) allows certain entities to be excluded from regulation based on their independence from partners and linked companies, particularly regarding networks, information systems, and services provided. The Centre for Cybersecurity Belgium assesses this independence, and the King has the authority to define the evaluation criteria.

Standards, guidelines, certifications – references (Legal reference Art. 30)

Belgian Cyber Fundamentals Framework (CyFun) based on: NIST CSF, ISO 27001, ISO 27002, CIS Controls, IEC 62443.

Conformity against the requirements of the respective assurance levels in the CyberFundamentals Framework will be assessed according to the requirements set out in the CyberFundamentals Conformity Assessment Scheme (CAS). The assessment shall be performed by an accredited and authorised conformity assessment body.

Incident reporting (Legal reference Art. 25, 35)

Significant incidents are reported to the national CSIRT via an online form. Reporting requirements (significant incidents):

Corresponds to NIS2. In the event of a significant cyber threat, essential and important entities must promptly inform the recipients of their services. Significant incidents are defined as incidents that cause serious operational disruption of services or financial losses for the concerned entity or affect other natural or legal persons by significant cause material or immaterial damage. Providers of trust services will report the incident within 24 hours when the incident has consequences for the provision of their trust services.

Process of registering as an entity in the scope to central authorities (Legal reference Art. 13)

Upon entry into force, companies have 5 months to register with the CCB through the registration platform (via an online form) and 18 months to provide proof. Entities are required to provide the following details:

Fines (Legal reference Art. 59)

The national cybersecurity authority is responsible for infringements of the provisions of the bill. The administrative fine is doubled in the event of a repeat offence for the same acts within three years. The combination of several breaches may give rise to a single administrative fine proportional to the seriousness of the facts as a whole.

Competent Authority and designated CSIRT (Legal reference Art. 17, 19)

National Center for Cybersecurity, National CSIRT.
Centre pour la Cybersécurité Bélgique (CCB), Centre de Crise National (NCCN).

Bulgaria

Status: Draft Law
Link: Draft Law

Scope (Legal reference: Annex 1)

NIS2 (the draft excludes public administration).

Standards, guidelines, certifications – references (Legal reference: Art. 24)

Reference to EU standards under the NIS2 Directive.

Incident reporting (Legal reference: Art. 22(5))

Significant incidents are reported to the national CSIRT. Reporting requirements:

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 6)

The draft requires entities to submit the following information:

Fines (Legal reference: Art. 28, 29)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: Art. 16, 27)

In addition to the competent authority, the following have supervisory powers:

Croatia

Status: Transposed
Date of Transposition:15/02/2024
National Law: Regulation on Cybersecurity
Link: Primary Law
Implementing Act:Regulation on Cybersecurity, adopted on 22/11/2024
Link: Implementing Act

Scope (Legal reference: Art. 9, 10, 13)

In addition to NIS2, the Regulation covers ICT service management, the public administration as well as private and public entities from the education sector.

Standards, guidelines, certifications – references (Legal reference: to be updated)
Incident reporting (Legal reference: Art. 37, Art. 58 – 74, Subordinate Act)

Entities shall notify the competent CSIRT of significant incidents by providing:

Corresponds to NIS2. Reporting requirements under Art. 65 Subordinate Act

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 23, Art. 28 Subordinate Act)

One year from the receipt of the notification on categorisation, entities in scope are required to comply with all provisions of the Law and the subordinate acts.

Entities shall submit the following information to the Central State Cyber Security Authority:

The responsible governing body will formally notify and thus request essential and important entities to submit information for the purposes of categorisation and list maintenance. Entities have 45 days to deliver the information required.

Essential entities are required to deliver a cyber security audit report conducted by a certified external audit service provider to the Competent authority within 2 years (and every 2 years afterwards) or at the request of the Competent authority.

Important entities are required to deliver a cyber security self-assessment or an assessment by an external provider to their Competent authority every 2 years as well as a cyber security audit report conducted by a certified external audit service upon the request of the Competent authority.

Fines (Legal reference: Art. 86, 101, 102, 103)
Competent Authority and designated CSIRT (Legal reference: Annex III)

Cyprus

Status: Draft (submitted to the Parliament for voting)
Date of Transposition: Expected late February
National law: The Security of Networks and Information Systems Law, 2025, N.89(I)/2025
Link:To be updated

Scope (Legal reference: Art. 2A)

NIS2 (banking remains within the scope for national strategy purposes and cooperation on large-scale incidents but is not subject to supervision by the competent authority).

Standards, guidelines, certifications – references (Legal reference: to be updated)

National security measures framework, similar to ISO 27001. The published security measures legislation includes mapping that corresponds to:

Incident reporting (Legal reference: To be updated)

Provisions under NIS2, Art. 23. Additional requirements:

Process of registering as an entity in the scope to central authorities (Legal reference: To be updated)

Essential and important entities will be identified by the Digital Security Authority. The final list of entities will be approved by the Parliament.

Fines (Legal reference: To be updated)

Fines under NIS2, Art. 34 in addition to national provisions on administrative fines and criminal penalties for national law violations.

Competent Authority and designated CSIRT (Legal reference: To be updated)

Czechia

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: § 4 )

NIS2 as well as the military industry sector.
Sector-specific thresholds (for instance, an entity could be considered essential based on criteria such as being a large enterprise in electricity production or having a certain output, and similar thresholds for the gas storage sector).

Standards, guidelines, certifications – references (Legal reference: to be updated)

ISMS

Incident reporting (Legal reference: § 15, 16)

Reporting requirements :

Affected companies do not have to report incidents until 1 year after receipt of the registration confirmation. Increased scope for reporting of incidents that goes beyond reporting of significant incidents.

Process of registering as an entity in the scope to central authorities (Legal reference: to be updated)

To be updated.

Fines (Legal reference: § 59(4), 60, 61)
Competent Authority and designated CSIRT (Legal reference: to be updated)

To be updated.

Denmark

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Annex 1, 2)

NIS2.
The implementation takes place through the Ministry of Defence proposing a main law that creates a common basic framework for the implementation of NIS2 across sectors. The main act will authorise the sector.

Standards, guidelines, certifications – references (Legal reference: to be updated)

To be updated.

Incident reporting (Legal reference: to be updated)

The current reporting scheme mandates reporting of incidents that go over a threshold of loss of over 5000 user hours of service, as well as geographical thresholds for services that do not have consumer users (e.g. air traffic control).

Process of registering as an entity in the scope to central authorities (Legal reference: chapter 3, § 10)

The draft requires entities to register with the relevant competent authority and provide the following information by 17 April 2025:

An entity that falls within the scope of the Act after that date must submit the information within two weeks of the entity becoming subject to the Act. In the event of a change in the information provided pursuant to paragraph 1, the entity shall notify the relevant competent authority within two weeks of the date of the change.

Fines (Legal reference: § 31)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: to be updated)

The responsible authority may be the Ministry of Defence.

Estonia

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: to be updated)

NIS2.

The NIS Directive was transposed via the Estonian Cybersecurity Act in 2018, amended in 2022. The original transposition text was less stringent regarding non-compliance fines and geographical scope provisions. However, the 2022 text extended the scope of entities included and increased obligations for operators. It is likely that the transposition of the NIS2 Directive will not greatly change the current legal framework. 

Standards, guidelines, certifications – references (Legal reference: to be updated)

National Cyber Security Strategy 2023-2027.

Incident reporting (Legal reference: to be updated)

To be updated.

Process of registering as an entity in the scope to central authorities (Legal reference: to be updated)

To be updated.

Fines (Legal reference: to be updated)

To be updated.

Competent Authority and designated CSIRT (Legal reference: to be updated)

Estonian Information System Authority .

Finland

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Art. 3)

NIS2 (the finance sector is out of scope and covered by DORA). The draft law introduces the same security obligations for both essential and important entities, with differences regarding ex-ante (essential) and ex-post (important) supervision as well as maximum sanctions (in alignment with NIS2).

Standards, guidelines, certifications – references (Legal reference: to be updated)

ISO 27001

Incident reporting (Legal reference: Art. 2.6)

Reporting requirements :

Corresponds to NIS2.

Significant incident definition: incident that has caused or can cause a significant disruption in service, or causes financial losses, or has caused or can cause material or immaterial damage to people or legal entities.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 2.3)

Reference to NIS2

Fines (Legal reference: Art. 5.1.6)

Fines would not be applicable to public sector entities.

Competent Authority and designated CSIRT (Legal reference: to be updated)

National Cyber Security Centre.

The National Cyber Security Centre under the Finnish Transport and Communications Agency is identified as CSIRT unit and a centralised contact point.
Sector specific authorities are listed under Art. 24 of the Valvovat viranomaiset.

Sector-specific supervisory authorities: Finnish Transport and Communications Agency, Energy Authority, Finnish Safety and Chemicals Agency, Valvira (National Supervisory Authority for Welfare and Health), South Savo Centre for Economic Development, Transport and the Environment, Finnish Food Authority and Finnish Medicines Agency.

France

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: to be updated.)

NIS2.

Standards, guidelines, certifications – references (Legal reference: to be updated)

To be updated.

Incident reporting (Legal reference: to be updated.)

To be updated.

Process of registering as an entity in the scope to central authorities (Legal reference: to be updated.)

To be updated.

Fines (Legal reference: Art. 5.1.6)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: to be updated)

ANSSI.

Germany

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: § 28, Annex 1, 2)

NIS2 with changes in sectors and subsectors.

Sectors of important and essential entities (ICT service management and public administration excluded):

Sectors for key entities:

The scope is expanded to 3 categories of entities:

The threshold for companies is lower as the criteria of company size counts individually in terms of employees and turnover (companies with less than 50 employees are also potentially affected).

Standards, guidelines, certifications – references (Legal reference: to be updated)

The draft law tasks the BSI with developing detailed requirements, standards, and guidelines.

Incident reporting (Legal reference: § 32)

Reporting requirements:

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: § 33)

Entities are requested to provide the following information to the Federal Office no later than 3 months after they are classified as important or essential:

The information is submitted via a registration facility set up jointly by the Federal Office and the Federal Office for Civil Protection and Disaster Assistance.

Fines (Legal reference: § 65)

To be updated.

Competent Authority and designated CSIRT (Legal reference: § 1)

Federal Office for Information Security. BSI (Bundesamt für Sicherheit in der Informationstechnik).

Greece

Status: Transposed
Date of Transposition: 27/11/2024
National law:Law No. 5160
Link: Final Text

Scope (Legal reference: Art. 3, Annex I, II)

NIS2.

Exclusions are limited to law enforcement government agencies only, as well as certain entities that are already under exclusion from the (ΕU) 2022/2554 directive by the Greek government.

Standards, guidelines, certifications – references (Legal reference: Art. 17)

Reference to EU standards under the NIS2 Directive.

Incident reporting (Legal reference: Art. 16)

Incidents are reported to the National CSIRT (of the National Cybersecurity Authority).

Reporting requirements:

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities

(Legal reference: Art. 19 + Link; Art 4, 19 + Link)

Entities are required to submit to the National Cybersecurity Authority the following information:

Registration is currently done via email at register.ncsa@cyber.gov.gr

The law defines two distinct groups of applicable companies. Companies under Article 19 such as DNS/TLD providers, online marketplaces, online search engines, social networks, data centre & network providers, security service providers need to register earlier and have to follow a more strict process for keeping registration information up to date. All other companies have an additional 3 weeks to register and will less strict info update requirements.

Decision (1381/2025) from 10/2/2025 extended registration deadlines.

Deadline for the registration of essential entities related to digital services (e.g., domain name systems, online marketplaces, search engines, social networks, data centres and network providers): 28/03/2025

Deadline for all other entities: 11/04/2025

Fines (Legal reference: Art. 26)

Additional administrative fines are defined for breaches of specific paragraphs of Article 24. Depending on the type of breach, these can range between 20,000 and 800,000 EUR in addition to the standard fines. These fines could concern failures to comply with registration deadlines (up to 200,000 EUR), notification of authorities (up to 100,000 EUR), audits (up to 500,000 EUR, essential and up to 350,000 EUR, important), use of required technology (up to 300,00 EUR) or training (up to 100,000 EUR).

Competent Authority and designated CSIRT (Legal reference: Art.3)
Other Provisions

The law includes provisions regarding the Chief Information Security Officer (CISO) role, including avoiding potential conflicts of interest between CISOs and Data Protection Officers (DPOs).

Hungary

Status: Transposed
Date of Transposition:23/05/2023; Entered into force on 19/10/2024
National law:Act LXIX of 2024 on cybersecurity in Hungary
Link: Primary Law
Implementing Act:Act LXIX of 2024, adopted on 20/12/2024; Entered into force on 01/01/2025
Link: Implementing Act

Scope (Legal reference: Art. 1 (new Act), Annex 1, 2 (old Act))

Sectors and subsectors in addition to NIS2:

(Banking and financial market infrastructures are out of scope and covered by DORA).

The new Act requires entities to classify their data assets, according the data classification, calssify the electronic information systems into three security levels: basic, significant, or high. This classification is based on the risks to data integrity, system availability, and data confidentiality, with stricter security measures applied to higher-risk systems.

Act LXIX of 2024 (adopted 20/12/2024; entered into force 01/01/2025) repealed Act XXIII of 2023.
Link: Government Decree 418/2024

Standards, guidelines, certifications – references (Legal reference: Chapter I, Section 7 (old Act), Art. 16 (new Act))

Reference to EU standards under the NIS2 Directive.

Entities must conduct an impact assessment and asset mapping of their systems, establish a risk management framework, and carry out vulnerability testing, regular evaluations, and continuous monitoring.

Service providers and organisations operating in high-risk and risk sectors are required to sign an agreement with an external auditor company (certified by authorities) within 120 days of registration to conduct a cybersecurity audit, and have a cybersecurity audit carried out for the first time within two years of its registration. The auditor company will check entities’ IS operational practices in every second year.

Incident reporting (Legal reference: Chapter I, Section 27 (old Act),Chapter II, Section 7 (old Act), Art. 1, Art. 66 (new Act), Art. 30 Government Decree 418/2024)

Incident reporting requirements vary by sector, with reporting obligations to the National Defence Cyber Incident Management Centre and sectoral Cyber Incident Management Centres differing for each entity covered by the law.

Article 1 of the new Act lists the subgroups of entities.
Incident constitutes as: a security incident occurred or imminent in the electronic information system where it causes serious disruption or damage to the operation or provision of services by the supervised entity, or causes significant material or non-material damage to other natural or legal persons.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 19, 20 (new Act))

Main requested details (more information in Art. 20):

The new Act requires entities to register with the competent authorities by 31 January 2025. Organisations who already registered are not required to reregister but to provide additional information.

Fines (Legal reference: Art. 21 Government Decree 418/2024)

Corresponds to NIS2.

The competent authority may also impose a fine up to 15,000,00 HUF (failure to comply with statutory obligation by heads of entities).

Competent Authority and designated CSIRT (Legal reference: Art. 1, 38. (new Act), Art 27. Government Decree 418/2024)

Additional responsibilities listed under Chapter VII of the Government Decree 418/2024

Ireland

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Schedule I, II)

NIS2.

Standards, guidelines, certifications – references (Legal reference: Head 30)

NIST 2.0 basis.

Incident reporting (Legal reference: Head 15)

Entities shall notify, without undue delay, the CSIRT of any incident that has a significant impact on the provision of their service.

Reporting requirements :

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Head 21, 31)

Entities are required to provide the following information to the relevant competent authorities:

Entities were requested to submit the information by 17 January 2025.

Fines (Legal reference: Head 44)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: Head 17)

Sectoral authorities.

Italy

Status: Transposed
Date of Transposition: 9/04/2024
National law:Legislative Decree No. 138
Link: Final Text

Scope (Legal reference: Annex I, II, III, IV)

Entities in NIS 2 scope (Annex I and II) plus Annex III (Central, regional, local, and other types of administrations) and Annex IV (Additional types of entities, e.g., local public transport, research institutions, cultural organisations, in-house companies, publicly controlled companies).

Annex III – Further details on public administrations.

Link: Visual representation of sectors in scope
Link: Further details
Link: Timeline for next steps

A safeguard clause, established by the DPCM on February 10, 2025, allows exemptions from regulatory size classifications under the NIS2 Decree (Legislative Decree 138/2024) if a company proves total independence of its NIS2 systems, activities, and services from linked companies. However, entities influencing cybersecurity decisions, managing critical NIS2 systems, or providing ICT/security services to essential entities are not eligible, with requests handled via the National Cybersecurity Agency (ACN) platform.

Standards, guidelines, certifications – references (Legal reference: Art. 24)

Reference to security domains as per NIS2 Directive with further modalities and specifics to be defined in the upcoming months.

Under NIS1, Italy relied both on the National Framework for Cybersecurity and Data Protection and on international frameworks

The technical annexes of the future determinations of the ACN will establish the minimum security requirements to be implemented by October 2026, following the National Framework for Cyber Security and Data Protection (FNCS), which is the Italian adaptation of the NIST Cybersecurity Framework.

Incident reporting (Legal reference: Art. 25)

By January 2026 (within 9 months from the receipt of the notification of inclusion in the list of NIS entities), entities must ensure compliance with the basic obligations regarding incident notification.

Significant incidents if:

Reporting requirements:

Para. 6 – further details on exceptions for trusted services.
Para. 7 – The CSIRT Italia can provide a response and directions and advising on mitigation measures and, if requested, further technical support.
Para. 8-12 – Further details on other notifications and disclosures

Art. 26 – Voluntary incident notifications

Process of registering as an entity in the scope to central authorities (Art. 3 paragraph 4, Art. 7)

Entities falling within one of the sectors/subsectors/types defined by Legislative Decree No. 138/2024 must register on the ACN platform within February 28th, 2025 – with the exception of providers of domain name system services, operators of top-level domain name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, search engines, and social network service platforms, who fall within the scope of the decree and are required to register by January 17th, 2025.

Entities in scope register on the digital platform, providing at least the following information:

The NIS 2 Directive provides the possibility of excluding an entity from the scope of applicability if it is independent from its linked companies that fall within NIS 2 Scope, in terms of ICT systems and networks (Transposition Legislative Decree, Article 3, Paragraph 4)

By March 31st, the competent national authority draws up the list of essential and important entities and communicates:

Organisations (besides public administrations) must perform a self-assessment before registration: https://www.acn.gov.it/portale/faq/nis

Fines (Legal reference: Art. 38)

Para. 8-9

These violations are punishable:

Para. 10-11

These violations are punishable:

Competent Authority and designated CSIRT (Legal reference: Art. 15)

The National Cybersecurity Agency acts as an intermediary to ensure cross-border cooperation between national authorities and the relevant authorities of other Member States, the Commission, and ENISA.

The National Cybersecurity Agency (in a coordinating role) and the Ministry of Defense are the National Authorities for the management of cybersecurity crises.

The CSIRT Italia, the national Computer Security Incident Response Team, also operates within the National Cybersecurity Agency.

Latvia

Status: Transposed
Date of Transposition: 20/06/2024; Entered into force on 01/09/2024
National law:National Cyber Security Act
Link: Final Text

Scope (Legal reference: Art. 3, 20, 21)

NIS2.

Besides essential and important entities, the law applies to holders of critical infrastructure of information technologies.

Standards, guidelines, certifications – references (Legal reference: Art. 45)

Reference to EU standards under the NIS2 Directive.

Incident reporting (Legal reference: Art. 34)

Significant incidents shall be reported, without delay, to the competent Cyber Incidents Response Instiution

Reporting requirements :

Corresponds to NIS2

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 22)

After conducting self-assessment, entities have to notify the National Cyber Security Centre.

Entities are required to submit the following information:

Fines (Legal reference: Art. 46)
Competent Authority and designated CSIRT (Legal reference: Art. 4, 9)

Cyber Incident Response Institutions: Military Intelligence and Security Service, Institute of Mathematics and Computer Science of the University of Latvia and Institute of Mathematics and Computer Science of the University of Latvia , Constitution Protection Bureau.

Lithuania

Status: Transposed
Date of Transposition:Adopted 11/07/2024; has entered into force 18/10/2024. Subordinated act-Governmental decree adopted 11/6/2024; has entered into force 12/11/2024
National law:XII-1428 Law on Cybersecurity of the Republic of Lithuania; Governmental decree on the implementation of the Law of the Republic of Lithuania on Cyber Security
Link: Final Text

Scope (Legal reference: Art. 1, 11)

In addition to NIS2: national security, public security, defence or law enforcement entities.

The Law on Cybersecurity, with the exception of Chapter VII (not a NIS2 regulatory domain), shall not apply to intelligence agencies. This Law shall not apply to credit unions, except credit unions that operate and/or manage network and information systems independently of central credit unions for the provision of services or activities.

Some articles of the Law on Cybersecurity may not apply to entities if EU legislation applicable to them contains requirements to implement cyber security risk management measures, to report major cyber incidents or to appoint persons responsible for cyber security and if the impact of these requirements is at least equivalent to the impact of the requirements set out in this law. It is decided by the Government’s resolution.

Standards, guidelines, certifications – references (Legal reference: Art. 3)

National framework similar to ISO 27001
Reference to ENISA’s Security Measures Reference Document.

The Cyber security measures framework in Lithuania is in force since 2016. It is based on ISO 27001 and was amended several times (first time during the NIS1 transposition).

Incident reporting (Legal reference: Art. 18)

Reporting requirements :

The proposed definition of the ‘incident’ in the amendment to the Cyber Security Law: ‘incident means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 11, 13, 19)

Entities are required to submit the following information:

Identification criteria are based on objective criteria, i.e. size and revenue thresholds, managing and/or maintaining state information resources, etc., and specific criteria ( i.e. assessing whether the entity is the only provider of the service, whether an incident on the entity’s systems could have a ‘cascading’ effect, etc.).

Entities will be registered in register of Cybersecurity entities. The process of identification of essential and critical entities would involve the ministries responsible for the relevant sector of activity, as well as legal and natural persons themselves. Individuals would also have the right to voluntarily apply to be included in the register. Entities will be informed accordingly by electronic notification of their inclusion in the register.

The Register would be regularly updated on the basis of information received from the entities. The detailed process for the identification of entities will be set out in the regulations of the register. Principle of self-declaration is applied only on a small scale.

Fines (Legal reference: Art. 30)
Competent Authority and designated CSIRT (Legal reference: Art. 4, 5, 7, 9, 10)

National Cyber Security Centre (as well national CSIRT).

The cyber security policy is formulated, its implementation is organized, controlled and coordinated by the Ministry of National Defense of the Republic of Lithuania.

It is implemented by the National Cyber Security Center, the Lithuanian Police and the State Data Protection Inspectorate.

The Ministry of Foreign Affairs participates in the formation of the cyber security policy to the extent that it is necessary to determine the legal regulation of the application of diplomatic measures in response to cyber threats and cyber incidents.

Luxembourg

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Annex 1, 2 )

NIS2.

Standards, guidelines, certifications – references (Legal reference: to be updated)

To be updated.

Incident reporting (Legal reference: Art. 14)

Incidents will be reported to Competent Authorities

Reporting requirements :

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 17)

Entities in scope will be required to self-register via an online registration form.

Entities are required to submit the following information to the competent authority:

Link: Registration form

Entities were requested to submit the information by 17 January 2025.

The Forum of Industry Representatives was established as a communication channel allowing members to raise questions regarding the implementation of the measures and enforcement by national authorities.

Fines (Legal reference: Art. 26)

A provision establishing fines for budgetary bodies under GDPR practises is considered. GDPR is also used to guide the mechanism determining the amount and type of fines according to the ‘level’ of the infringement detected.

Competent Authority and designated CSIRT (Legal reference: Chapter 2, Art. 3)

Malta

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Art. 15,20)

NIS2.

Standards, guidelines, certifications – references (Legal reference: Art. 15,20)

Reference to international and European standard.

Incident reporting (Legal reference: Art. 21)

Entities shall inform CSIRTMalta of significant incidents.

Reporting requirements:

Corresponds to NIS2.

Incident reporting obligations will be valid after 9 months from informing the entities about their inclusion in the list of essential and important entities provided by the national authority.

Process of registering as an entity in the scope to central authorities (Legal reference: Part 2, Article 8(3))

Entities in scope will be required to self-register via an online registration form.

Entities are required to register through the national self-registration mechanism, submitting the following information:

Fines (Legal reference: Art. 32)

Corresponds to NIS2.

Competent Authority and designated CSIRT (Legal reference: Art. 6, 8, 11)

Netherlands

Status: Draft Law
Date of Transposition: N/A
National law: Cyberbeveiligingswet
Link: Draft Law

Scope (Legal reference: Annex 1, 2)

NIS2.

Standards, guidelines, certifications – references (Legal reference: Art. 23, 89)

Reference to European and international standards.

Incident reporting (Legal reference: Art. 27, 28, 29, 30, 31)

Entities shall report significant incidents to the relevant CSIRT and the competent authority

Reporting requirements:

Corresponds to NIS2.

Significant incident is defined as one that:

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 45)

Essential entities, important entities and entities providing domain name registration services can register with the NCSC on a voluntary basis from 17 October 2024

Entities are required to provide the following information to the competent Minister:

Fines (Legal reference: Art. 77)
Competent Authority and designated CSIRT (Legal reference: Art. 16)

For now, incidents can be reported to NCSC on a voluntary basis.

Different Ministries as sector-specific authorities.

Poland

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Annex 1)

In addition to NIS2, the following sectors and subsectors are covered under ‘sectors of high criticality:

Standards, guidelines, certifications – references (Legal reference: to be updated)

Not covered by the proposed Act

Incident reporting (Legal reference: Art. 11)

Entities must inform the relevant sectoral CSIRT of significant incidents.

Reporting requirements:

Corresponds to NIS2.

3 types of incidents:

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 7, 49)

Entities will apply for registration in the Register of Essential and Important Entities

The following information is collected:

The cybersecurity authority decides if entities can be classified as important or essential based on the requirements enshrined in the law.

Fines (Legal reference: Art. 73)

The amount of the financial penalty may not exceed EUR 10,000,000, expressed in złoty and determined using the average exchange rate announced by the National Bank of Poland applicable on 31 December in the year preceding the year of issuing the decision to impose the penalty or 2% of the revenues generated by the key entity from business activities in the financial year preceding the year of issuing the decision to impose the penalty, whichever is higher. However, the penalty may not be lower than PLN 20,000.

In the event that the period of conducting business activities is shorter than 12 months or the entity has not generated any revenue, the basis for assessing the financial penalty shall be the equivalent of EUR 500,000, expressed in złoty and determined using the average exchange rate announced by the National Bank of Poland applicable on 31 December in the year preceding the year of issuing the decision to impose the penalty.

The amount of the financial penalty may not exceed EUR 7,000,000, expressed in złoty and determined using the average exchange rate announced by the National Bank of Poland applicable on 31 December in the year preceding the year of issuing the decision to impose the penalty or 1.4% of the revenues generated by the important entity from business activities in the financial year preceding the imposition of the penalty. However, the penalty may not be lower than PLN 15,000.

If a key entity or an important entity violates the provisions of the Act, causing:

Competent Authority and designated CSIRT (Legal reference: Art. 5)

Minister of Digital Affairs.

Four types of CSIRTs:

Minister of Digital Affairs will maintain a list of essential and important entities.

Portugal

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Annex 1, 2)

NIS2 (public administration excluded).

Essential, important and public entities.

Standards, guidelines, certifications – references (Legal reference: Art. 14, 26, 29)

National Reference Framework for Cybersecurity.

Reference to European and international Standards.

Incident reporting (Legal reference: Art. 41, 42, 43, 44)

For each incident subject to mandatory notification, the relevant essential, important and public entities shall submit to the competent authority:

In cases where the incident is resolved within two hours of its detection, the entities are only required to send the notification indicating the end of the incident.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 35)

Important, essential and relevant public entities are obliged to register on the designated electronic platform providing:

Fines (Legal reference: Art. 61, 62, 63)

Serious Offences:

Besides serious offences, the provisions list two more levels of offences for essential, important and public entities.

Competent Authority and designated CSIRT (Legal reference: Art. 55)

Minister of Digital Affairs.

Four types of CSIRTs:

Romania

Status: Transposed
Date of Transposition: 1/1/2025
National law:Emergency Ordinance on the establishment of a framework for the cybersecurity of networks and information systems in civil national cyberspace
Link: Final Text

Scope (Legal reference: Chapter I, Section1 Annex 1, 2)

Framework based on:
NIS2

Link: Implementing acts expected in the first quarter of 2025

Standards, guidelines, certifications – references (Legal reference: Art. 11)

Framework based on:
ISO 27001
NIST 800-53

Incident reporting (Legal reference: Art. 15)

Entities should notify the national CSIRT of significant incidents via the National Platform for the Reporting of Cyber Security Incidents

Reporting requirements:

Corresponds to NIS2.

An incident shall be considered significant if:

Process of registering as an entity in the scope to central authorities (Legal reference: Chapter IV, Section 1 Art. 12, 18)

Essential and important entities were required to contact the DNSC regarding their registration within one month after the law entered into force

Entities submitted the following information:

Essential entities and important entities shall carry out and submit to the DNSC, on an annual basis, a self-assessment of the level of maturity of the cybersecurity risk management measures. Essential entities shall prepare and submit, within 30 days from the completion of the self-assessment, a plan of measures to remedy the identified deficiencies.

Fines (Legal reference: Art. 60)
Competent Authority and designated CSIRT (Legal reference: Chapter I, Section 1)

Slovakia

Status: Transposed
Date of Transposition: 01/01/2025; Entered into force on 22/01/2025
National law:Law on cyber security
Link: Final Text

Scope (Legal reference: Annex 1, 2)

Sectors and subsectors in addition to NIS2:

Standards, guidelines, certifications – references (Legal reference: Art. 18)

Reference to international standards.

Incident reporting (Legal reference: Art. 24)

Reporting of significant cybersecurity incidents should be carried out via the Unified Cybersecurity Information System, providing the following details:

Significant cyber threats should also be reported via the Unified Cybersecurity Information System if the entity:

A significant cyber security incident is considered to be a large-scale cyber security incident and a cyber security incident that:

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 21)

Entities that fall into the scope of the regulation are required to notify the Competent Authority via the Unified Cyber Security Information System and provide:

Fines (Legal reference: Art. 29(l)(n), 31)

Additional fines for service operators and failure to comply with inspection and registration obligations. For instance, up to 1,500 EUR (failure to comply with inspection obligations; up to a total of 15,000 EUR if the fines were imposed repeatedly).

Competent Authority and designated CSIRT (Legal reference: Annex 1, 2)

Competent Authorities for different sectors

Slovenia

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Annex I, II)

NIS2

Standards, guidelines, certifications – references (Legal reference: Art. 5, 21 Explanatory memorandum)

For each incident subject to mandatory notification, the relevant essential, important and public entities shall submit to the competent authority:

Proposal is standard agnostic but supporting document explains that National and ENISA guidelines along with NIST, ISO 27001/27002, CIS Controls, and GDPR should be used.

Incident reporting (Legal reference: Art. 26)

Entities are required to report to the relevant CSIRT:

Corresponds to NIS2.

Incident: an event that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or services provided by or accessible through these network and information systems.

Significant incident: an incident that causes a disruption beyond the capability of the Republic of Slovenia to respond to it, or an incident that significantly affects at least two Member States of the European Union

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 7, 28)

Entities must register with the URSIV through the mechanism for self-registration within 10 working days from the day they meet the identified criteria .

Until the self-registration mechanism is established, the information shall be transmitted in digital form to the e-mail address of the competent national authority.

Fines (Legal reference: Art. 50 – 56)

Additional fines are listed under specific provisions for offences.

Competent Authority and designated CSIRT (Legal reference: Art. 9, 12)

CSIRT SI-CERT (acts as an internal organisational unit at the Public Infrastructure Institute Academic and Research Network of Slovenia).

CSIRT of the State Administration (acts as an internal organisational unit of SIGOV CERT at the competent national authority).

Spain

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Art. 3 Annex 1, 2)

NIS2 plus the nuclear industry as a sector of ‘high criticality’ and private security as a sector in ‘other sectors’.

Standards, guidelines, certifications – references (Legal reference: Art. 33)

Reference to EU certification schemes. Based on the Esquema Nacional de Seguridad (ENS), a national law that defines cybersecurity processes and security controls to be implemented by companies, and provides an accreditation framework.

Incident reporting (Legal reference: Art. 18)

Entities shall notify the competent CSIRT without undue delay of significant incidents.

Reporting requirements:

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 26)

The National Cybersecurity Centre will maintain a register of providers of digital services and infrastructures, collecting the following information:

Corresponds to NIS2.

Fines (Legal reference: Art. 42)

The draft law includes additional fines based on the seriousness of the offence:

Competent Authority and designated CSIRT (Legal reference: Art. 7, 9)

Sweden

Status: Draft Law
Date of Transposition: N/A
National law: N/A
Link: Draft Law

Scope (Legal reference: Chapter 4)

NIS2

Standards, guidelines, certifications – references (Legal reference: Art. 11.2.3)

Reference to European and international standards.

Incident reporting (Legal reference: Art. 7.3)

Significant incidents should be reported to MSB, and all other incidents to the sectoral/regional authority.

Reporting requirements:

The oversight responsibility will be split by industry specific authorities and public sector to regional authorities (e.g. Digital services organisations will declare compliance and incidents to “Post och Telestyrelsen”, while public sector services will answer to their respective regional “Länsstyrelse”).

Corresponds to NIS2.

Process of registering as an entity in the scope to central authorities (Legal reference: Art. 6.2)

Each competent oversight authority will be required to establish their own registry of important and essential entities within their respective authority scope

Requested details:

The information was submitted by 17 January 2025.

The first register will be established and functional by 1 March 2025 and updated every two years after.

Fines (Legal reference: Art. 9.6.2)
Competent Authority and designated CSIRT (Legal reference: Art. 2.1.3)

Swedish Civil Contingencies Agency (MSB) is the assigned CSIRT, but oversight is split per sector/region.

MSB will have the responsibility to coordinate all sectoral/regional authority work, and to ‘hastily’ develop supporting guidance for the sectoral/regional authorities.