How is the NIS2 directive implemented across the European Union?
As an EU directive, NIS2 sets out common objectives and minimum requirements for cyber security, but each EU Member State is responsible for transposing these rules into its own national legislation. This approach allows countries to tailor the directive's provisions to their specific legal and regulatory environments, resulting in some variation in how NIS2 is implemented and enforced across Member States.
As a result, organisations operating in several European jurisdictions must navigate multiple national laws, deadlines and reporting requirements, even though the overarching aim is to harmonise cyber security standards and strengthen resilience across critical sectors.
As of mid-July 2025, 14 out of 27 EU Member States have transposed the NIS2 Directive into national law, according to ECSO.
The following nations have not yet transposed the NIS2 Directive:
- Austria
- Bulgaria
- Czechia
- Estonia
- France
- Germany
- Ireland
- Luxembourg
- Netherlands
- Poland
- Portugal
- Spain
- Sweden


Country-level NIS2 adoption examples: Belgium, Germany and Finland
Belgium, Germany, and Finland are each advancing with the implementation of the NIS2 Directive, but at different paces and with distinct national nuances.
1. Belgium:
The NIS2 Law came into force on 18 October 2024.
1.1 How it operates:
- The Centre for Cybersecurity Belgium (CCB) is designated as the national authority, overseeing compliance, registration and enforcement. Essential and important entities must register with the CCB and implement robust cyber security risk management, incident reporting and governance measures.
- The CCB's conformity assessment of essential entities takes a gradual approach. Deadlines run from the law's entry into force on 18 October 2024, so "18 months" means 18 April 2026 and the further 12 months means 18 April 2027:

| Compliance route | Deadline | Verification requirement |
|---|---|---|
| CyFun® Assurance Level Basic | 18 months (by 18/4/26 at the latest) | Basic verification by an accredited and authorised Conformity Assessment Body (CAB) |
| CyFun® Assurance Level Important | 18 months (by 18/4/26 at the latest) | Basic or Important verification by an accredited and authorised CAB, with optional upgrade to the Important level within a further 12 months (by 18/4/27) |
| CyFun® Assurance Level Essential | 18 months (by 18/4/26) plus a further 12 months (by 18/4/27) | Basic or Important verification by an accredited and authorised CAB within 18 months, followed by Essential certification within a further 12 months |
| ISO/IEC 27001 certification | 18/4/26 | Transmit the scope and statement of applicability to the CCB |
| ISO/IEC 27001 certification | 18/4/27 | Obtain certification from an accredited and authorised CAB |
| Direct inspection by the CCB | 18/4/26 | Transmit a self-assessment against CyFun® AL Basic or Important, or transmit the ISO/IEC 27001 information security policy, scope and statement of applicability to the CCB |
- Entities must determine their required Assurance Level (AL) based on their risk assessment.
- Compliance deadlines vary depending on the chosen AL.
1.2 Compliance Options:
- CyberFundamentals (CyFun) Framework: Developed by the Centre for Cybersecurity Belgium (CCB), CyFun is the primary national compliance framework.
- ISO 27001: Recognised as an alternative to CyFun for demonstrating compliance.
1.3 Non-compliance
The law introduces fines of up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities, highlighting the need for immediate action by affected organisations.
2. Germany
The NIS2 Implementation Act (NIS2UmsuCG) is still under parliamentary review because of ongoing legislative delays. The NIS2 Directive was due to be transposed into national law by 17 October 2024, a deadline that Germany and several other EU Member States missed. Many governments have finalised the basics, but in Germany parliamentary approval of the full legal implementation has not yet been given.
2.1 How it operates:
The 2025 draft extends the EU minimum cyber security standards of the NIS2 Directive into German law and expands the scope to potentially more than 30,000 essential and important entities. The Federal Office for Information Security (BSI) will supervise compliance, and the law will introduce stricter requirements for risk management, incident reporting and management accountability. The NIS2UmsuCG is scheduled to come into force in 2025.
2.2 Compliance Options:
- BSI IT-Grundschutz: The German Federal Office for Information Security’s (BSI) own framework, often used as an alternative or supplement to ISO 27001.
- B3S: industry-specific security standards (Branchenspezifische Sicherheitsstandards) for companies in critical infrastructure sectors.
These requirements are not exhaustive, and companies must consult the NIS2 directive and relevant German regulations for specific details on their obligations.
2.3 Non-compliance
For essential and critical entities, the fine for non-compliance with the NIS2 Directive is up to €10 million or 2% of annual global turnover (whichever is higher). For important entities, the maximum fine is €7 million or 1.4% of annual global turnover (whichever is higher).
3. Finland
The law entered into force on July 1, 2025, and entities must register by September 30, 2025. Full compliance for essential entities is required by March 31, 2026.
3.1 How it operates:
- Finland has implemented the EU's NIS2 Directive through the Cybersecurity Act (Kyberturvallisuuslaki), Act 124/2025. This Act centralises cyber security obligations and replaces previous sector-specific laws under the original NIS Directive (NIS1).
- The Act establishes cyber security risk management and incident reporting requirements for entities classified as either essential (välttämättömät toimijat) or important (tärkeät toimijat) based on criteria like employee count and turnover.
- The scope of covered entities has expanded significantly, from about 1,100 under NIS1 to approximately 5,500 under NIS2. This includes large and mid-sized companies across sectors such as telecommunications, healthcare, manufacturing, energy, finance, and public administration.
- Digital infrastructure providers (e.g., DNS services, cloud platforms) are regulated regardless of their size.
- The National Cyber Security Centre Finland (NCSC-FI), operating within the Finnish Transport and Communications Agency (Traficom), coordinates supervision and incident response, including managing the CSIRT functions.
3.2 Compliance Options:
- Certification such as ISO 27001 or Finnish Katakri Level IV accreditation can facilitate compliance, but does not fully replace the need to meet all requirements.
- Cybermeter developed by the National Cyber Security Centre (NCSC-FI) is based on the international NIST Cybersecurity Framework and Cybersecurity Capability Maturity Model (C2M2).
For more information, see Traficom’s recommendations on cybersecurity risk management measures.
3.3 Non-compliance
Penalties for non-compliance can be severe:
- Regulators can fine essential entities (major operators) up to €10 million or 2% of their global annual turnover for the previous financial year, whichever is higher.
- Regulators can fine important entities (non-major operators) up to €7 million or 1.4% of their global annual turnover for the previous financial year, whichever is higher.
- Management can be held personally liable for gross negligence: temporary bans from management positions can be imposed on responsible executives or managers in cases of serious or repeated violations, failure to implement remedial actions, or inadequate incident oversight.
How can my organisation ensure compliance with NIS2 regulations when operating in multiple European jurisdictions?
For organisations operating across multiple EU jurisdictions, the NIS2 Directive introduces a complex landscape of cyber security related compliance obligations.
Under NIS2, entities may need to comply with multiple jurisdictional rules depending on the types of services they provide. For instance, a single entity might:
- Operate under the service location rule for telecom services.
- Fall under the establishment rule for electricity production.
- Be subject to the main establishment rule for managed security services.
The main establishment rule under the NIS2 Directive determines which EU Member State has primary supervisory authority over an entity when that entity operates in multiple EU countries.
The service location rule instead ties jurisdiction to the Member State in which the service is provided, and therefore to that state's laws and supervisory authority, rather than to the Member State in which the entity is established.
As a result, such entities could be governed by multiple national laws and supervisory authorities, depending on both the service type and the location of their operations.
| Rule | Applies to | Trigger | Legal basis (Directive (EU) 2022/2555) |
|---|---|---|---|
| Establishment rule | EU-based entities | Entity is established in an EU Member State | Article 26(1) |
| Service location rule | Providers of public electronic communications networks or services (telecom) | Entity provides those services in a Member State, regardless of where it is established | Article 26(1)(a) |
| Main establishment rule | Cloud, data centre, managed (security) service providers and similar digital services | Entity provides these services in several Member States; the Member State in which decisions on cyber security risk management are predominantly taken has jurisdiction | Article 26(1)(b) and 26(2) |
| Representative rule | Non-EU entities of the above digital service types | Entity offers services within the EU and must designate a representative in one of the Member States in which it does so | Article 26(3) |
Additionally, the NIS2 Directive's applicability and obligations are determined on an individual organisational basis, not by group or holding company structures. Therefore, each entity must independently assess its services to ascertain if it falls within NIS2's scope. This can lead to situations where a subsidiary is subject to NIS2 compliance, while its parent company is not.
Certain digital service providers such as cloud service, data centre, and managed security providers may benefit from a “one-stop-shop” approach, whereby compliance is overseen by the regulator in their primary EU location.
However, it is imperative for organisations to establish a control framework that aligns with compliance requirements across all relevant jurisdictions—or, at a minimum, with the most stringent among them.
In most cases, we recommend anchoring the framework to a recognised standard, such as ISO 27001 or the NIST Cybersecurity Framework (CSF). We also recommend addressing jurisdiction-specific variations at the control level.
As a result, firms must be proactive in harmonising their cyber security policies, ensuring robust risk management, and engaging with local legal and compliance experts. Early preparation is essential to avoid regulatory pitfalls, reputational risk, and significant financial penalties under the NIS2 framework.

NIS2 Directive Compliance Support
With over 30 years of experience helping financial entities manage risk, Thomas Murray is well positioned to support your organisation through NIS2 compliance and beyond.
Our expertise lies at the intersection of cyber security, operational resilience, risk management, and regulatory compliance. Our consultants work closely with you to deliver insights based on real threat actor activity and industry-specific intelligence.
