NIS2 is the European Union's cybersecurity directive, which builds on its forerunner to ensure stronger protection and resilience. In this blog article, we take a closer look at the national implementation required by the NIS2 Directive and at the resulting local laws: which ones are available in Cyberday, and how do they differ from the European Directive?
The NIS2 Directive is an updated version of the original NIS Directive. It extends the scope of the original Directive and aims to strengthen cybersecurity across the European Union. The NIS2 Directive applies to a wide range of sectors that are critical to the operation of the economy, such as energy, transport, water, food, health, finance, digital infrastructure, manufacturing and many others.
In spring 2024 we published an e-book on getting NIS2-ready with ISO 27001 best practices. In our free e-book, we guide you through the world of NIS2 and the contents of the directive, and give you practical tips on how to achieve compliance. Grab yours here: cyberday.ai/ebook
NIS2 & local legislation
EU Member States were required to transpose the NIS2 Directive into national law by 17 October 2024, with the national measures applying shortly after. While many missed the deadline, progress is ongoing, and most countries are expected to finalize their legislation soon. The Directive broadens the sectors covered and strengthens requirements for risk management, cybersecurity measures, incident reporting and supply chain security.
Key national-level decisions include naming the local authorities and defining the implementation and monitoring details. The Directive sets a minimum level of requirements: Member States may add stricter or more detailed national rules, but may not go below the Directive's minimum. Considerations include:
Regulatory Authorities:
NIS2 places significant emphasis on the role of public authorities in ensuring the cyber security of critical services and critical infrastructure in the European Union and stresses the need for increased cooperation between public authorities in EU Member States.
National legislation should specify which authorities are responsible for monitoring the implementation of NIS2 in the country concerned, and whether, for example, the monitoring is divided between different authorities according to their areas of competence. Countries must designate local authorities to ensure compliance with NIS2 rules: this means designating national supervisory authorities or creating new supervisory teams for sectors such as energy, health and transport.
Implementation and monitoring:
NIS2 establishes clear and stringent requirements for implementation and monitoring to ensure compliance by both organizations and Member States. Member States must apply supervisory and enforcement measures to essential and important entities that are effective, proportionate and dissuasive, while considering the specific circumstances of each case. If supervision reveals evidence or indications of non-compliance, authorities must take appropriate action; for important entities this supervision is ex post, i.e. triggered by such evidence, while essential entities are also subject to proactive supervision. Additionally, countries must designate computer security incident response teams (CSIRTs) to handle and investigate cybersecurity incidents.
Risk management and security measures:
According to NIS2, an organisation should have well-defined policies to manage information security risks, assess the effectiveness of security measures and identify key areas for improvement.
The NIS2 Directive specifically identifies the following areas of information security for which the organisation must document and implement its actions, and the organisation's management is responsible for the adequacy of those actions:
- Risk management and system security
- Incident management, logging and detection
- Business continuity and backup
- Supply chain security and control
- Secure system acquisition and development
- Evaluation of the effectiveness of security measures
- Information security hygiene practices and training
- Cryptography and encryption
- Staff security
- Access management
- Asset management
- Multi-factor authentication (MFA)
Tip: To assess the adequacy of information security measures, it is useful to use generally accepted content such as ISO 27001.
Each Member State must ensure that in-scope organisations take appropriate and proportionate measures to manage the risks to their network and information systems. These measures include assessing and addressing the security of the organisation's supply chain and its relationships with direct suppliers and service providers, as well as regularly reviewing the risks themselves.
Incident detection and reporting:
Under NIS2, significant incidents must be reported to the national CSIRT or competent authority. The Directive itself sets the minimum timeline (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month), and national legislation defines in practice to whom and how incidents are reported. NIS2 thus sets the basic standard, but countries can set stricter or more detailed rules according to their own needs.
At national level, it is also possible to go beyond the scope of the NIS2 Directive and to add specifications according to national needs. These national choices ensure that the NIS2 Directive fits each country's legislation while maintaining a coherent approach to cybersecurity across the EU.
What local NIS2 laws are available in Cyberday?
Belgium: La loi NIS2 🇧🇪
Belgium has implemented the European Union's NIS2 Directive into national law as the NIS2 Act. This legislation closely aligns with the EU directive, incorporating only minor national adaptations. It establishes cybersecurity requirements for companies operating in critical sectors and registered in Belgium. Key national measures include specific registration procedures and conformity assessments.
Croatia: Zakon o kibernetičkoj sigurnosti 🇭🇷
Croatia's implementation of NIS2, the Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, NN 14/2024), entered into force in February 2024. It defines cybersecurity rules for Croatian organisations using the same criteria as NIS2, with some national additions, such as the inclusion of additional sectors, a detailed categorization of entities, defined timelines for compliance, and specified penalties.
Finland: Kyberturvallisuuslaki 🇫🇮
At the time of writing, Finland's "Kyberturvallisuuslaki" is awaiting final approval, but it can already be used for implementation. The Cybersecurity Act creates a clear legal framework for information security risk management and incident reporting in line with the NIS2 Directive. The new law aims to unify Finland's currently fragmented cybersecurity legislation and harmonise it with the EU-wide standards introduced by NIS2. It broadens the scope of risk management and reporting requirements and clarifies which companies and public institutions have to comply with them. The Cybersecurity Act takes the minimum level of the Directive as its starting point and mainly defines the points corresponding to the content of the Directive: it does not extend the scope of the NIS2 Directive or add to its means of control.
Latvia: Nacionālās kiberdrošības likums 🇱🇻
NIS2 has been adopted as the "National Cyber Security Act" in Latvia. Its purpose is to improve the security of information and communication technologies, including by setting requirements for the provision and receipt of essential and important services and for the operation of information and communication technologies. The Act expands the scope to include both public and private sector organizations, categorizing them into three groups based on criticality.
Lithuania: Kibernetinio Saugumo Įstatymas 🇱🇹
The Cybersecurity Act "Kibernetinio Saugumo Įstatymas" implements the European Union's NIS2 Directive in Lithuania. It sets out requirements for various organisations to strengthen their cybersecurity risk management. The Lithuanian act introduces an expanded scope, detailed implementation timelines (12 months from an entity's inclusion in the scope), and defined supervisory roles.
Start implementing the national legislation in Cyberday
You can now activate your national laws in Cyberday! You can find the general EU version of the NIS2 Directive as well as the national laws of the countries listed above. Activate the legislation of your choice with a click of a button.
Questions and feedback?
If you have any further questions, you can contact our team via chat or by email at team@cyberday.ai. We are also happy to receive feedback on the use of Cyberday.