How are the EU member states progressing in their implementation of the NIS Directive?

On 6 July 2016, the EU officially adopted the NIS Directive (Directive on security of network and information systems) and gave each EU member state just under two years to implement its requirements into national law.

At the time of the deadline, only eleven countries had managed to do this, but what’s the current situation? We take a look at the NIS Directive implementation tracker to find out.

Austria

Implementation status: Transposed, as the Federal Act for a High Common Level of Security of Network and Information Systems

Belgium

Implementation status: In progress

Bulgaria

Implementation status: Transposed, as the Cyber Security Act (94/2018)

Croatia

Implementation status: In progress

Cyprus

Implementation status: Transposed, as The Security of Network and Information Systems Law of 2018

Czech Republic

Implementation status: Transposed, as the National Cyber Strategy of the Czech Republic for 2015–2020

Denmark

Implementation status: Transposed, as the Danish Requirements for Security of Network and Information Systems within the Health sector, ACT (no. 440/2018), along with Executive Order (no. 458/2018) and Executive Order (no. 459/2018)

Estonia

Implementation status: Transposed, as the Cybersecurity Act

Finland

Implementation status: Transposed, with the necessary changes made to existing sector-specific acts.

France

Implementation status: Transposed, as Decree No. 2018-384

Germany

Implementation status: Transposed, with the Implementation Act (Federal Law Gazette, BGBI. I 2017 of 29 June 2017) amending the Act on the Federal Office for Information Security, Atomic Energy Act, Energy Industry Act, Social Insurance Code V and the Telecommunications Act

Greece

Implementation status: In progress

Hungary

Implementation status: Transposed, with Act 134 of 2017 and Government Decree 394/2017 (XII. 13) modifying certain interior-related tasks and corresponding laws.

Ireland

Implementation status: Transposed, as Statutory Instrument No. 360 of 2018

Italy

Implementation status: Transposed, as Legislative Decree 65/2018

Latvia

Implementation status: Transposed, as IT Security Law

Lithuania

Implementation status: In progress

Luxembourg

Implementation status: In progress

Malta

Implementation status: In progress

Netherlands

Implementation status: Transposed, as Network and Information Systems Security Act

Poland

Implementation status: Transposed, as Act of 5 July 2018 on the National Cyber Security System

Portugal

Implementation status: Transposed, as The legal regime of Cyberspace Security – Law No. 46/ 2018 of August 13

Romania

Implementation status: Transposed, as Ensuring high level of security of information networks and systems

Slovakia

Implementation status: Transposed, as Act of January 30, 2018 on Cybersecurity and on Amendments and Supplements to certain Acts

Slovenia

Implementation status: Transposed, as the Act on Information Security (Official Gazette of the RS, No. 30/18)

Spain

Implementation status: Transposed, as Royal Decree-Law 12/2019, September 7, on security of networks and information systems

Sweden

Implementation status: Transposed, as the Law on information security for socially important and digital services

United Kingdom

Implementation status: Transposed, as The Network and Information Systems Regulations 2018

Make the NIS Directive a priority

The number of member states that have implemented the NIS Directive has doubled since the compliance deadline, with only six lagging behind (Belgium, Croatia, Greece, Lithuania, Luxembourg and Malta).

Still, that’s hardly reason to celebrate. The Directive has been in effect for almost a year now, so there’s no reason why any member state shouldn’t have implemented it.  Failure of national governments to transpose the legislation into law prevents organisations from making the necessary changes, therefore increasing the possibility of serious breaches.

Fortunately, this isn’t a problem in the UK and many other countries. The UK government was one of the few to implement the Directive before the compliance deadline, and it has published plenty of guidance to help organisations understand their requirements.

Any organisation that wants help meeting the UK’s version of the Directive, the NIS Regulations, should take a look at our green papers. We explain the compliance requirements in an easy-to-understand way and offer tailored advice for OES (operators of essential services) and DSPs (digital service providers):

No Responses

Leave a Reply

Your e-mail address will not be published. Required fields are marked *