National cybersecurity laws across the European Union are undergoing fundamental transformation. The NIS2 directive requires member states to transpose its provisions into national legislation, replacing or significantly amending existing cybersecurity frameworks. From Germany’s IT Security Act to France’s national cybersecurity law to Poland’s National Cybersecurity System Act - every country is adapting.
This article analyzes how NIS2 is reshaping national cybersecurity legislation, what common patterns are emerging, and what organizations operating across borders need to know.
Why does NIS2 require national law changes?
NIS2 is a directive, not a regulation. Unlike GDPR or DORA, which apply directly, directives must be transposed into national law. This gives member states some flexibility in implementation while ensuring minimum harmonization.
The original NIS framework
The first NIS Directive (2016) created national cybersecurity frameworks across Europe. Each country established:
- A national cybersecurity strategy
- Competent authorities for different sectors
- Computer Security Incident Response Teams (CSIRTs)
- Cooperation mechanisms with other member states
However, implementation varied significantly. Some countries had strict requirements; others were more lenient. The definition of “operator of essential services” differed between jurisdictions.
What NIS2 changes
NIS2 addresses these inconsistencies by:
- Expanding scope dramatically - from a few hundred entities per country to potentially thousands
- Harmonizing requirements - minimum security measures are now specified in the directive
- Standardizing penalties - maximum fines are set at EU level
- Introducing board accountability - management responsibility is explicit
- Strengthening supervision - proactive oversight, not just reactive
What are the main changes in national laws?
Regardless of country, NIS2 transposition follows common patterns.
New entity classification
Previous classification:
- Operators of Essential Services (OES)
- Digital Service Providers (DSP)
New classification under NIS2:
- Essential entities
- Important entities
The distinction matters for supervision intensity and penalty levels, but both categories face similar security requirements.
Essential entities include:
- Large enterprises (250+ employees or EUR 50M+ turnover) in essential sectors
- Entities specifically designated by national authorities
- Qualified trust service providers
- Top-level domain registries and DNS providers
Important entities include:
- Medium enterprises (50-250 employees) in essential sectors
- Medium and large enterprises in important sectors
- Specifically designated entities
Expanded sectoral coverage
Essential sectors (11):
- Energy (electricity, gas, oil, district heating, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Important sectors (7):
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food manufacturing and distribution
- Manufacturing (medical devices, computers, electronics, machinery, vehicles)
- Digital service providers (marketplaces, search engines, social networks)
- Research organizations
Mandatory security measures
NIS2 specifies minimum measures that national laws must require. These ten areas form the baseline:
- Risk analysis and information system security policies
- Incident handling (prevention, detection, response)
- Business continuity (backup management, disaster recovery, crisis management)
- Supply chain security
- Security in system acquisition, development, and maintenance (including vulnerability handling)
- Policies and procedures to assess security measure effectiveness
- Basic cyber hygiene practices and training
- Cryptography and encryption policies
- Human resources security, access control, asset management
- Multi-factor or continuous authentication
Incident reporting requirements
National laws implement a three-stage reporting system:
Early warning:
- Within 24 hours of detection
- Initial indication of significant incident
- Preliminary assessment of cross-border impact
Incident notification:
- Within 72 hours of detection
- Update on early warning information
- Initial severity and impact assessment
Final report:
- Within one month of notification
- Detailed incident description
- Root cause analysis
- Remediation measures taken
- Cross-border effects (if applicable)
Penalty frameworks
NIS2 sets maximum penalties that national laws must implement:
For essential entities:
- Up to EUR 10,000,000, or
- 2% of total annual worldwide turnover (whichever is higher)
For important entities:
- Up to EUR 7,000,000, or
- 1.4% of total annual worldwide turnover
Management accountability:
- Possibility of temporary management bans
- Personal liability for violations
- Mandatory cybersecurity training for board members
How are different countries implementing NIS2?
While the directive sets minimum standards, implementation approaches vary.
Germany
Germany’s approach builds on its existing IT Security Act (IT-Sicherheitsgesetz). Key features:
- Federal Office for Information Security (BSI) as central authority
- Sector-specific regulations for critical infrastructure
- Strong emphasis on certification requirements
- Detailed technical standards and guidelines
Germany has historically had stringent cybersecurity requirements, so NIS2 represents an evolution rather than a revolution.
France
France leverages its National Agency for Information Systems Security (ANSSI). Implementation highlights:
- Centralized coordination through ANSSI
- Sector-specific annexes with detailed requirements
- Strong public sector focus
- Integration with existing critical infrastructure protection
French implementation emphasizes strategic autonomy and national security considerations.
Netherlands
The Dutch approach focuses on:
- Sector-specific regulators with cybersecurity competencies
- Emphasis on public-private cooperation
- Integration with existing frameworks (like NCSC guidelines)
- Pragmatic, risk-based implementation
Poland
Poland is amending its National Cybersecurity System Act (Ustawa o krajowym systemie cyberbezpieczeństwa). Key elements:
- Three-CSIRT structure (CSIRT NASK, CSIRT GOV, CSIRT MON) maintained
- Sector-specific competent authorities
- Integration with critical infrastructure protection
- Emphasis on public administration coverage
Common implementation challenges
Across jurisdictions, similar challenges emerge:
Scope determination:
- Which entities meet size thresholds?
- How to handle groups and subsidiaries?
- Cross-border entity classification
Authority coordination:
- Multiple sector regulators
- CSIRT responsibilities
- Cross-border cooperation
Transition periods:
- Existing OES becoming essential/important entities
- New entities entering scope
- Grace periods for compliance
What does this mean for multinational organizations?
Organizations operating across multiple EU countries face specific challenges.
Jurisdiction determination
Under NIS2, entities are generally subject to the law of the member state where they have their main establishment. However:
- DNS providers and TLD registries may be subject to multiple jurisdictions
- Cloud providers have specific rules based on service location
- Groups may have different entities in different jurisdictions
Compliance harmonization
While NIS2 harmonizes requirements, national implementations can still differ in:
- Specific technical standards referenced
- Notification procedures and formats
- Supervision approaches and inspection frequency
- Penalty application guidelines
Strategy for multinationals:
- Implement the strictest interpretation across all jurisdictions
- Maintain jurisdiction-specific documentation where required
- Establish clear internal reporting lines to competent authorities
- Consider group-wide security policies with local annexes
Single point of contact
NIS2 allows for single points of contact for pan-European operations. Organizations should:
- Identify main establishment jurisdiction
- Designate representatives where required
- Establish communication channels with all relevant authorities
- Document group structure and responsibilities
How does NIS2 change the role of national CSIRTs?
Computer Security Incident Response Teams play a crucial role in the NIS2 framework.
Enhanced responsibilities
National CSIRTs under NIS2 must:
- Receive and process incident notifications
- Provide support to entities during incidents
- Coordinate vulnerability disclosure
- Analyze threats and provide early warnings
- Participate in EU-level coordination (EU-CyCLONe)
Cooperation framework
NIS2 strengthens CSIRT cooperation through:
- Mandatory information sharing between national CSIRTs
- Participation in EU CSIRT network
- Joint response to cross-border incidents
- Standardized communication protocols
Support for entities
CSIRTs are expected to actively support covered entities:
- Provide guidance on security measures
- Assist during incident response
- Share threat intelligence
- Offer technical expertise
What should organizations do to prepare?
Regardless of specific national implementation, organizations should take concrete steps.
Determine your status
Step 1: Sector assessment
- Identify which NIS2 sector(s) your organization operates in
- Check both essential and important sector lists
- Consider all business activities, not just primary ones
Step 2: Size assessment
- Calculate employee numbers (including subsidiaries)
- Determine turnover and balance sheet totals
- Apply the thresholds for your sector
Step 3: Designation check
- Monitor national authority communications
- Check if your organization might be specifically designated
- Consider critical function dependencies
Implement baseline measures
Don’t wait for final national laws. The NIS2 requirements are clear:
Immediate priorities:
- Conduct comprehensive risk assessment
- Implement multi-factor authentication
- Establish incident response procedures
- Document security policies
Short-term actions:
- Assess supply chain security
- Update business continuity plans
- Train staff on cyber hygiene
- Implement vulnerability management
Ongoing requirements:
- Regular security measure testing
- Continuous monitoring and improvement
- Board-level reporting and oversight
- Documentation maintenance
Prepare incident reporting
Establish processes for the three-stage reporting requirement:
Detection and classification:
- Define what constitutes a “significant incident”
- Establish detection capabilities
- Create classification criteria
Notification procedures:
- Identify competent authority and CSIRT contacts
- Prepare notification templates
- Define internal escalation paths
- Practice with tabletop exercises
Documentation:
- Maintain incident logs
- Document response actions
- Prepare for post-incident reporting
Engage the board
NIS2 explicitly requires management body involvement:
Board responsibilities:
- Approve cybersecurity risk management measures
- Oversee implementation
- Undergo cybersecurity training
- Bear accountability for compliance
Practical steps:
- Schedule regular cybersecurity briefings
- Include cyber risk in board agendas
- Ensure board training programs
- Document board decisions and oversight
How does national NIS2 implementation connect with other regulations?
National cybersecurity laws don’t operate in isolation.
NIS2 and GDPR
Both regulations address security, but with different focuses:
- GDPR protects personal data
- NIS2 protects networks and systems
An incident may trigger obligations under both frameworks. Organizations need integrated incident response that addresses:
- Personal data breach notification (72 hours under GDPR)
- Significant incident notification (24 hours early warning under NIS2)
- Different competent authorities (DPA vs. sector regulator/CSIRT)
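As an added example (not code from the original article), the following Python turns the three-stage NIS2 timeline described earlier and the parallel GDPR clock above into a single deadline calculator. It assumes "one month" means one calendar month (national law decides the exact reading) and that the incident and any personal data breach are detected at the same moment.

```python
# Added example: NIS2 three-stage reporting deadlines plus the GDPR 72h breach clock.
# Assumptions: "one month" = one calendar month (day clamped to month length);
# personal data breach awareness coincides with incident detection.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NIS2_EARLY_WARNING = timedelta(hours=24)   # counted from detection
NIS2_NOTIFICATION = timedelta(hours=72)    # counted from detection
GDPR_BREACH_NOTICE = timedelta(hours=72)   # counted from awareness of the breach


def add_calendar_month(dt: datetime) -> datetime:
    """Same day next month; clamp to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: datetime
    gdpr_breach_notification: Optional[datetime]  # None when no personal data is involved


def reporting_deadlines(detected_at: datetime, personal_data_involved: bool) -> ReportingDeadlines:
    """Compute every regulatory deadline triggered by one significant incident."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware; naive times cause off-by-hours deadlines")
    notification = detected_at + NIS2_NOTIFICATION
    return ReportingDeadlines(
        early_warning=detected_at + NIS2_EARLY_WARNING,
        incident_notification=notification,
        # The final report runs one month from the 72h notification, not from detection.
        final_report=add_calendar_month(notification),
        gdpr_breach_notification=detected_at + GDPR_BREACH_NOTICE if personal_data_involved else None,
    )


def overdue_stages(deadlines: ReportingDeadlines, now: datetime) -> list:
    """Names of the stages whose deadline has already passed at `now`, in timeline order."""
    stages = [
        ("early_warning", deadlines.early_warning),
        ("incident_notification", deadlines.incident_notification),
        ("final_report", deadlines.final_report),
        ("gdpr_breach_notification", deadlines.gdpr_breach_notification),
    ]
    return [name for name, due in stages if due is not None and now > due]


if __name__ == "__main__":
    # Constructed sample: incident detected 30 Jan 2025 10:00 UTC, personal data affected.
    d = reporting_deadlines(datetime(2025, 1, 30, 10, tzinfo=timezone.utc), personal_data_involved=True)
    print(d)
    print(overdue_stages(d, datetime(2025, 2, 1, 10, tzinfo=timezone.utc)))
```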
NIS2 and DORA
For financial sector entities, DORA takes precedence as lex specialis:
- DORA has specific requirements for financial services
- NIS2 applies only supplementarily, where DORA does not cover a matter
- Both may require incident notification
NIS2 and CER
Critical infrastructure may be subject to both:
- CER addresses physical resilience
- NIS2 addresses cyber resilience
- Entities may need to comply with both frameworks
NIS2 and sector-specific regulations
Many sectors have additional requirements:
- Energy sector: network codes, security of supply
- Telecoms: European Electronic Communications Code
- Healthcare: medical device regulations, patient safety
- Financial services: sector-specific prudential rules
Summary - preparing for the new cybersecurity landscape
NIS2 national implementation represents the most significant change to European cybersecurity regulation in years. Organizations must adapt to new requirements regardless of where they operate in the EU.
Key changes at a glance
| Aspect | Previous (NIS1) | New (NIS2) |
|---|---|---|
| Entities | OES, DSP | Essential, Important |
| Sectors | ~7 | 18 |
| Maximum penalties | National variation | EUR 10M / 2% turnover |
| Incident reporting | 24-72 hours | 24h warning, 72h notification, 1 month report |
| Board responsibility | Implicit | Explicit with personal liability |
| Supply chain | Optional | Mandatory |
| MFA | Recommended | Required |
Action items for organizations
For entities already under NIS1:
- Conduct gap analysis against new requirements
- Plan board training and engagement
- Update incident reporting procedures
- Strengthen supply chain security
For newly covered entities:
- Determine if you’ll be essential or important
- Conduct baseline risk assessment
- Implement fundamental security measures
- Build cybersecurity competencies
For all organizations:
- Don’t wait for final national laws
- NIS2 requirements are known
- Starting preparation now provides advantage
National NIS2 implementation is not just a legal requirement - it’s an opportunity to genuinely improve cybersecurity posture. Organizations that treat it seriously will be better protected against the ever-growing cyber threat landscape.
Need support preparing for NIS2 national implementation? Contact us - we’ll help conduct compliance analysis and plan your adaptation activities.