On 6 July 2016, the EU officially adopted the NIS Directive (Directive on security of network and information systems) and gave each EU member state just under two years to implement its requirements into national law.
At the time of the deadline, only eleven countries had managed to do this, but what’s the current situation? We take a look at the NIS Directive implementation tracker to find out.
Austria
Implementation status: Transposed, as the Federal Act for a High Common Level of Security of Network and Information Systems
Belgium
Implementation status: In progress
Bulgaria
Implementation status: Transposed, as the Cyber Security Act (94/2018)
Croatia
Implementation status: In progress
Cyprus
Implementation status: Transposed, as The Security of Network and Information Systems Law of 2018
Czech Republic
Implementation status: Transposed, as the National Cyber Strategy of the Czech Republic for 2015–2020
Denmark
Implementation status: Transposed, as the Danish Requirements for Security of Network and Information Systems within the Health sector, ACT (no. 440/2018), along with Executive Order (no. 458/2018) and Executive Order (no. 459/2018)
Estonia
Implementation status: Transposed, as the Cybersecurity Act
Finland
Implementation status: Transposed, with the necessary changes made to existing sector-specific acts.
France
Implementation status: Transposed, as Decree No. 2018-384
Germany
Implementation status: Transposed, with the Implementation Act (Federal Law Gazette, BGBl. I 2017 of 29 June 2017) amending the Act on the Federal Office for Information Security, Atomic Energy Act, Energy Industry Act, Social Insurance Code V and the Telecommunications Act
Greece
Implementation status: In progress
Hungary
Implementation status: Transposed, with Act 134 of 2017 and Government Decree 394/2017 (XII. 13) modifying certain interior-related tasks and corresponding laws.
Ireland
Implementation status: Transposed, as Statutory Instrument No. 360 of 2018
Italy
Implementation status: Transposed, as Legislative Decree 65/2018
Latvia
Implementation status: Transposed, as IT Security Law
Lithuania
Implementation status: In progress
Luxembourg
Implementation status: In progress
Malta
Implementation status: In progress
Netherlands
Implementation status: Transposed, as Network and Information Systems Security Act
Poland
Implementation status: Transposed, as Act of 5 July 2018 on the National Cyber Security System
Portugal
Implementation status: Transposed, as The legal regime of Cyberspace Security – Law No. 46/2018 of August 13
Romania
Implementation status: Transposed, as Ensuring high level of security of information networks and systems
Slovakia
Implementation status: Transposed, as Act of January 30, 2018 on Cybersecurity and on Amendments and Supplements to certain Acts
Slovenia
Implementation status: Transposed, as the Act on Information Security (Official Gazette of the RS, No. 30/18)
Spain
Implementation status: Transposed, as Royal Decree-Law 12/2019, September 7, on security of networks and information systems
Sweden
Implementation status: Transposed, as the Law on information security for socially important and digital services
United Kingdom
Implementation status: Transposed, as The Network and Information Systems Regulations 2018
Make the NIS Directive a priority
The number of member states that have implemented the NIS Directive has doubled since the compliance deadline, with only six lagging behind (Belgium, Croatia, Greece, Lithuania, Luxembourg and Malta).
Still, that’s hardly reason to celebrate. The Directive has been in effect for almost a year now, so there’s no reason why any member state shouldn’t have implemented it. Failure of national governments to transpose the legislation into law prevents organisations from making the necessary changes, therefore increasing the possibility of serious breaches.
Fortunately, this isn’t a problem in the UK and many other countries. The UK government was one of the few to implement the Directive before the compliance deadline, and it has published plenty of guidance to help organisations understand their requirements.
Any organisation that wants help meeting the UK’s version of the Directive, the NIS Regulations, should take a look at our green papers. We explain the compliance requirements in an easy-to-understand way and offer tailored advice for OES (operators of essential services) and DSPs (digital service providers):