Unfortunately, the implementation of NIS2 in EU countries is not straightforward — when EU countries transpose NIS2 (i.e., when they publish their cybersecurity laws and regulations based on NIS2), each country publishes its own rules.
This creates problems for cybersecurity professionals who want to stay on track with compliance; however, it seems that all those different rules can be categorized into four approaches — this article analyzes those approaches to transposition.
- NIS2 law + referencing external frameworks like ISO 27001
- NIS2 law + publishing detailed regulations that cover all sectors
- NIS2 law + publishing sector-specific regulations
- NIS2 law only
What is NIS2 transposition?
NIS2 (Directive (EU) 2022/2555) establishes minimum cybersecurity standards for essential and important entities across the EU. However, because it’s a directive, it doesn’t apply directly to companies. Instead, each EU country must transpose the directive into its own national legislation — creating local laws and regulations that companies must follow.
This basically means that each EU country interprets NIS2 in a different way.
The role of Commission Implementing Regulation (CIR) 2024/2690
To complicate matters further, the European Commission has also published Commission Implementing Regulation (EU) 2024/2690, which applies directly to sectors called “digital infrastructure” and “digital services.”
If your organization falls under one of these digital sectors, you must comply with both:
- The local NIS2 transposition laws, and
- CIR 2024/2690, which is a directly applicable EU law.
For companies outside these digital sectors, CIR 2024/2690 is not mandatory, but it can still serve as a valuable reference point for building a robust cybersecurity framework.
Learn more in this article: Overview of NIS2 Commission Implementing Regulation (CIR) 2024/2690 for digital critical infrastructure companies.
Common elements across EU countries
But there is some good news: despite the diversity in national laws, several elements are consistently present across member states:
- Incident reporting mechanisms: Most countries follow similar timelines and formats for notifying authorities.
- Oversight structures: Regulatory bodies are typically assigned to monitor compliance and issue penalties.
- Baseline cybersecurity measures: These include several measures outlined in NIS2.
Interestingly, many countries also include requirements not explicitly mandated by NIS2, such as:
- The designation of a security manager within the organization
- Maintaining a register of digital assets for better control and accountability
These additions reflect a growing consensus on best practices, even beyond the directive’s minimum requirements.
4 approaches to NIS2 transposition
Now let’s analyze the differences in how the EU countries handle the transposition.
As of mid-2025, roughly half of the EU countries have published their own laws and regulations based on NIS2. Each of those countries published a local law based on NIS2, but what differs is how they handled the rest of the legislation; four distinct approaches emerge:
1) Framework-based implementation
Some countries published a high-level cybersecurity law and referred to external frameworks for implementation details. For example, Belgium offers a choice between its national Cybersecurity Fundamentals (CyFun) framework and ISO 27001 — companies can select the approach that best fits their operational model. This approach enables more flexibility, especially since ISO 27001 is used internationally.
Read more: What are the additional requirements of Belgium’s cybersecurity law when compared to NIS 2?
2) Detailed regulations
Other countries published both the NIS2-based law and detailed regulations specifying how to implement it. For example, Italy and Croatia published detailed regulations specifying rules for cybersecurity measures (however, Croatia’s regulation is much more detailed than Italy’s). This approach reduces ambiguity but may increase complexity for cross-border operations.
Read more: Overview of the Italian NIS2 law and comparison with the EU NIS2 Directive, and What are the additional requirements of Croatia’s Cybersecurity Act when compared to NIS 2?
3) Sector-specific regulations
Some countries published separate laws or regulations on top of the basic NIS2 law. For example, Denmark has a dedicated cybersecurity law for the energy sector, with tailored requirements. This model ensures relevance but can fragment compliance efforts for multi-sector companies.
4) Single-document enforcement
Some countries opted for a single document that covers all requirements without additional regulations. For example, Malta issued a ministerial order that functions as the sole source of cybersecurity obligations based on NIS2. As of this writing, no further detailed guidance has been published. While simple, this approach may lack the granularity needed for complex implementations.
The table below shows an overview of these 4 approaches.
| Approach type | Country example | Referenced frameworks | Sector-specific | Level of detail |
|---|---|---|---|---|
| Framework-based implementation | Belgium | CyFun, ISO 27001 | – | Moderate |
| Detailed regulations | Italy, Croatia | – | – | Moderate to high |
| Sector-specific regulations | Denmark | – | Yes | Moderate to high |
| Single-document enforcement | Malta | – | – | Low |
What if you operate in multiple countries?
For companies with operations across several EU member states, compliance becomes a multi-layered challenge. There’s no single answer to that problem, but two strategies can help:
- Use CIR 2024/2690 as a reference model. Even if your company isn't in the digital infrastructure sector, CIR 2024/2690 offers detailed rules that, in many cases, are matched by laws and regulations in EU countries. Therefore, it can serve as unifying guidance across jurisdictions, even for non-digital businesses.
- Leverage cross-country mappings. Advisera is currently developing resources that compare national NIS2 transpositions, and other providers will probably provide similar materials. Tools like these will help companies identify overlaps, gaps, and opportunities for harmonization.
Final thoughts
NIS2 transposition is not a one-size-fits-all process. While the directive sets a common foundation, each EU country builds its own structure on top of it. Understanding these national differences — and the patterns behind them — is essential for building a coherent, compliant cybersecurity strategy.
Whether you’re navigating sector-specific rules in Denmark or choosing between frameworks in Belgium, the key is to stay informed, stay flexible, and use frameworks like CIR 2024/2690 and ISO 27001 to guide your implementation.
Get country-specific cybersecurity and incident reporting templates with our NIS 2 Documentation Toolkit — adapted to local NIS2 laws across the EU.