The Directive on measures for a high common level of cybersecurity across the EU (NIS2) aims to increase the level of cyber resilience across the EU. It does so by requiring all entities in the EU that provide critical services (e.g. energy, telecoms, cloud) to take appropriate cybersecurity measures.

Cullen International released a series of reports comparing how different aspects of NIS2 have been transposed by EU countries.

Request more information & access to the NIS2 report series

Analysis of the NIS2 Directive

Part 1: Transposition status of the NIS2 Directive

Cullen International is tracking and comparing the progress made by the 27 EU member states in transposing the NIS2 Directive.

Member states had until 17 October 2024 to transpose the directive. However, as of October 2025, 15 countries (Belgium, Croatia, Cyprus, Czech Republic, Denmark, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Romania, Slovakia and Slovenia) have adopted national legislation to transpose NIS2.

Part 2: Entities in scope and authorities that oversee compliance

The Benchmark shows whether the scope of national transposition rules differs from that of NIS2, and maps competent authorities for sectors such as digital infrastructure (including telecoms), digital providers and ICT service management.  


In nine of the surveyed countries, the telecoms sector would be supervised by the national regulatory authority (NRA).

Part 3: Security risk-management and incident reporting requirements

Cullen International surveys differences in how the NIS2 transposition measures in 18 EU countries address cybersecurity risk-management and incident reporting requirements. 

The Benchmark shows that most of the countries surveyed have not introduced cybersecurity requirements beyond NIS2, except for Belgium and Poland. The Benchmark also shows that:
  • Belgium, Germany, and Portugal provide references to international standards or other instruments to demonstrate compliance with NIS2 requirements; andelgium, Germany, and Portugal provide references to international standards or other instruments to demonstrate compliance with NIS2 requirements; and
  • Portugal and Romania have introduced reporting requirements that go beyond those set out in NIS2.ortugal and Romania have introduced reporting requirements that go beyond those set out in NIS2.

Part 4: Enforcement

In cases of non-compliance with NIS2 obligations, national competent authorities may impose administrative fines and other penalties. Cullen International tracks the enforcement regimes established under NIS2 transposition laws in 18 EU countries. 

The Benchmark covers applicable maximum fines, whether members of management bodies and public sector authorities may be subject to administrative fines, and other types of penalties beyond administrative fines.
  • In Belgium and Italy, NIS2 maximum fines can be doubled (or even tripled in Italy) in the event of a repeated violation. taly) in the event of a repeated violation. 
  • In six countries, members of management bodies can be fined for non-compliance, while in most of the countries observed public administration entities are subject to fines like other NIS2 entities.
  • In addition, five EU countries could impose additional penalties to enforce compliance with NIS2 obligations.enalties to enforce compliance with NIS2 obligations.

All you need to know about the NIS2 Directive

Cullen International provides a detailed overview of the requirements and obligations under the NIS2 Directive, including the cybersecurity risk-management measures and incident reporting obligations.

Part 1: Scope

The NIS2 Directive classifies the entities covered into essential and important. As a rule, all medium and large size entities will have to comply with the NIS2 security risk-management and reporting requirements. However, the directive adjusts the classification as essential or important depending on the criticality and size.

Part 2: Security risk-management and incident reporting requirements

The NIS2 Directive establishes baseline security risk-management measures for all the entities operating across the sectors falling within its scope. The directive applies an “all-hazard” approach; thus the measures should also address physical and environmental security (e.g. natural disasters, system failures). 


Essential and important entities are expected to implement a minimum set of security measures listed in the directive and primarily focusing on establishing a cybersecurity risk mitigation strategy.

Part 3: Specific obligations for cross-border digital entities and ICT supply chain

The NIS2 Directive subjects certain cross-border digital entities (e.g. cloud, data centres, online search engines) and managed (security) services to a higher degree of harmonisation through an implementing regulation. It details the technical and methodological requirements to demonstrate compliance with the NIS2 security obligations. 

The requirements are based on European and international standards, such as ISO 27001 (by the International Organisation for Standardisation), ETSI EN 319401 (by the European Telecommunications Standards Institute). 

In addition, the implementing regulation includes specific incident reporting thresholds based on the type of entity (i.e. the thresholds for a cloud provider would differ from the ones of a data centre). 

Part 4: Supervision and enforcement 

Member states should designate a NIS2 competent authority responsible for overseeing compliance. As a rule, essential and important entities fall under the jurisdiction of the member states where they are established. However, an exception is made for the telecoms sector and cross-border digital entities subject to the Commission’s implementing regulation.


Telecoms operators fall under the jurisdiction of the member state in which they provide their services, whereas cross-border digital entities will be overseen by the member state where they have their main establishment.

​Request 
one of our 
NIS2 reports  

To request one of our NIS2 reports and/or a demo of our Digital Economy intelligenceplease just complete the form.

(Note: Our services are predominantly designed for the use of government entities, regulators, communications service providers or manufacturers. We reserve the right to offer access to our research only to selected organisations. Feel free to contact us if you have any question regarding your eligibility for free extracts or a demo.) 

Who? 

Founded in Brussels in 1986, we’ve built our reputation on our expertise and neutrality, as well as the ability to convey complex information in a concise way. This has won us the trust of customers in over 90 countries.
Discover how we make regulation simple

Don't miss any regulatory news

Subscribe to our newsletter!

Sign up!

Contact Us

Cullen International Brussels office

Clos Lucien Outers 11-21/1

1160 Brussels

Belgium


Phone: +32 2 738 72 00

Email: discover@cullen-international.com


Privacy

Terms


Cullen International - Copyright ©2025

Thank You!

Thank you ! Your form has been submitted