The Directive on measures for a high common level of cybersecurity across the EU (NIS2) aims to raise the level of cyber resilience across the EU. It does so by requiring entities operating in the critical sectors it lists (e.g. energy, telecoms, cloud computing) to take appropriate and proportionate cybersecurity measures and to report significant incidents.

Cullen International released a series of reports comparing how different aspects of NIS2 have been transposed by EU countries.


Analysis of the NIS2 Directive

Part 1: Transposition status of the NIS2 Directive

Cullen International is tracking and comparing the progress made by the 27 EU member states in transposing the NIS2 Directive. The deadline for member states to transpose NIS2 was 17 October 2024. 

Part 2: Entities in scope and authorities that oversee compliance

The Benchmark shows whether the scope of national transposition rules differs from that of NIS2, and maps competent authorities for sectors such as digital infrastructure (including telecoms), digital providers and ICT service management. 

Part 3: Security risk-management and incident reporting requirements

Cullen International surveys differences in how the NIS2 transposition measures in 19 EU member states include cybersecurity risk-management requirements beyond the core obligations of NIS2. It also outlines the approaches adopted by member states to verify compliance by essential and important entities with NIS2 obligations. 

Further, the Benchmark identifies the national competent authorities responsible for incident notification, the thresholds for notifying security incidents, and whether reporting timelines are aligned with the directive.

Part 4: Enforcement

In cases of non-compliance with NIS2 obligations, national competent authorities may impose administrative fines and other penalties. Cullen International tracks the enforcement regimes established under NIS2 transposition laws in 18 EU countries. 

The Benchmark covers applicable maximum fines, whether members of management bodies and public sector authorities may be subject to administrative fines, and other types of penalties beyond administrative fines.

All you need to know about the NIS2 Directive

Cullen International provides a detailed overview of the requirements and obligations under the NIS2 Directive, including the cybersecurity risk-management measures and incident reporting obligations.

Part 1: Scope

The NIS2 Directive classifies the entities it covers as either essential or important. As a rule, all medium-sized and large entities active in the sectors listed in the directive have to comply with the NIS2 security risk-management and reporting requirements. Whether an entity is essential or important depends on the criticality of its sector and on its size, and some types of entity (for example providers of public electronic communications networks or services, DNS service providers and qualified trust service providers) are covered regardless of their size.

Part 2: Security risk-management and incident reporting requirements

The NIS2 Directive establishes baseline security risk-management measures for all entities operating in the sectors falling within its scope. The directive takes an "all-hazards" approach; the measures must therefore also address physical and environmental security (e.g. natural disasters, power or telecommunications failures), not only cyber threats.

Essential and important entities are expected to implement at least the ten measures listed in Article 21(2) of the directive, which range from risk-analysis and information-system security policies, incident handling and business continuity to supply-chain security, cryptography, access control and multi-factor authentication, with the measures proportionate to the risks the entity faces.

Part 3: Specific obligations for cross-border digital entities and ICT supply chain

The NIS2 Directive subjects certain cross-border digital entities (e.g. cloud computing, data centre and online search engine providers) and managed (security) service providers to a higher degree of harmonisation through Commission Implementing Regulation (EU) 2024/2690. The implementing regulation details the technical and methodological requirements these entities must meet to demonstrate compliance with the NIS2 security obligations.

The requirements are based on European and international standards, such as ISO/IEC 27001 (by the International Organisation for Standardisation and the International Electrotechnical Commission) and ETSI EN 319 401 (by the European Telecommunications Standards Institute).

In addition, the implementing regulation includes specific incident reporting thresholds based on the type of entity (i.e. the thresholds for a cloud provider would differ from the ones of a data centre). 

Part 4: Supervision and enforcement 

Member states must designate one or more NIS2 competent authorities responsible for overseeing compliance. As a rule, essential and important entities fall under the jurisdiction of the member state in which they are established. However, the directive makes an exception for the telecoms sector and for certain cross-border digital entities, such as cloud, data centre and DNS service providers.

Telecoms operators fall under the jurisdiction of the member state in which they provide their services, whereas the cross-border digital entities are overseen by the member state in which they have their main establishment.

Request one of our NIS2 reports

To request one of our NIS2 reports and/or a demo of our Digital Economy intelligence, please complete the form.

(Note: Our services are predominantly designed for the use of government entities, regulators, communications service providers or manufacturers. We reserve the right to offer access to our research only to selected organisations. Feel free to contact us if you have any question regarding your eligibility for free extracts or a demo.) 

Who? 

Founded in Brussels in 1986, we’ve built our reputation on our expertise and neutrality, as well as the ability to convey complex information in a concise way. This has won us the trust of customers in over 90 countries.

Contact Us

Cullen International Brussels office

Clos Lucien Outers 11-21/1

1160 Brussels

Belgium


Phone: +32 2 738 72 00

Email: discover@cullen-international.com




Cullen International - Copyright ©2025