NIS 2 Update for Europe (March 2025)

The EU has set new standards in the area of cybersecurity with the Network and Information Security Directive 2.0 (NIS 2 Directive). To protect digital Europe, Member States were required to transpose the NIS 2 Directive into national law by 17 October 2024. However, many Member States have failed to meet this target and the EU Commission will initiate infringement proceedings against 23 Member States.

What has been happening in Germany and the other European Member States since the European Commission’s announcement? You will always find up-to-date information for the whole of Europe in the LexMundi NIS2 tracker.

Progress and delays ‒ the implementation of the NIS 2 Directive in Europe

Belgium, Italy, Croatia and Lithuania have been implementing the NIS 2 Directive for some time now.

The good news is that a lot has happened since the European Commission’s press release. The legislative process is underway in all European Member States. Greece, Latvia, Romania, Slovakia and Hungary have now (largely) managed to implement the NIS 2 Directive.

However, there are still some stragglers. While in Finland, Poland, Slovenia and Cyprus there are justified hopes of implementation in the first or second quarter of this year, in Denmark, Estonia, the Netherlands, Austria, Sweden and the Czech Republic full implementation is not expected until summer or autumn 2025.

Bulgaria, France, Ireland, Luxembourg, Malta, Portugal and Spain are likely to be even later. It is currently unclear when the NIS 2 Directive will be implemented in these countries.

Despite positive developments, the EU-wide implementation of the NIS 2 Directive remains a distant goal.

Political turbulence is slowing things down: German NIS 2 implementation is also stalling

Germany is also among the latecomers. In Germany, the coalition government planned to implement the directive as part of the NIS 2 Implementation and Cybersecurity Strengthening Act (see for example here).

After the first reading on 11 October 2024, the Federal Government’s draft bill was referred to the Committee on Internal Affairs for consultation. However, it is now clear that the adoption of the NIS 2 Implementation and Cybersecurity Strengthening Act will be delayed once again. After the end of the German “traffic light” coalition consisting of the Social Democrats, the Greens and the Free Democrats, no political majority was found in favour of the adoption of the law. Experts do not currently expect the NIS 2 Directive to be implemented by a new German government in autumn or winter 2025, which would mean that Germany would be the last country in Europe to implement it nationally. However, there are currently increasing indications that the Federal Ministry of the Interior is working on a “100-day plan”, which also includes the topic of cybersecurity and NIS 2 implementation. After failing to progress in the last legislative period, the project is now to be significantly accelerated. According to reports, the Ministry of the Interior aims to finalise the legislative process in the first few months after the new government is formed. This could render the previously discussed timetable, which anticipated adoption in autumn/winter 2025, obsolete. We will keep you updated on this.