What is transposition into national law?
Transposition is the process which each EU Member State adopts in order to achieve the goals and requirements of an EU Directive, and to align national legislation with EU legislation.
Fighting regulatory arbitrage in the EU
Arbitrage is the simultaneous buying and selling of securities, currencies, commodities etc., in different markets, in order to take advantage of different prices for the same asset.
For example, Sam Bankman-Fried, founder and former CEO of the cryptocurrency exchange FTX (that failed having unacceptable corporate governance practices), exploited arbitrage opportunities in crypto. While Bitcoin was priced at around $10,000 in the US, it was traded for $15,000 on Korean exchanges. This was because of a huge demand for Bitcoin in Korea.
Unfortunately, there is regulatory arbitrage too. There are differences and inconsistencies in the application of law in the EU member states, and important regulatory differences.
All EU countries must transpose the directives into national law. Some countries proceed with a more strict implementation (and increase the cost for compliance), and some other countries proceed with a less strict implementation (and minimise the cost for compliance). International companies often do “regulatory shopping” and establish their presence in the EU in countries where compliance is less expensive. This can lead to a competitive disadvantage for the countries that do a more proper implementation, that costs more.
Countries that do less, and even do not meet the objectives of a directive, can have advantages, and offer a higher return of equity for firms, just because the cost for compliance is lower. Cyber Risk GmbH does not support these practices in any way, as the increased impact and likelihood of cyber risks, especially after the recent war in Europe, can not justify any plan for regulatory arbitrage. We are pleased to see that year after year the EU introduces more regulations where it is possible, directly applicable to all EU Member States, instead of directives that must be transposed into national law (with national options and discretions).
Understanding the NIS 2 transposition in every EU country
Article 41, Transposition
"1. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 18 October 2024.
2. When Member States adopt the measures referred to in paragraph 1, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States."
We will cover in the section that follows the information about the transposition of the NIS 2 Directive in every EU country, based on information provided by each Member State.
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.