The Transposition of the NIS 2 Directive
What is transposition into national law?
Transposition is the process which each EU Member State adopts in order to achieve the goals and requirements of an EU Directive, and to align national legislation with EU legislation.
Fighting regulatory arbitrage in the EU
Arbitrage is the simultaneous buying and selling of securities, currencies, commodities etc., in different markets, in order to take advantage of different prices for the same asset.
For example, Sam Bankman-Fried, founder and former CEO of the cryptocurrency exchange FTX (that failed having unacceptable corporate governance practices), exploited arbitrage opportunities in crypto. While Bitcoin was priced at around $10,000 in the US, it was traded for $15,000 on Korean exchanges. This was because of a huge demand for Bitcoin in Korea.
Unfortunately, there is regulatory arbitrage too. There are differences and inconsistencies in the application of law in the EU member states, and important regulatory differences.
All EU countries must transpose the directives into national law. Some countries proceed with a more strict implementation (and increase the cost for compliance), and some other countries proceed with a less strict implementation (and minimise the cost for compliance). International companies often do “regulatory shopping” and establish their presence in the EU in countries where compliance is less expensive. This can lead to a competitive disadvantage for the countries that do a more proper implementation, that costs more.
Countries that do less, and even do not meet the objectives of a directive, can have advantages, and offer a higher return of equity for firms, just because the cost for compliance is lower. Cyber Risk GmbH does not support these practices in any way, as the increased impact and likelihood of cyber risks, especially after the recent war in Europe, can not justify any plan for regulatory arbitrage. We are pleased to see that year after year the EU introduces more regulations where it is possible, directly applicable to all EU Member States, instead of directives that must be transposed into national law (with national options and discretions).
Understanding the NIS 2 transposition in every EU country
Article 41, Transposition
"1. By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 18 October 2024.
2. When Member States adopt the measures referred to in paragraph 1, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States."
We will cover in the section that follows the information about the transposition of the NIS 2 Directive in every EU country, based on information provided by each Member State.
Austria, transposition of the NIS Directive
Belgium, transposition of the NIS Directive
Bulgaria, transposition of the NIS Directive
Croatia, transposition of the NIS Directive
Cyprus, transposition of the NIS Directive
Czech Republic, transposition of the NIS Directive
Denmark, transposition of the NIS Directive
Estonia, transposition of the NIS Directive
Finland, transposition of the NIS Directive
France, transposition of the NIS Directive
Germany, transposition of the NIS Directive
Greece, transposition of the NIS Directive
Hungary, transposition of the NIS Directive
Ireland, transposition of the NIS Directive
Italy, transposition of the NIS Directive
Latvia, transposition of the NIS Directive
Lithuania, transposition of the NIS Directive
Luxembourg, transposition of the NIS Directive
Malta, transposition of the NIS Directive
Netherlands, transposition of the NIS Directive
Poland, transposition of the NIS Directive
Portugal, transposition of the NIS Directive
Romania, transposition of the NIS Directive
Slovakia, transposition of the NIS Directive
Slovenia, transposition of the NIS Directive
Spain, transposition of the NIS Directive
Sweden, transposition of the NIS Directive
Contact us
Cyber Risk GmbH
Dammstrasse 16
8810 Horgen
Tel: +41 79 505 89 60
Email: george.lekatis@cyber-risk-gmbh.com
Web: https://www.cyber-risk-gmbh.com
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.
2. The European Cyber Resilience Act
3. The Digital Operational Resilience Act (DORA)
4. The Critical Entities Resilience Directive (CER)
5. The Digital Services Act (DSA)
6. The Digital Markets Act (DMA)
7. The European Health Data Space (EHDS)
10. The European Data Governance Act (DGA)
11. The EU Cyber Solidarity Act
12. The Artificial Intelligence Act
13. The Artificial Intelligence Liability Directive
14. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
15. The European ePrivacy Regulation
16. The European Digital Identity Regulation
17. The European Cyber Defence Policy