EU member states should have transposed the Directive on measures for a high common level of cybersecurity across the EU (NIS2) by 17 October 2024. However, among 16 countries studied by Cullen International, only Belgium, Croatia, and Italy have adopted national legislation to transpose the directive.
None of the countries surveyed would cover additional sectors compared to the ones listed in the NIS2, except for the Czech Republic, which would also cover the defence industry.
Cullen’s research shows that all member states classify essential and important entities in line with the directive. However, (draft) transposition laws in Belgium, the Czech Republic and Italy foresee the possibility for national authorities to classify additional entities as essential based on certain conditions.
In most of the surveyed EU countries that have designated NIS2 authorities (or proposed to do so), the telecoms sector remains under the supervision of the national regulatory authority (NRA).
In Ireland and Sweden, NRAs would be the NIS2 competent authorities for the entire digital infrastructure (telecoms included), digital providers and ICT service management.
Cullen International’s new benchmark details how 16 EU member states have transposed (or are in the process of transposing) certain aspects of the NIS2 Directive.
The benchmark shows whether the scope of national transposition rules differs from that of the NIS2, and maps competent authorities for sectors such as digital infrastructure (including telecoms), digital providers (e.g. online search engines) and ICT service management (e.g. managed security services).