Cullen International’s latest Benchmark continues its analysis of NIS2 transposition across 18 EU countries, focusing on cybersecurity risk-management, incident reporting, and enforcement.

Most countries have not gone beyond NIS2 security obligations, however, additional requirements apply or could apply in six countries. Of the countries surveyed, some of them, for example Belgium, Germany, and Portugal, refer to technical standards (e.g. ISO 27000 series) or other national instruments to demonstrate compliance with NIS2.

In all countries covered, incidents reporting is in line with the NIS2 multi-step approach but in certain countries, such as in Portugal and Romania, additional notifications apply.

On enforcement, Cullen International’s research shows that in all the 18 EU countries surveyed, maximum fines are aligned with those set in NIS2. However, in Belgium and Italy, maximum fines can be doubled, or even tripled in Italy, for repeat violations.

In six countries, members of management bodies can be fined for non-compliance with their duties. Further, in nearly all countries surveyed, with few exceptions for example, Ireland and Spain, public authorities could be subject to fines similar to essential and important entities.

Five countries have also introduced additional penalties to strengthen compliance with NIS2.

For more information on the benchmark and Cullen International's complete NIS2 coverage, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.