22 Mar 2019

NIS Implementation Tracker

On the 6th July 2016, the EU officially adopted the EU Directive on Network and Information Systems (NIS). Since its adoption, Member States have had the task of transposing and implementing the Directive by either updating their current national legislation and/or adopting new legislation. The NIS Directive has far-reaching obligations and requirements for both Operators of Essential Services (OES) and Digital Service Providers (DSP).

This NIS Directive national legislation tracker maps out each Member State's national legislative implementation efforts and briefly outlines the national OES and DSP requirements. Relevant contact points for reporting any cyber incidents are also highlighted.

DIGITALEUROPE and ECSO have partnered together in order to develop a comprehensive mapping of national cybersecurity legislation and strategies, with a particular focus on national NIS implementation measures.

Please note that the information on this tracker is updated on a monthly basis. The information below is a summary; the more detailed description can be found in the Excel document.

Last update: 25 March 2019

Next update: 1 August 2019

 

Countries Tracked

Austria

NIS implementation legislation Status: Transposed (Federal Act for a High Common Level of Security of Network and Information Systems: date of application – 29/12/2018).

OES Summary: The scope for Operators of Essential Services is the same as laid down in the NIS Directive, with the inclusion of public administration. Any ‘data incidents’ must be reported to the competent CSIRT without undue delay.

DSP Summary: There are no registration requirements for DSPs within Austria. Failure to comply or any ‘data incidents’ may result in administrative fines of 50 000 EURO and, in case of recurrence, up to 100 000 EURO.

Most recent national strategy: Transposition still in progress.


Belgium

NIS implementation legislation Status: In Progress.

OES Summary: Transposition still in progress.

DSP Summary: Transposition still in progress.

Most recent national strategy: Belgian National Cyber Security Strategy – implemented 23/11/2012


Bulgaria

NIS implementation legislation Status: Transposed (Cyber Security Act (94/2018): date of application – 31/10/2018).

OES Summary: The list of OES, along with the scope and OES requirements, is the same as set out in the NIS Directive (ENISA guidance here).

DSP Summary: Under the Bulgarian NIS transposition legislation, Digital Service Providers (DSP) do not have any registration requirements. If a DSP experiences a ‘data incident’, it must report to the Bulgarian CSIRT (contact details here) within 2 hours of the occurrence of the incident, with baseline details of the incident. The DSP must then submit a full conclusive report 5 full days after the initial report.

Most recent national strategy: National Cyber Security Strategy “Cyber Sustainable Bulgaria 2020” – implemented 13/07/2019.


Croatia

NIS implementation legislation Status: In Progress.

OES Summary: Transposition still in progress.

DSP Summary: Transposition still in progress.

Most recent national strategy: The National Cyber Security Strategy of the Republic of Croatia – implemented 07/10/2015


Cyprus

NIS implementation legislation Status: Transposed (The Security of Network and Information Systems Law of 2018: date of application – 05/04/2018).

OES Summary: Additional industries that are considered OESs include electronic communications, wastewater, food, government and national security/emergency services and environmental. OESs must report any ‘data incidents’ to CSIRT (contact details here) without undue delay.

DSP Summary: Digital Service Providers must report any ‘data incident’ to national CSIRT (contact details here) without undue delay. Failure to comply with national requirements can result in imprisonment of up to 6 months and/or a fine of up to 8 000 EURO or 10 000 EURO in certain situations.

Most recent national strategy: National Cybersecurity Strategy still to be published.


Czech Republic

NIS implementation legislation Status: Transposed (date of application – 01/08/2017).

OES Summary: Some additional industries that are considered OESs include digital infrastructure and chemical industry.

DSP Summary: DSPs must report to the National Cyber and Information Security Agency (contact details here). Failure to comply with legislation can result in an administrative fine of up to 200 000 EURO.

Most recent national strategy: The National Cyber Security Strategy of the Czech Republic for 2015 to 2020


Denmark

NIS implementation legislation Status: Transposed

Danish Requirements for Security of Network and Information Systems within the Healthcare sector, Act (no. 440/2018):

Executive Order (no. 458/2018)

Executive Order (no. 459/2018)

date of application – 10/05/2018.

OES Summary: The Danish Government has transposed 12 new bills that are sector-focused.

DSP Summary: Through the 12 newly transposed bills, DSPs will have various reporting schemes – more information will soon become available.

Most recent national strategy: Danish Cyber and Information Security Strategy – implemented May 2018


Estonia

NIS implementation legislation Status: Transposed (Cyber Security Act – date of application: 23/05/2018).

OES Summary: Under the Estonian implementation legislation, Operators of Essential Services also include electronic communication service providers, public broadcasting, providers of digital identification and digital signing service and district heating service providers.

DSP Summary: State supervision over DSPs will only occur for service providers that are established in Estonia, or whose parent company is established in Estonia, and/or where the digital service provider has appointed a representative in Estonia. Non-compliance with the legislation can result in an administrative fine of up to 20 000 EURO.

Most recent national strategy: Cyber Security Strategy: 2014 – 2017.


Finland

NIS implementation legislation Status: Transposed (date of application: 09/05/2018).

OES Summary: Under the Finnish national legislation, industries such as online marketplaces, search engines, cloud providers and other digital infrastructures are considered OES.

DSP Summary: Requirements same as expressed in NIS Directive.

Most recent national strategy: Information Security Strategy for Finland – implemented September 2016


France

NIS implementation legislation Status: Transposed (Decree No. 2018-384: date of application – 25/05/2018).

OES Summary: Industries that are considered OES within the French legislation include industries involved in the civil activities of the State, judicial activities, military activities of the State, food, electronic, audio-visual and information communication, space and research, and finance industries. For non-compliance, OES can face an administrative fine of either 75 000 EURO, 100 000 EURO or 150 000 EURO.

DSP Summary: DSPs must have either a registered office and/or an authorised representative based in France. For non-compliance, DSPs can face an administrative fine of either 50 000 EURO, 75 000 EURO or 100 000 EURO.

Most recent national strategy: Stratégie Nationale pour la sécurité du numérique


Germany

NIS implementation legislation Status: Transposed (date of application – 10/05/2018).

OES Summary: No additional changes from the NIS Directive.

DSP Summary: DSPs must report any ‘data incidents’ immediately to the Federal Office for Information Security (contact details here). Negligence from DSPs can result in an administrative fine of up to 50 000 EURO.

Most recent national strategy: Cybersecurity Strategy for Germany – implemented September 2016


Greece

NIS implementation legislation Status: In Progress

OES Summary: Transposition still in progress.

DSP Summary: Transposition still in progress.

Most recent national strategy: Greek Cybersecurity National Strategy – implemented March 2018.


Hungary

NIS implementation legislation Status: Transposed.

OES Summary: OES within the Hungarian national legislation are the same as described in the NIS Directive. Any ‘data incident’ should be reported to the competent authority immediately; however, further stipulations on ‘extraordinary incidents’ are described.

DSP Summary: DSPs described in the Hungarian national legislation must report any ‘data incidents’ to the General Directorate for Disaster Management of the Ministry of Interior. Non-compliance with the legislation can incur administrative fines ranging from 165 EURO to 16 500 EURO, which can be imposed every two months (dependent on the incident).

Most recent national strategy: No Cybersecurity national strategy has been published.


Ireland

NIS implementation legislation Status: Transposed (Statutory Instrument No. 360 of 2018 – date of application: 18/08/2018).

OES Summary: Sectors that revolve around energy, transport, banking, financial market infrastructure, health, water and digital infrastructure are all considered OES.

DSP Summary: The description and requirements for DSPs are not changed from the NIS Directive.

Most recent national strategy: National Cyber Security Strategy 2015-2017


Italy

NIS implementation legislation Status: Transposed (date of application: 24/06/2018).

OES Summary: No additional changes from the NIS Directive.

DSP Summary: For any data incidents, DSPs must report immediately to the Italian CSIRT (contact details here) and to the relevant authority (contact details here). Non-compliance can result in an administrative fine of up to 150 000 EURO.

Most recent national strategy: Piano Nazionale Per La Protezione Cibernetica e La Sicurezza Informatica – implemented March 2017.


Latvia

NIS implementation legislation Status: Transposed (IT Security Law: date of application – 11/10/2018).

OES Summary: The OES scope is the same as within the NIS Directive; however, both the banking and financial market infrastructure sectors have sector-specific legislation and requirements. Any ‘data incidents’ must be reported to Latvian CSIRT (contact details here) within 4 hours or as soon as possible.

DSP Summary: With regard to DSPs, Latvian law is only applicable to the service if the provider is economically active in Latvia and/or has an authorized representative based in Latvia. Any ‘data incidents’ must be reported to Latvian CSIRT (contact details here) within 4 hours or as soon as possible. Failure to comply with Latvian legislation can result in an administrative fine of up to 10 000 EURO.

Most recent national strategy: Cyber Security Strategy of Latvia: 2014 to 2018 – implemented March 2017.


Lithuania

NIS implementation legislation Status: In Progress

OES Summary: Although national legislation is still being transposed, the Lithuanian draft will look to include the industrial sector, chemical and nuclear sub-sector, state administration, civil safety, environmental, national defence and foreign and security affairs into the OES Scope.

DSP Summary: Any ‘data incidents’ must be reported to the Lithuanian Cyber and Security Centre (contact details here) in addition to the State Data Protection Inspectorate (contact details here), without undue delay.

Most recent national strategy: National Cybersecurity Strategy – implemented 13th August 2018


Luxembourg

NIS implementation legislation Status: In Progress

OES Summary: Transposition still in progress.

DSP Summary: Transposition still in progress.

Most recent national strategy: National Cybersecurity Strategy III – implemented 26th January 2018


Malta

NIS implementation legislation Status: In Progress

OES Summary: Transposition still in progress.

DSP Summary: Transposition still in progress.

Most recent national strategy: No Cybersecurity national strategy has been published.


Netherlands

NIS implementation legislation Status: Transposed (Wet Beveiliging Netwerk- en Informatiesystemen (Wbni): date of application – 09/11/2018).

OES Summary: The requirements and scope of OES are the same as in the NIS Directive, with the exclusion, however, of the health sector. For any ‘data incidents’, OES must report without undue delay to the National Cyber Security Centre (contact details here) in addition to the relevant competent authority (contact details here). Significant ‘data incidents’ can result in an administrative fine of 5 000 000 EURO; in addition, administrative fines of up to 1 000 000 EURO can be administered for entities that fail to cooperate.

DSP Summary: For any ‘data incidents’, OES must report without undue delay to the National Cyber Security Centre (contact details here) in addition to the relevant competent authority (contact details here). Significant ‘data incidents’ can result in an administrative fine of 5 000 000 EURO; in addition, administrative fines of up to 1 000 000 EURO can be administered for entities that fail to cooperate.

Most recent national strategy: Dutch Cyber Security Agenda – implemented 21st April 2018


Poland

NIS implementation legislation Status: Transposed (Act of 5 July 2018 on the National Cyber Security System: date of application – 26/08/2018).

OES Summary: According to the Polish national legislation, OES are the same as mentioned within the NIS Directive, with the inclusion of the heating and mining sub-sectors. If an OES experiences a ‘data incident’, it must report to CSIRT MON, CSIRT NASK and CSIRT GOV (contact details here) within 24 hours of becoming aware of the incident. For failure to comply with the Act, OES can face an administrative fine of 35 000 EURO, followed by a 230 000 EURO fine for persistent violation.

DSP Summary: DSPs must have (as a minimum requirement) an appointed representative based in Poland. If a DSP experiences a ‘data incident’, it must report to CSIRT NASK (contact details here) within 24 hours. DSPs can be fined 5 000 EURO for failure to meet the obligations imposed by the Act. In addition, DSPs can then be fined 230 000 EURO for persistent violation of the Act.

Most recent national strategy: Polish National Cyber Security Strategy – implemented 30th November 2017


Portugal

NIS implementation legislation Status: Transposed (The legal regime of Cyberspace Security – Law No. 46/2018 of August 13: date of application 14/08/2018).

OES Summary: Public administration and critical infrastructures fall within the jurisdictional oversight of the cybersecurity authority; however, they are not subject to the OES requirements. If an OES experiences a ‘data incident’ they must report to CSIRT (contact details here) without undue delay.

DSP Summary: DSPs operating in Portugal must immediately inform the National Cybersecurity Centre (contact details here) of their operations and activities in Portugal. For any reporting of ‘data incidents’, DSPs must report to CSIRT without undue delay. For any serious incidents, a fine of 5 000 EURO to 25 000 EURO applies in the case of a natural person, and from 10 000 EURO to 50 000 EURO if it is a legal person. For serious offenses, a fine of 1 000 EURO to 3 000 EURO applies in the case of a natural person, and from 3 000 EURO to 9 000 EURO if it is a legal person. In case of mere negligence, the minimum and maximum limits of the fines are reduced to half.

Most recent national strategy: Portuguese National Cyber Security Strategy – implemented 28th May 2015


Romania

NIS implementation legislation Status: Transposed (Ensuring high level of security of information networks and systems: date of application 30/01/2018).

OES Summary: No divergence from NIS Directive obligations and scope for OES.

DSP Summary: DSPs must be offering relevant services in Romania alongside having a designated Romanian representative. For any ‘data incidents’, fines of 670 EURO to 11 000 EURO can be administered. Repeated breaches may be fined up to 22 000 EURO. In the case of companies with a turnover exceeding 440 000 EURO, the administrative fines may be up to 2% of the company’s turnover and, for repeated breaches, up to 5% of the company’s turnover.

Most recent national strategy: No Cybersecurity national strategy has been published.


Slovakia

NIS implementation legislation Status: Transposed (Act of January 30, 2018 on Cybersecurity and on Amendments and Supplements to certain Acts: date of application – 01/04/2018).

OES Summary: OES listed within the NIS Directive are the same as described in the Slovakian legislation, with the addition of pharmaceutical/chemical industry, public administration, electronic communication and postal service. OES must immediately report any ‘data incident’ to the national CSIRT (contact details here).

DSP Summary: DSPs will have 30 days to register their operations and activities with the Slovakian authorities. For any ‘data incidents’, DSPs must report to the national CSIRT (contact details here) without undue delay. Failure to comply with the legislation can incur an administrative fine of either 300 EURO or 1% of annual turnover, with a maximum of 300 000 EURO.

Most recent national strategy: Cyber Security Concept of the Slovak Republic for 2015-2020


Slovenia

NIS implementation legislation Status: Transposed

OES Summary: The same scope and requirements listed in the NIS Directive apply to the national legislation, with the addition of environmental protection industries. For any ‘data incidents’ OESs must report to the national CSIRT (contact details here) immediately.

DSP Summary: DSPs must register with national authorities within 30 days of operation and/or within 30 days of legislation application. Failure to comply with legislation can incur an administrative fine ranging from 10 000 EURO to 50 000 EURO for medium to large companies. For smaller companies, administrative fines range from 500 EURO to 10 000 EURO.

Most recent national strategy: Cyber Security Strategy: Establishing a System to ensure High Level of Cyber Security – implemented February 2016


Spain

NIS implementation legislation Status: Transposed (Royal Decree-Law 12/2018, September 7, on security of networks and information systems – date of application 20/09/2018).

OES Summary: No changes from NIS Directive requirements.

DSP Summary: No changes from NIS Directive requirements.

Most recent national strategy: National Cybersecurity Strategy – implemented 2013


Sweden

NIS implementation legislation Status: Transposed (Date of application 22/06/2017).

OES Summary: No changes from NIS Directive requirements.

DSP Summary: DSPs must report any ‘data incidents’ immediately to the Civil Contingencies Agency. Failure to comply with the legislation can result in an administrative fine ranging from 500 EURO to 100 000 EURO.

Most recent national strategy: A National Cyber Security Strategy – implemented 22nd June 2016


United Kingdom

NIS implementation legislation Status: Transposed (The Network and Information Systems Regulation: date of application 10/05/2018).

OES Summary: No changes from NIS Directive requirements. Any ‘data incident’ must be reported to competent authorities (contact details here) within 72 hours.

DSP Summary: DSPs must register with UK competent authorities within 3 months of the service provider's operations beginning and/or of the inception of UK legislation. Any ‘data incident’ must be reported to the competent UK authorities without undue delay. Failure to comply with the legislation can result in an administrative fine, with a maximum fine of 17 000 000 GBP.

Most recent national strategy: National Cyber Security Strategy 2016 to 2021 – implemented November 2016

For more information please contact
Martin Bell
Policy Officer for Privacy and Cybersecurity