From Leading to Lagging: Europe’s NIS 2 Compliance Spectrum

NIS 2 aims to enhance cybersecurity and business resilience for key sectors, particularly around the visibility and understanding of risk. DNS security plays a crucial role in improving NIS 2 compliance by defending against cyber threats.

July 11, 2024 | Written by: Yaëlle Harel

Preparing for compliance with the NIS 2 Directive is a top priority for any organization that either operates in Europe or counts it as a target market. Set to take full effect by October 17, 2024, NIS 2 aims to enhance cybersecurity by expanding the scope of its predecessor for key sectors, particularly around the visibility and understanding of risk. DNS service and network security are integral in this effort, as they ensure the protection and proper management of DNS traffic. Consequently, DNS security plays a crucial role in defending against cyber threats and improving NIS 2 compliance.

However, preparations for NIS 2 adoption vary widely across Europe.

Expanding Scope and Strengthening Security

NIS 2 was constructed as a much-needed update to the original NIS Directive launched in 2016, reflecting the growing complexity and hostility of the cyber threat landscape. The new directive expands its reach to new fields including manufacturers of critical products, telecommunications, public administration, and food production and distribution. Alongside this, NIS 2 is aiming to improve the baseline of security across the EU with stricter requirements in key areas including:

  • Risk Management: Implement frameworks to identify, assess, and mitigate cyber threats.
  • Incident Response: Establish plans for prompt cyber incident detection, containment, and mitigation.
  • Business Continuity: Develop plans to ensure uninterrupted operations during cyber incidents.
  • Reporting: Disclose cyber incidents to stakeholders promptly, with a requirement to notify within 24 hours of any incident significantly impacting service provision, including cross-border effects.

NIS 2 Adoption Landscape in Europe

The growing awareness of and preparation for NIS 2 across Europe mirror the trend seen with the EU General Data Protection Regulation (GDPR) in 2018. We have found that Google search trends indicate a significant increase in interest and activity around NIS 2 as the enforcement date approaches, highlighting the critical nature of this directive.

ENISA, the European Union Agency for Cybersecurity, supports NIS 2 implementation with a comprehensive four-part plan that includes:

  • Enhanced Support: Increasing capabilities to offer tailored assistance, knowledge, and preparedness to member states and specific sectors.
  • Resource Allocation: Committing extensive resources for technical advice and harmonized NIS 2 implementation.
  • Risk Evaluations: Developing risk scenarios and maintaining threat awareness in relevant sectors under NIS 2.
  • Policy and Law Assistance: Assisting in developing and implementing cybersecurity policies and laws.

Compliance Progress in Specific Countries

However, mapping NIS 2 progress across Europe reveals a highly varied landscape, with some significant differences in preparation and implementation levels.

Considering some of the criteria detailed below, it is possible to create a compliance rating for each country, using an estimation based on publicly available documentation. Here, we’ll compare the current rate of progress, highlighting the countries pulling ahead and those regions that seem less advanced today.

Our rating considers several key criteria:

  1. Legislative Progress: Alignment of national laws with NIS 2.
  2. Institutional Setup: Establishment and activity of national cybersecurity agencies.
  3. Awareness and Education: Level of awareness regarding NIS 2, including available resources such as documentation, webinars, and videos.

The rating scale is as follows:

  • 1 (Minimal)
  • 2 (Limited)
  • 3 (Intermediate)
  • 4 (Progressing)
  • 5 (Advanced)

Countries Leading in NIS 2 Compliance

The following countries are rated as advanced and exemplify good NIS 2 preparation. They have all shown a high level of proactivity and organization, resulting in solid progress ahead of the compliance deadline.

Hungary

Hungary has implemented proactive measures, including the Cyber Security Act and mandatory registration with the Regulated Activities Supervisory Authority (SARA). Full cybersecurity requirements and supervision began in January 2024, with protective measures set to start in December 2024.

Germany 

Germany’s IT Security Act 2.0 and the Federal Office for Information Security (BSI) demonstrate a comprehensive approach to NIS 2 compliance. The country has established robust risk management and incident response frameworks.

The Czech Republic 

The Czech Republic’s advanced implementation, driven by the National Cyber and Information Security Agency (NUKIB), emphasizes proactive cybersecurity measures and continuous monitoring, preparing beyond NIS 2 requirements.

Countries Actively Working Towards Compliance

Several countries are actively working towards meeting NIS 2 standards. While not yet fully compliant, their ongoing initiatives show a strong commitment to enhancing cybersecurity.

France 

France, through ANSSI, is integrating NIS 2 into the Military Programming Law, focusing on national defense and cross-sector collaboration.

Austria

Austria’s Network and Information System Security Act (NISG) emphasizes resilience and incident response, with continuous legislative updates and resource allocation for cybersecurity.

Other nations actively enhancing their cybersecurity strategies and fostering cross-border cooperation to meet NIS 2 standards include:

  • Italy: Reviewing and amending its cybersecurity framework to align with NIS 2 standards.
  • Netherlands: Working on integrating NIS 2 into national laws, although facing challenges in meeting deadlines.
  • Spain: Incorporating NIS 2 into its National Security Framework (ENS).
  • Sweden: Progressing with the proposed Cybersecurity Act led by the Swedish Civil Contingencies Agency (MSB).
  • Belgium: Updating cybersecurity measures under the guidance of the Centre for Cybersecurity Belgium (CCB).
  • Luxembourg: Broadening regulations and emphasizing ICT supply chain security.
  • Slovakia: Advancing NIS 2 implementation through the National Security Authority (NBU).

Countries Still Catching Up

Some countries are aligning their cybersecurity frameworks with NIS 2 but face challenges and are progressing slowly. Most notably:

Denmark has a phased approach to NIS 2 compliance, starting with the energy sector, led by the Danish Centre for Cyber Security.

Finland 

Finland is conducting legislative consultations led by the National Cyber Security Centre Finland (NCSC-FI) and is expected to propose updates to the Act on Electronic Communications Services.

Other regions include:

  • Ireland: Updating compliance guidelines through the National Cyber Security Centre (NCSC).
  • Portugal: Enhancing its cybersecurity framework via the National Cyber Security Centre (CNCS).
  • Romania: Public administration sectors are included in its NIS 2 strategy, led by the National Cyber Security Directorate (DNSC).
  • United Kingdom: Consulting on updates to align with NIS 2 principles. While NIS 2 is not mandatory following Brexit, many UK-based organisations rely heavily on working in European countries and are still obligated to comply.

Countries Facing Significant Challenges

Finally, these nations show minimal progress towards NIS 2 compliance and face significant obstacles. They are at risk of severely lagging behind when the October deadline arrives.

Poland is working on unifying cybersecurity incident reporting procedures by amending the Act on the National Cybersecurity System.

Norway, despite not being an EU member, is aiming for compliance as, like the UK, many businesses are reliant on European operations. However, the country faces hurdles in aligning with NIS 2. Progress is minimal, with the delayed Digital Security Act highlighting challenges in meeting NIS 2’s requirements.

How DNS Security Can Help

Although the maturity of European countries with regard to NIS 2 compliance appears to be fragmented, it is still crucial for companies not to wait, as NIS 2 compliance is expected by October 18, 2024. This is where DNS Security comes into play.

DNS security is a critical component in enhancing cyber resilience and ensuring compliance with various regulations, including the NIS 2 Directive. Effective DNS security is valuable in meeting central regulatory demands around risk assessment, incident response, business continuity and reporting. 

By leveraging DNS Threat Intelligence to secure the Domain Name System, organizations can protect against a wide array of cyber threats that exploit DNS vulnerabilities. Effective DNS security aligns with major cybersecurity frameworks and regulations across multiple regions and industries.

The NIST Cybersecurity Framework, for example, emphasizes the importance of protecting critical infrastructure, which includes DNS. GDPR mandates stringent data protection measures, where DNS security helps prevent unauthorized access and data breaches, mitigating the risk of data exfiltration attempts that may go unnoticed by measures like traditional firewalls.

DORA (Digital Operational Resilience Act) requires financial entities to ensure operational resilience, where DNS security plays a role in maintaining service continuity and mitigating risks. With banking and finance being listed as essential under NIS 2, there is substantial overlap between the two.

Meanwhile, PCI DSS requires robust security controls for payment systems, which can be fortified through DNS security to protect against data exfiltration and other threats.

Elsewhere, in the US, HIPAA’s focus on protecting health information is supported by DNS security measures that ensure data integrity and confidentiality.

Conclusion and Next Steps

The collective effort across Europe to strengthen cybersecurity through the NIS 2 Directive underscores a unified commitment to fortify digital infrastructure against escalating cyber threats. As the October 2024 deadline for transposition approaches, organizations must accelerate their compliance efforts to avoid severe penalties and ensure robust cybersecurity frameworks.

EfficientIP’s DNS security solution, including DNS Guardian, DNS Intelligence Center and DNS Threat Pulse, provides advanced threat detection and mitigation capabilities. Check out our previous blog on NIS 2 for more information on how we can help deliver compliance.

To ensure your organization is fully prepared for NIS 2, contact a security expert at EfficientIP to learn how our protective DNS security solutions can help you achieve compliance and enhance your cyber resilience.
