The implementation of the NIS2 directive in European countries is proceeding in different ways. We will look in detail at selected approaches in countries such as Germany, Belgium and the Czech Republic.
Implementation of the NIS2 Directive in Germany – a centralized supervision model
In Germany, legislative work on the implementation of the NIS2 directive is at an advanced stage. The “NIS2 Implementation and Cyber Security Strengthening Act” was drafted in mid-2024 and is awaiting approval by the Bundestag. The planned implementation date is early 2025, which means some delay relative to the EU deadline.
Germany has adopted a model of centralized cybersecurity oversight, with the Federal Office for Information Security (BSI) as its central authority. BSI is responsible for overseeing key and important entities required by law to meet minimum cybersecurity requirements. With a unified oversight system, Germany can coordinate activities and respond to threats consistently at the national level.
Key aspects of the German model:
- Centralized supervision: The centralized model allows for the coordination of activities and unification of security standards across sectors. This makes responding to potential incidents faster and more efficient.
- Financial and certification obligations: German legislation requires federal institutions to allocate a minimum of 20% of IT spending to cyber security. In the future, this obligation may extend to other sectors. In addition, there is a requirement to use certified products and services, which increases the level of security.
- Sanctions and compulsory registration: Every entity covered by the law must register with the BSI within 3 months after the new regulations take effect. If this obligation is not met, the BSI has the right to register the entity itself and impose sanctions for violations.
Implementation of the NIS2 Directive in Belgium – a flexible approach to critical actors and incidents
In Belgium, the legislation implementing NIS2 was tailored to local needs and a smaller number of regulated entities. The legislative process was completed in April 2024 with the adoption of a royal decree that gave key powers to the Cyber Security Center of Belgium (CCB). Belgium’s NIS2 implementation model features a flexible approach to cyber-security management, adapted to the country’s size and organizational structure.
Characteristics of the Belgian approach:
- Legal status of key entities: Key and important entities in Belgium are given status by law, but the national cybersecurity authority may recognize other organizations as key if they perform important social or economic functions, even though they do not meet all NIS2 requirements.
- Incident reporting: Belgian regulations provide for voluntary incident reporting by entities that are not directly required to do so by law. This allows the CCB to collect valuable threat and incident data even from organizations that are not formally covered by NIS2 obligations.
- Incident Response Plan: The new legislation provides for the implementation of an incident response plan, which takes the form of an executive act issued by the King. This allows for faster response and adaptation of actions in the event of cyber threats.
Implementation of the NIS2 Directive in the Czech Republic – advanced draft law and establishment of the Cyber Security Agency
In the Czech Republic, work is well advanced on a law implementing NIS2. The draft provides for the creation of a dedicated Cyber Security Agency responsible for coordinating cyber security activities and overseeing key sectors. The Czech Republic has opted for more detailed legislation that goes beyond the minimum requirements of the NIS2 directive.
Key tenets of the Czech model:
- New Cyber Security Agency: The agency will be responsible for identifying key entities and monitoring their compliance with NIS2 regulations. The structure, modeled after BSI in Germany and ANSSI in France, will enable effective coordination of activities and rapid response to incidents.
- Division into levels of cyber security: The Czech model involves a division into high or low cyber security regimes, depending on the type of business. For example, key service providers will have to apply stricter protection measures.
- Management’s responsibility: Managers have an obligation to inform employees about threats and provide the resources necessary to carry out cyber security tasks. The creation of positions directly related to cyber security, such as cyber security manager or architect, is envisaged.
- Countermeasures and information exemptions: The Cyber Security Agency will be able to apply countermeasures, including warnings and other preventive measures. The legislation also provides for the possibility of declaring a cyber threat state and excluding public information if its disclosure could reduce the effectiveness of operations.

Analysis of common challenges and individual solutions in NIS2 implementation
Each EU member state takes a different approach to implementing the NIS2 Directive. However, some common challenges and unique solutions can be noted:
- Supervision of key and important players: Germany has opted for a centralized model, Belgium for a flexible one, and the Czech Republic for a complex classification system that tailors requirements to market specifics.
- Responsibility of managers: In all countries, increased responsibility for cyber security has been placed on the managers of key and important entities. It is their responsibility to implement appropriate procedures and training.
- Self-identification of entities: In Belgium and the Czech Republic, key entities must self-report to the relevant registries, making them more accountable for compliance. In Germany, by contrast, stricter rules have been applied, requiring entities to register with BSI.
- Preventive measures and warnings: Each country provides for the introduction of preventive measures and warnings. Examples are the BSI warnings in Germany or the NUKIB response systems in the Czech Republic, which provide adequate preventive measures in case of incidents.
Summary
Experience with the implementation of the first NIS Directive indicated the need to harmonize cyber security rules at the EU level and adapt them to new and increasingly complex cyber threats. The NIS2 Directive was therefore intended to introduce more consistent and stringent requirements, covering a wide range of sectors and actors. In practice, however, member countries are implementing the directive in different ways, tailoring it to their needs and legal requirements. Germany is taking a centralized and stringent approach, Belgium a flexible one, and the Czech Republic is introducing a dedicated agency and a layered surveillance system.
These differences in the implementation of the NIS2 directive show that member countries are exercising autonomy in creating their own cybersecurity rules, taking into account their own realities and specificities.
Sources:
- Regulatory Impact Statement (RIA) for the bill to amend the KSC law of October 3, 2024.
- Information on the website of the Federal Office for Information Security (BSI) – Germany regarding the implementation of NIS2.
- Information on the website of the Center for Cyber Security of Belgium (CCB) regarding the implementation of NIS2.
- Information on the website of the National Office for Cyber Security and Information (NUKIB) – Czech Republic.