NIS2 implementation delay: what is the status across the EU?

After years of negotiations and drafting between the European Parliament, the Commission and the Council of the EU, the second Directive on Networks and Information Systems (NIS2) came into force in January 2023. This new legislation follows and replaces the NIS Directive of 2018, expanding the scope of the organizations to which it applies.

The aim of NIS2 is to strengthen cybersecurity networks in different sectors in the EU in a harmonized way.

The NIS2 Directive will significantly change what cyber security measures are required of the public and private organizations covered by it. Once a scoping assessment has determined that NIS2 is applicable, the next step in an organization's preparation is to examine what controls are missing from its current security posture.

The deadline for the implementation of NIS2 expired on 17 October, but only 6 EU Member States met this deadline, and 3 of the Member States have an unclear implementation path for the regulation. 14 of the states are expected to implement the law in the first half of 2025.

Fortunately, Bulgaria is one of the member states that are close to implementing the law, despite the complicated political situation in the country. The changes under the law are well documented and all preliminary deadlines have been met. The draft law has been finalized and awaits final approval by the Council of Ministers before it enters into force.

Bulgaria is among the leaders, as the Ministerial Council is expected to finally approve the implementation of the law in the country by the end of the first quarter.

The complexity and scope of the new cyber security requirements clearly make compliance challenging for Member States as well as organizations. Our map below shows the state of NIS2 implementing legislation in each Member State and when this legislation is expected to come into force.

[Map: NIS2 implementing legislation across the EU]

A large number of countries in the European Union are expected to complete the transposition of the NIS2 Directive into their respective legislations in the first quarter of the year, which is a telling sign of the importance of the law. The cyber resilience of companies operating in the countries of the European Union depends on this law, and the sooner it is implemented, the more secure, protected and predictable internet environment citizens in different countries will be able to count on.

Our advice to all our partners, contractors and suppliers is not to wait for the last possible moment to find out what is behind the draft law, but to take advantage of the moment before it enters into force. This will give them a competitive advantage and spare them an urgent commitment of people and resources when it comes into force. Moreover, they will gain an improved reputation with partners and suppliers. Take advantage of our services now to deal with the complications, innovations and problems of tomorrow! It's all about preparation and the right attitude to information security!

Your reputation depends on the protection and resilience of your information assets!

What can we do for you, and what services do we offer regarding the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2)?

  1. Comprehensive check and diagnosis of your compliance with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2). (NIS 2 gap analysis)
  2. Consulting on already discovered non-conformities with the directive and easily dealing with them.
  3. Trainings and seminars aimed at familiarizing staff with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2).

Compliance with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2) is a vital step in your development in response to the rising threats related to the integrity, confidentiality and availability of the information at the right time for you! 

The impact of NIS2 for essential and important entities is not much different when it comes to implementing compliance controls, as they are the same for companies in both categories.

The operational effort to comply with NIS2 will be significantly greater for essential entities as they are under constant supervision, while important entities only have to report on an ad hoc basis. However, the supervisory requirements for essential entities, and therefore the impact, can vary greatly from country to country!

Reduce the risk of your information security to the level acceptable to you!

Rely on our extensive expertise and proven track record in delivering top-tier information security consulting services.

If you have any questions or need advice about NIS 2, please contact us.