Who falls under the scope of NIS 2?
This directive applies to a wide range of sectors categorised by their level of criticality and size. To learn more about the full scope and find out if your company falls within it, read this comprehensive article.
Although NIS 2 has been in effect since January 2023, EU member states were given until 17 October 2024 to transpose it into national law. However, as of April 2025, only 10 of the 27 EU member states have completed this process (see table below). This delay means that if your business is not operating in one of these countries (Belgium, Croatia, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Romania and Slovakia), you may still lack clarity on how the directive will be applied nationally. That is because member states can impose stricter rules or broader scopes beyond the directive’s minimum requirements.
Current status across EU member states
Here is an overview of each EU country’s progress in implementing NIS 2 and the standards or frameworks its national implementation references (the transposition status reflects the April 2025 list above):

Country | NIS 2 stage | Accepted standard
---|---|---
Austria | | To be determined
Belgium | Transposed into national law | Cyber Fundamentals Framework and ISO 27001:2022 (requires full company scope). A company can also be audited directly by the Centre for CyberSecurity of Belgium
Bulgaria | Draft law | Reference to EU standards under the NIS2 Directive
Croatia | Transposed into national law | ISO 27001:2002
Cyprus | Draft law | Framework mapping ISO 27001, NIST SP 800-53, and NIS CG
Czech Republic | | To be determined
Denmark | | To be determined
Estonia | | National Cyber Security Strategy 2023-2027
Finland | Transposed into national law | ISO 27001
France | | To be determined
Germany | | To be determined
Greece | Transposed into national law | Reference to EU standards under the NIS2 Directive
Hungary | Transposed into national law | Reference to EU standards under the NIS2 Directive
Ireland | | NIST CSF 2.0
Italy | Transposed into national law | National Framework based on NIST CSF adapted to the Italian context
Latvia | Transposed into national law | References European and international standards without specifying frameworks
Lithuania | Transposed into national law | National framework aligned with ISO 27001 and ENISA
Luxembourg | | To be determined
Malta | | Reference to international and European standards
Netherlands | | Reference to international and European standards
Poland | | To be determined
Portugal | | National Reference Framework for Cybersecurity; reference to European and international standards
Romania | Transposed into national law | Framework based on ISO 27001 and NIST SP 800-53
Slovakia | Transposed into national law | Reference to international standards
Slovenia | | Standard agnostic; supporting document suggests using ENISA guidelines, ISO 27001/27002, CIS Controls
Spain | | Reference to EU certification schemes and the Esquema Nacional de Seguridad (ENS)
Sweden | | Reference to European and international standards
The European Cyber Security Organisation (ECSO) regularly updates this information here.
How cybersecurity frameworks like ISO 27001 and CyFun support NIS 2 compliance
Although many countries are still in the drafting phase of their laws, there is no reason to wait. Organisations can begin preparing for compliance by aligning with widely recognised cybersecurity frameworks such as ISO 27001, NIST or Belgium’s CyberFundamentals (CyFun).
For organisations already following these frameworks, complying with NIS 2 becomes far less overwhelming. In fact, these standards can serve as useful building blocks, helping you prepare before your national laws are finalised.
ISO 27001
ISO 27001 is widely recognised as a gold standard for information security management systems (ISMS). Many countries either reference it directly or align with it in their national frameworks. It provides a structured approach that aligns well with many of the requirements outlined in NIS 2:
- Risk Management: ISO 27001 and NIS 2 both emphasise identifying network and information systems risks and implementing controls to mitigate them.
- Incident Response: ISO 27001 includes specific controls for incident response, which directly support NIS 2’s mandates for incident reporting.
- Supply Chain Security: ISO’s supplier management controls help organisations meet NIS 2’s requirements for securing third-party relationships.
- Continuous Improvement: required by NIS 2 and embedded in ISO 27001 as a management system.
- Accountability: While ISO certification is voluntary, it demonstrates a commitment to best practices that align with the corporate accountability measures required by NIS 2.
CyberFundamentals (CyFun) Framework
In Belgium, the government introduced the CyberFundamentals Framework (CyFun) to guide organisations toward structured cybersecurity maturity. It’s based on internationally recognised standards like ISO 27001/27002, the NIST Cybersecurity Framework, CIS Controls, and IEC 62443, but tailored to Belgian businesses. CyFun is tiered into Basic, Important, and Essential maturity levels, making it accessible to companies of different sizes and risk profiles. Importantly, CyFun directly supports the goals of NIS 2, and Belgian companies using it are already aligned with key aspects of the directive.
Here is how CyFun maps to NIS 2 requirements:
- Risk Management: both CyFun and NIS 2 require risk-based thinking and control implementation.
- Governance and Responsibility: CyFun emphasises roles, responsibilities, and leadership involvement, which are key themes in NIS 2.
- Technical and Organisational Measures: The frameworks align closely on controls such as access management, logging, patching, and asset inventory.
- Incident Handling: Incident response planning and reporting processes are core to both.
By following CyFun, Belgian organisations align with nationally recognised best practices and lay a strong foundation for broader NIS 2 compliance, even though CyFun is not formally accepted outside Belgium.
Practical steps to start your NIS 2 compliance journey
Given the complexity of NIS 2 compliance, especially for organisations operating in multiple countries, it is crucial to start early. Whether you are working with CyFun, ISO 27001, or another framework, you can take concrete steps toward NIS 2 compliance today:
1. Assess current maturity
Conduct a maturity assessment to establish your current maturity level and derive prioritised next steps from the results.
2. Map risks
Identify and document risks across operations, systems, and third-party vendors.
3. Evaluate and update controls
Close gaps by addressing deficiencies in policies, controls, and technical safeguards.
4. Establish governance
Define roles, responsibilities, and escalation paths in case of incidents.
5. Create visibility
Use dashboards and automation to gain real-time oversight of compliance and control effectiveness.
6. Manage third parties
NIS 2 requires organisations to assess and monitor risks introduced by external suppliers and partners.
7. Stay informed
Monitor the progress of NIS 2 transposition in your country and adapt as new requirements emerge. Especially if operating in multiple EU jurisdictions, staying informed about local laws is key.
How Maiky can help
Maiky can help organisations prepare for NIS 2 and maintain ongoing compliance monitoring with:
- Maturity assessment: Assess your program’s maturity with visual graphs, helping identify improvement areas and guiding future program changes and budget decisions.
- Gap analysis: analyse the gaps between the current policy set and the requirements specified in one of the over 150 standards supported by the Maiky platform.
- NIS 2 Quick Start with pre-built policies, controls, and risks
- Third-party management: Manage your third-party suppliers, and send surveys to ensure your risks are covered by the proper controls at the third party.
- Trust Center: Maintain a public-facing webpage to showcase your security program to your customers and prospects.
- Automation of controls: Free your teams of repetitive work and ensure accuracy by automating tasks, evidence collection, and validation.
- Dashboard: Real-time monitoring using your favourite dashboard tools
Whether you are just starting or refining an existing program, we can help you move from uncertainty to confidence.
Final thoughts
The NIS 2 Directive sets a high standard for cybersecurity across Europe, but it’s not an impossible bar. Frameworks like ISO 27001 and CyberFundamentals (CyFun) offer practical, scalable roadmaps to get there. If your organisation is already working with these standards, you are not starting from scratch; you are simply adapting and improving to meet new legal expectations.
Start now, not later. NIS 2 compliance is a journey that requires time, strategy, and the right tools.