This Report constitutes a direct continuation of our prior report, The Approach of the EU and Selected Member States to 5G Network Cybersecurity, and starts a series of forthcoming evaluation of European member states’ legislative proposals for the implementation of the directive on measures for a high common level of cybersecurity across the European Union1 (NIS 2 Directive) into their domestic laws. The NIS 2 Directive, establishing unified legal measures aiming to boost cybersecurity in the EU, entered into force on 16 January 2023, and EU member states must transpose it into national law by 17 October 2024 (Article 41, NIS 2 Directive).

The 2020 EU cybersecurity toolbox, jointly agreed upon between the EU Commission (Commission) and member states, advocates a risk-based approach to cybersecurity in line with general principles of EU law. The EU cybersecurity toolbox recommends a well-balanced and coordinated set of risk-mitigating measures, notably relying on EU-wide standardization and certification. In the same vein, the NIS 2 Directive proposes a risk assessment based on objective, transparent, and proportionate criteria and is technology neutral.