NIS 2 Compliance
Compliance with the NIS 2 Directive requires adherence to security frameworks specific to each Member State. These frameworks are listed and explained below for each country of the European Union.
SPAC Alliance keeps you informed of country-by-country developments and supports you on the path to compliance, from risk analysis to any certifications that may be required to be compliant or NIS 2-labelled.
Has your country not yet adopted a law or implementing decree? Do not wait to take action to strengthen your security.
There are numerous mappings between national frameworks (published or in progress) and international standards such as ISO/IEC 27001 or the NIST Cybersecurity Framework (CSF) 2.0. This makes it possible to initiate your compliance journey, and in some cases even to achieve compliance.
Page updated on March 9, 2026.
NIS 2 Compliance Frameworks by Country
> Compliance frameworks:
Here is the list of existing frameworks :
- Belgium / Ireland / Romania / Malta: Cyberfundamentals
- Italy: National Framework for Cybersecurity and Data Protection
- Cyprus: framework based on ISO/IEC 27001, NIST SP 800-53 and NIS Cooperation Group recommendations
- Finland / Greece / Latvia / Lithuania / Slovakia / Slovenia: ISO/IEC 27001 / ISO/IEC 27002 baseline with ENISA references and CIS Controls
- Hongrie : NIST SP 800-53
- The Netherlands : CBw NIS2 Control Framework
- Croatia: ISO/IEC 27001 + ISO/IEC 27002
Here is the current status of NIS 2 transposition for each country of the European Union:
> Adopted laws:
- Austria
- Belgium
- Bulgaira
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Finland
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Malta
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Sweden
The adoption of these laws indicates an advanced transposition process but does not necessarily provide details on compliance requirements for the entities concerned.
> Draft legislation:
- Spain
- Estonia
- France
- Luxembourg
- Netherlands
Is your country listed above? Rely on other recognized frameworks to avoid losing time!
ISO 27001 and NIST CSF 2.0
ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) 2.0 provide a fairly comprehensive approach to security. These two frameworks highlight several objectives and actions that address the expectations of both NIS 2 and the CER Directive:
- Preliminary risk analysis
- Entity mapping to identify sensitive areas
- Information system mapping and asset inventory
- Access control
- Visitor management
- Training and awareness
- Resilience measures (business continuity planning, vulnerability management, etc.)
In some countries, Essential Entities certified under ISO/IEC 27001 may benefit from a presumption of compliance with NIS 2. However, this is not automatic. For example, France considers ISO/IEC 27001 to be insufficient in certain areas (notably backups) or too demanding for Important Entities.
ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) 2.0 can at a minimum help structure most security objectives. They can serve as guidance both for less mature entities and for those operating in countries where NIS 2 has not yet been transposed.
NIS 2 Support
The SPAC Alliance Shop brings together the products and services required to target compliance and achieve a level of security aligned with your needs:
- Audits, security testing, and mapping
- Training
- Support for CSPN and ISO 27001 certification
These services are exclusively provided by SPAC Alliance members!
Join SPAC Alliance
The SPAC Alliance Club is particularly well suited if you are concerned by NIS 2 and provides knowledge, tools, training, and support from all members.
You can submit your application to become a SPAC Alliance Member, contribute with us to building European sovereignty, and defend the interests of our market.
