NIS2 Transposition Procedures and Requirements

The content is specifically about NIS2 transposition, which is a distinct regulatory process involving how member states convert EU directives into national law. This topic is not adequately covered by existing topics and deserves its own dedicated entry.

transposition, national implementation, member state transposition, legislative transposition, transposition deadline, transposition procedures, transposition requirements, national legislation

Overview

Legal Framework

The transposition of Directive (EU) 2022/2555 (NIS2) into national law is governed by its general implementation provision (Article 40) and is specifically guided by Recitals 65 and 95. Recital 65 mandates that the Cooperation Group should work to facilitate an alignment of transposition among Member States by mapping national solutions, assessing impacts, and formulating recommendations. Recital 95 advises that, to avoid unnecessary disruption, existing national guidelines adopted for transposing similar security rules from the European Electronic Communications Code (Directive 2018/1972) should be taken into account, building on acquired knowledge.

Practical Application

The recitals establish a framework for a coordinated and efficient transposition process. The primary mechanism for alignment is the work of the EU Cooperation Group, which is tasked with identifying divergent national approaches and developing specific recommendations to foster convergence. In practice, this means Member States are expected to actively participate in this group's deliberations and consider its outputs when drafting national legislation. Furthermore, transposition should not be a greenfield exercise; competent authorities and legislators are directed to evaluate and, where appropriate, repurpose or adapt existing national guidelines and regulatory frameworks developed under the previous telecommunications security regime to implement NIS2's security and incident reporting measures.

Key Considerations

  • Engage Proactively with Harmonization Efforts: Member State authorities should actively contribute to and monitor the deliverables of the Cooperation Group to align their national transposition strategy with emerging EU-level recommendations and avoid fragmentation.
  • Conduct a Legislative Audit: Prior to drafting, a review of existing national laws and guidelines implementing Articles 40 and 41 of Directive 2018/1972 is essential to identify reusable elements, as advised by Recital 95.
  • Focus on Substantive Alignment: The goal of the transposition process is not merely to transpose the text but to achieve a consistent level of security and resilience across the EU. National implementations should aim for substantive equivalence in obligations and enforcement, even where procedural differences remain.

Laws (10)

Case Law (11)

FASHION ID GmbH & Co. KG v. VERBRAUCHERZENTRALE NRW eV

Fashion ID

Representation of data subjects: Articles 22 to 24 of Directive 95/46 must be interpreted as “not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.” (¶63)

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Lawful Basis (Public Interest): Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up the contested list in the main proceedings, without the consent of the data subjects, “provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of t

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Admissibility of illegally obtained evidence: Article 47 of the Charter of Fundamental Rights of the EU precludes a national court from rejecting, as evidence of an infringement of the protection of personal data, a list, such as the contested list, submitted by the data subject and containing personal data relating to him, “if that person had obtained that list without the consent, legally required, of the person responsible for processing that data, unless such rejection is laid down by national

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Right to Adequate Legal Remedy: Making the admissibility of a legal action brought by a person alleging infringement of his right to data protection subject to the prior exhaustion of the administrative remedies available does not violate Article 47 of the Charter of Fundamental Rights of the EU “provided that the practical arrangements for the exercise of such remedies do not disproportionately affect the right to an effective remedy before a court referred to in that article.” It is important,

GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)

Google Spain

Right to object: A data subject has a right to object to the processing based on legitimate interest. Data controllers must suspend processing and conduct a review as soon as an objection is received. (¶¶ 75–76)

WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)

Worten

Necessity/proportionality: Collection and processing of personal data contained in the record of working time to ensure compliance with national legislation relating to working conditions is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. Access should be granted only to authorities having powers of monitoring compliance with legal requirements. An obligation to provide immediate access to the record could be necessary if it contributes to the

BONNIER AUDIO AB ET AL. V. PERFECT COMMUNICATION SWEDEN, 19.April.2012 (“BONNIER”)

Bonnier

Balancing of fundamental rights: EU data protection rules do not preclude national legislation from providing that national courts can order IP address information to be provided to copyright owners whose rights have been infringed.

COLLEGE VAN BURGEMEESTER EN WETHOUDERS VAN ROTTERDAM V. RIJKEBOER, 7.5.2009 (“RIJKEBOER”)

Rijkeboer

Right of Access: Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller (determinati

TIETOSUOJAVALTUUTETTU [FINNISH DATA PROTECTION OMBUDSMAN] V. SATAKUNNAN MARKKINAPORSSI OY AND SATAMEDIA OY, 16.12.2008 (“SATAKUNNAN&SATAMEDIA”)

SATAKUNNAN & SATAMEDIA

Processing for solely journalistic purposes: Member States are required to provide derogations in relation to protection of personal data, solely for journalistic purposes or artistic or literary expression, which fall within the fundamental right to freedom of expression, insofar as necessary for reconciliation of the two rights. Activities may be classified as “journalistic” if their sole object is the disclosure to the public of information, opinions or ideas, irrespective of the medium used

LINDQVIST, 6.11.2003 (“LINDQVIST”)

Lindqvist

Balancing of fundamental rights: Data protection and freedom of expression must be balanced against each other, and data protection law provides in itself multiple mechanisms allowing a balancing of the different fundamental rights to be carried out. Therefore it is not a disproportionate violation of the principle of freedom of expression. (¶¶ 82–87 and ¶ 90)

RECHNUNGSHOF V. ÖSTERREICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)

Rundfunk

Lawful basis for proceeding (Necessity requirement): The CJEU held that for an employer to publish the names and incomes of employees to a third party is an interference with the right to respect for private life, protected by article 8 of the European Convention on Human Rights (para 74), but it might be justified if it was both necessary for and appropriate to the aim of keeping salaries within reasonable limits, (that being for the national courts to determine)

Guidance (40)

Guidelines 02/2022 on the application of Article 60 GDPR (Dutch version)

Guidelines on the application of Article 60 GDPR

One of the most important innovations brought by the GDPR was the introduction of the concept of the 'one-stop-shop mechanism'. In cases of cross-border processing, the supervisory authority in the Member State of the main establishment of the controller or processor is the authority that leads the enforcement of the GDPR with respect to the cross-border processing activities in question. In doing so, it cooperates with all the authorities that ...

Guidelines 02/2022 on the application of Article 60 GDPR

Guidelines on the application of Article 60 GDPR

With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...

Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive

Guidelines on technical scope of art. 5(3) of ePrivacy Directive

Guidelines 10/2020 on restrictions under Article 23 GDPR

Guidelines on restrictions under Article 23 GDPR

Guidelines 3/2019 on processing of personal data through video devices

Guidelines on processing of personal data through video devices

Guidelines 01/2022 on data subject rights - Right of access

Guidelines on data subject rights - Right of access

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

Version history

Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

Guidelines on certification and identifying certification criteria

Version history

Guidelines on the interplay between the application of Article 3 and Chapter V GDPR

The GDPR does not contain a legal definition of the notion of 'transfer of personal data to a third country or to an international organisation'. The EDPB therefore provides these guidelines to clarify the scenarios to which it considers the requirements of Chapter V should be applied and, to that end, has identified three cumulative criteria that a processing activity must meet to qualify as a transfer: - 1) A controller...

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

Guidelines on the calculation of administrative fines under the GDPR

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...

Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

Guidelines on the criteria of the right to be forgotten in the search engines cases under the GDPR (part 1)

Guidelines 06/2022 on the practical implementation of amicable settlements

Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

Guidelines on the use of facial recognition technology in the area of law enforcement

More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data, therefore, it encompasses the processing of special categories ...

VERSION HISTORY

Binding corporate rules for controllers

Version history

Guidelines on accreditation

Guidelines 10/2020 on restrictions under Article 23 GDPR (Dutch version)

Guidelines on restrictions of data subject rights

Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Dutch version)

Guidelines on calculating administrative fines

The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the methodology that supervisory authorities use to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine must be ...

Guidelines 3/2019 on processing of personal data through video devices (Dutch version)

Guidelines on camera surveillance

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation (Dutch version)

Guidelines on certification

Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679

Guidelines on codes of conduct and monitoring bodies

News (1)