Key facts for public administration
- Central government public administration is in scope by default under Annex I.
- Regional and local coverage is a member state option and varies across the EU.
- National public sector baselines (BIO, Grundschutz, RGS, BOSA) remain relevant and typically integrate with NIS2.
- Typical risks include legacy systems, politically motivated attacks, and supply chain exposure through IT service providers.
- Procurement rules stay the same, but contract clauses must now carry cybersecurity obligations.
Scope per member state
NIS2 includes public administration under Annex I, but leaves important discretion to member states. The directive defines central government public administration as the set of entities designated in accordance with national law. Regional and local authorities are optional. The result is significant variation across the EU, and the first step for any public body is to read the national transposition, not only the directive text.
Netherlands
The Dutch Cyberbeveiligingswet (Cbw) transposes NIS2. It covers central government ministries, executive agencies, and specific regional and local public entities designated by decree. The Cbw builds on top of the existing BIO (Baseline Informatiebeveiliging Overheid) baseline, and many duties map directly between the two. The Nationaal Cyber Security Centrum (NCSC-NL) functions as the national CSIRT and supervisor for large parts of the public sector, with RDI and sector-specific regulators in other domains. Municipalities and water boards should expect to fall in scope progressively.
Germany
Germany transposes NIS2 through the NIS2 Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which updates the BSI-Gesetz. Federal administration is in scope. State (Land) administration is covered by state-level cybersecurity legislation, which varies in maturity. The BSI remains the central authority for security standards and supervision at federal level, and its IT-Grundschutz framework forms the operational baseline that most federal bodies already use.
France
France transposes NIS2 through a dedicated cybersecurity resilience law, with ANSSI as central authority. Scope explicitly includes administrations d'État and extends selectively to collectivités territoriales through national and regional decisions. Existing frameworks such as the Référentiel Général de Sécurité (RGS) and SecNumCloud for cloud services integrate with NIS2 obligations, and ANSSI publishes sector-specific guidance for public administration that maps directly to Article 21.
Belgium
Belgium's transposition is centrally coordinated by the Centre for Cybersecurity Belgium (CCB), which is the national authority under NIS2. Federal administration falls under the transposition directly, while regional administrations (Flemish, Walloon, Brussels-Capital) align through regional laws with the CCB as central reference point. BOSA provides shared services and baseline standards used across federal administration.
Top cyber risks for government
Politically motivated attacks
Public administration is a frequent target for hacktivist and state-aligned groups around geopolitical events, elections, and major policy decisions. DDoS attacks on citizen portals, defacements, and targeted phishing against ministries are routine. NIS2 continuity duties require documented response and communication plans for these scenarios.
Ransomware on municipal services
Municipal IT environments are often less mature than federal or central administration, with shared staff across functions, limited budgets, and heavy reliance on a small number of vendors. Ransomware incidents have taken down civil registration, permits, and social services for weeks in several European municipalities.
Citizen data and identity systems
Identity systems, civic portals, and case management systems hold sensitive citizen data. Compromise has both operational and political consequences. Segmentation, privileged access management, and strong audit logging on these systems are high-value controls under Article 21.
Legacy systems
Public administrations run some of the oldest production systems in Europe. Tax, social security, and land registry systems frequently predate modern security practices. NIS2 does not force rip-and-replace, but it does require documented risk treatment, compensating controls, and a modernisation plan with realistic milestones.
Supply chain and shared services
Public bodies rely heavily on shared services, framework contracts, and a small set of large IT providers. A compromise at a shared service center or managed IT provider can propagate across many entities at once. Article 21 supply chain duties require structured oversight and updated contract templates.
NIS2 and national public-sector security laws
The common pattern across member states is layering, not replacement:
- Netherlands. Cbw (transposition) sits on top of BIO (baseline). Use BIO as the operational control set, and add NIS2-specific duties on reporting, supply chain, and board accountability.
- Germany. NIS2UmsuCG sits on top of BSI-Gesetz and IT-Grundschutz. Grundschutz remains the control catalogue. NIS2 adds reporting and accountability layers.
- France. ANSSI guidance, RGS, and SecNumCloud continue to apply. NIS2 integrates through ANSSI sector guides.
- Belgium. BOSA baselines and CCB guidance remain the operational reference. NIS2 adds reporting flows and management body duties.
The practical deliverable is a single control framework mapping your national baseline to Article 21, with evidence documented once and used many times.
A 30-day, 90-day, and 12-month roadmap
First 30 days: clarity
- Read the national transposition and confirm scope for your specific entity, including any secondary decrees designating regional or local bodies.
- Map existing baseline controls (BIO, Grundschutz, RGS, BOSA) to Article 21 and identify the delta.
- Name an accountable senior executive (director general, secretary general, or equivalent) and establish a steering committee.
- Confirm the reporting chain to the national CSIRT and sector regulator, including out-of-hours contacts.
Days 30 to 90: stabilise
- Deliver mandatory cybersecurity training to the management body.
- Publish or refresh the information security policy, approved at the top level.
- Close the top quick wins on identity and access: MFA for privileged users, removal of shared admin accounts, and reviewed privileged access to citizen-facing systems.
- Run a ransomware tabletop that exercises both operational response and public communications.
Months 4 to 12: sustain
- Roll out supply chain duties into procurement: standard security clauses, supplier assessments, and updated framework contracts.
- Accelerate legacy system treatment: documented risk acceptance, compensating controls, and realistic modernisation milestones.
- Integrate NIS2 reporting with existing national reporting regimes to avoid duplication.
- Run an internal audit against Article 21 and close findings before the first external supervisory review.
Frequently asked questions
Which public administration entities are in scope?
Central government is in scope by default. Regional and local administration coverage is a member state option. Parliaments, central banks, judiciary, and national security bodies are generally excluded.
How does NIS2 differ across member states?
The Netherlands uses the Cbw and builds on BIO. Germany uses NIS2UmsuCG and builds on BSI Grundschutz. France uses a dedicated law with ANSSI guidance and RGS. Belgium is centrally coordinated by CCB with BOSA baselines. Read the national text, not only the directive.
Essential or important?
Central government public administration is classified as essential under Annex I. Regional and local entities, when in scope, are generally also treated as essential, though details depend on national law.
What are the top cyber risks?
Politically motivated attacks, ransomware on municipalities, citizen data compromise, legacy systems, and supply chain exposure through IT service providers.
How does NIS2 relate to national baselines?
National baselines remain the operational control set. NIS2 adds duties on incident reporting, supply chain, and management body accountability. Map the two into a single framework to avoid duplication.
Does procurement law change?
Procurement rules do not change, but Article 21 supply chain duties require updated contract clauses, supplier assessments, and audit rights. Expect new model clauses and revised framework agreements.
Who is personally accountable?
The management body is accountable under Article 20. In a public administration this is typically the director general, secretary general, or equivalent senior executive. They must approve measures, oversee implementation, and complete cybersecurity training.
How long does implementation take?
A ministry with a mature baseline typically reaches NIS2 readiness in six to twelve months. Municipalities and regional bodies without strong baselines should plan twelve to twenty-four months, often moving in parallel with wider IT modernisation.