Strengthening Cyber Governance in Europe: Board-Level Priorities and Updates for UK, Germany, Spain, France, and Italy

September 8, 2025

United Kingdom — tightening board-level governance with new bills and codes to raise the baseline
What changed:
- The UK published a new Cyber Governance Code of Practice (early 2025) aimed at putting cyber risk squarely at board level and supplying practical steps for governance and accountability. This is intended to complement existing schemes (Cyber Essentials) and the NCSC’s guidance.
- The government is progressing a Cyber Security & Resilience (CS&R) Bill that will amend the UK’s NIS regulations and align some rules with NIS2-style expectations (shorter incident reporting windows, broader supervision for critical sectors), while keeping flexibility for UK needs. The bill also signals closer alignment of the NCSC’s Cyber Assessment Framework (CAF) with legislative requirements.
Risk / impact:
- Stronger board accountability, likely stricter incident reporting and supervision for “critical” entities, and tighter supplier/third-party expectations. Expect regulators to require demonstrable governance (board training, formal risk appetite, audit trails).
Immediate actions:
- Ensure board-level reporting on cyber — map current reporting to the new Code’s governance checklist.
- Review incident response timelines and prepare to shorten reporting windows.
- Map supply-chain dependencies & third-party contracts against CAF/NCSC guidance.
Germany — NIS2 transposition underway; bigger BSI powers; cloud & automotive-specific standards evolving
What changed:
- Germany published drafts and is moving towards a German NIS2 implementation (“IT-SiG 3.0”) that would amend multiple laws (strengthening BSI powers, widening supervision and reporting). The government adopted a formal draft in July 2024, with parliamentary steps still underway.
- C5 (BSI Cloud Compliance criteria) remains the government-backed cloud attestation standard; German market uptake and references continue.
- TISAX (automotive information security assessment) is evolving — assessments are moving to updated VDA ISA versions (e.g., VDA ISA 6.0), which changes questionnaires and assessment scope (affecting suppliers).
Risk / impact:
- Broader supervisory reach and more intrusive powers for the BSI (and a higher compliance burden for operators in critical sectors). Cloud providers serving German entities will face stronger demand for C5 evidence; the automotive supply chain must adapt to VDA ISA 6.0/TISAX changes.
Immediate actions:
- Track final text of the German NIS2 transposition (IT-SiG 3.0) and BSI rulemaking; update incident-reporting procedures and point-of-contact info.
- If you’re a cloud provider or consumer in Germany, evaluate C5 attestation status and roadmap.
- Automotive suppliers: plan transition to VDA ISA 6.0 for upcoming TISAX cycles; gap-assess current scope against new ISA controls.
Spain — ENS baseline already updated; NIS2 transposition still being pushed urgently
What changed:
- Spain’s Esquema Nacional de Seguridad (ENS) is regulated by Royal Decree 311/2022, and the CNI/CCN (the ENS authority) continues to operationalize certification and conformity processes under that RD. New guidance and certification processes flow from RD 311/2022.
- Spain has been under pressure to fully transpose NIS2: the Commission has taken procedural steps, Spain has given the matter accelerated/urgent legislative attention, and in 2025 the Commission issued a reasoned opinion related to incomplete transposition. Expect Spain to finalize transposition measures following that urgency.
Risk / impact:
- Public-sector and entities contracting with the Spanish Administration must comply with ENS requirements already (security categorization, risk management, accreditation). NIS2 transposition will expand obligations on incident reporting, supply-chain risk, and governance for many private-sector entities.
Immediate actions:
- Public-sector suppliers or contractors: confirm ENS certification/conformity path under RD 311/2022 and schedule audits/controls accordingly.
- All entities operating in Spain: monitor NIS2 transposition closely — identify whether you fall into the ‘essential’ or ‘important’ categories and prepare for NIS2-style obligations (governance, supply-chain risk, incident reporting).
France — updated HDS (health-data hosting) + NIS2 transposition status to watch
What changed:
- France updated its Hébergeur de Données de Santé (HDS) certification standard — a new version came into force for new applicants around November 16, 2024, tightening requirements (stronger ISO 27001 alignment, contractual transparency, and restrictions on where health data may be stored and on access to or transfers of it outside the EEA).
- France has been progressing NIS2 transposition, but as of May 2025 the Commission issued a reasoned opinion for incomplete transposition, so active legislative efforts are ongoing.
Risk / impact:
- HDS-certified cloud/hosting providers must meet tighter rules (including EEA residency / transfer transparency). Entities in healthcare must check providers’ HDS status. NIS2 transposition timing and legal detail are still evolving — the private sector should be ready for alignment with stricter incident reporting and governance.
Immediate actions:
- Healthcare data controllers/processors: confirm HDS status of hosting providers and review contractual clauses on data residency and transfers.
- Prepare for NIS2-style governance & reporting — map critical services and identify whether French transposition will add sector-specific rules for you.
Italy — NIS2 already transposed (Legislative Decree No. 138/2024); registration & agency rules now live
What changed:
- Italy transposed NIS2 into national law by Legislative Decree No. 138/2024 (published in Gazzetta Ufficiale 1 Oct 2024; entered into force 16 Oct 2024). The Decree expands scope (more entities become “essential/important”), sets supervisory rules and incident reporting duties, and assigns responsibilities to national authorities (ACN / CSIRT Italia).
Risk / impact:
- Many more companies in Italy are now captured by NIS2 obligations (including certain cloud providers and ICT suppliers). Immediate requirements include registration on national portals, strengthened governance, third-party risk management, and updated incident reporting.
Immediate actions:
- If operating in Italy, check Annex scopes in D. Lgs. 138/2024 to confirm whether you are in-scope; if so, register with ACN and prepare mandatory reporting and governance changes.
- Align internal controls to NIS2 Articles: board oversight, supplier risk processes, incident detection/reporting timelines, and crisis-management contact points.
Cross-cutting themes & recommended priority roadmap (applies to all five countries)
- Map scope now — identify whether you are “in-scope” (NIS2/UK CS&R proposals, national lists). This is the single highest-leverage action. (Italy already transposed; Spain/France/Germany/UK have active workstreams.)
- Governance & board readiness — train and document board-level responsibility, adopt the UK Cyber Governance Code checklist and NIS2 governance expectations.
- Incident reporting & playbooks — shorten detection-to-reporting pipelines; align with national regulators’ timeframes (and be ready for NIS2-style shorter windows).
- Third-party / cloud evidence — require C5 (Germany) or equivalent cloud assurances; verify HDS for French health hosting; ENS conformity for Spanish public-sector suppliers; plan for TISAX updates if in automotive.
- Regulatory watch & gap assessments — run a short gap assessment against ISO 27001 + NIS2 articles and country-specific frameworks (ENS, HDS, C5, TISAX), prioritizing critical services and suppliers.