NIS2 Implementation Across Europe
The transposition deadline was 17 October 2024. By early 2026, the majority of EU member states had missed it - triggering infringement proceedings and creating a fragmented compliance landscape across Europe.
Last updated: April 26, 2026
17
Operational
1
Pre-Registration
6
Planned
3
Not Yet Available
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | BSI NIS-2 Portal | 2026-03-06 | NIS2UmsuCG / BSIG |
| Belgium | CCB (Centre for Cybersecurity Belgium) | Safeonweb@Work | 2025-03-18 | NIS2 Law (Loi NIS2) |
| Italy | ACN (Agenzia per la Cybersicurezza Nazionale) | ACN NIS Portal | 2026-02-28 | D.Lgs. 138/2024 |
| Czech Republic | NUKIB (Národní úřad pro kybernetickou a informační bezpečnost) | Portál NUKIB | TBD | Zákon o kybernetické bezpečnosti (nZKB) |
| Denmark | SAMSIK (Styrelsen for Samfundssikkerhed) | Virk | 2025-10-01 | Danish NIS2 Act |
| Poland | Ministry of Digital Affairs / CSIRTs | System S46 | 2026-10-03 | Amended KSC Act (ustawa o KSC) |
| Croatia | NHCSC-HR (National Cybersecurity Center) | Not yet available | TBD | Zakon o kibernetičkoj sigurnosti |
| Lithuania | NKSC (National Cybersecurity Center) | Not yet available | TBD | Kibernetinio saugumo įstatymas |
| Latvia | CERT.LV / NCSC | Not yet available | 2025-04-01 | Kiberdrošības likums |
| Greece | NCSA (National Cyber Security Authority) | Not yet available | 2025-09-30 | Law No. 5160/2024 |
| Slovakia | NBÚ (Národný bezpečnostný úrad) | Not yet available | TBD | Zákon o kybernetickej bezpečnosti |
| Romania | DNSC (Directoratul Național de Securitate Cibernetică) | Not yet available | 2025-09-19 | Emergency Ordinance No. 155/2024; Laws No. 52/2025 & No. 124/2025 |
| Finland | Traficom / Sectoral authorities | Not yet available | 2025-05-08 | Kyberturvallisuuslaki |
| Estonia | RIA (Riigi Infosüsteemi Amet) | Not yet available | TBD | Küberturvalisuse seadus |
| Hungary | SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) | Not yet available | TBD | Act XXIII of 2024 |
| Cyprus | DSA (Digital Security Authority) | NIS2 Self-Assessment Tool | TBD | Law on Security of Networks and Information Systems (Amendment) 2025 |
| Slovenia | URSIV (Information Security Agency) | Not yet available | 2025-12-19 | ZInfV-1 (Information Security Act) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| France | ANSSI (Agence nationale de la sécurité des systèmes d'information) | MonEspaceNIS2 | TBD | Loi Résilience (bundles NIS2 + DORA + CER) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Austria | Bundesamt für Cybersicherheit | Unternehmensserviceportal (USP) | 2026-12-31 | NISG 2026 |
| Netherlands | NCSC (Nationaal Cyber Security Centrum) / RDI | Not yet available | TBD | Cyberbeveiligingswet |
| Sweden | MSB (Myndigheten för samhällsskydd och beredskap) | Not yet available | TBD | Cybersäkerhetslagen |
| Portugal | CNCS (Centro Nacional de Cibersegurança) | Not yet available | TBD | Decreto-Lei NIS2 |
| Bulgaria | State e-Governance Agency / Ministry of e-Government | Not yet available | TBD | Cybersecurity Act (amended) |
| Malta | CIPD (Critical Infrastructure Protection Department) | Not yet available | TBD | Legal Notice 71/2025 (SL 460.41) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Spain | CCN-CERT / INCIBE | Not yet available | TBD | Not yet enacted |
| Ireland | NCSC (National Cyber Security Centre) | Not yet available | TBD | National Cyber Security Bill (draft) |
| Luxembourg | ILR (Institut Luxembourgeois de Régulation) | Not yet available | TBD | Bill 8364 (Projet de loi) |
Selling in a country is not the same as operating in a country
Many companies sell their products or services across the EU through a single legal entity registered in one country. In that case, registration with your home country's authority is sufficient, you are not "established" in every country you sell into.
However, if your company is fully operational in a country, meaning you have a registered legal presence, employees on the ground, and pay corporate tax there, then that country's NIS2 law applies to you as an entity established in that jurisdiction.
NIS2 Article 26 creates an important exception for specific digital service types: cloud computing providers, managed service providers, managed security service providers, data centre providers, content delivery networks, DNS service providers, online marketplaces, online search engines, and social networking platforms. These entities register in a single EU member state, the one where cybersecurity risk-management decisions are predominantly taken. If you operate one of these services, you do not need to register in every country where you are established. All other types of entities (manufacturers, food companies, energy suppliers, transport operators, hospitals, etc.) fall under the standard rule and must register in each country where they have a legal establishment.
Frequently asked questions
I have a sales office in Germany but my headquarters are in France, do I register with the BSI?▾
It depends on how the German sales office is structured. If it is a registered GmbH or Zweigniederlassung (branch) that files its own tax return in Germany, you likely need to register with the BSI in addition to ANSSI in France. If it is simply a cost centre of the French parent with no separate legal status in Germany, French registration alone may suffice. Consult a lawyer familiar with NIS2 in both jurisdictions.
Do I need to comply with different security requirements in each country?▾
NIS2 sets a harmonized baseline, but each country's transposition can add stricter sector-specific requirements. In practice, implementing the NIS2 baseline, risk management, incident reporting, access control, supply chain security, will meet requirements in most EU countries. Check each country's national law for any additional obligations.
What if a country hasn't finished transposing NIS2 yet?▾
Some EU countries were late transposing the directive (the deadline was October 2024). Until national law is in force, registration may not yet be possible. Monitor the relevant national authority's website and register as soon as the process opens. Late transposition by the government does not reduce your eventual legal obligation.
Can I register once at EU level and cover all countries?▾
No. There is no single EU-level NIS2 registry. Each country operates its own registration system. This is one of the known complexities of the directive's decentralised implementation and creates significant compliance overhead for pan-European companies.
- Directive (EU) 2022/2555 - NIS2 Directive, Official Journal of the European Union (27 December 2022)
- European Commission - NIS2 transposition tracker and infringement proceedings updates (2024-2025)
- Wavestone - NIS2 Transposition Radar: country-by-country implementation status (2025)
- NIS2UmsuCG - Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit (Germany)
- Loi NIS2 - Belgian NIS2 transposition law (April 2024)
- D.Lgs. 138/2024 - Italian NIS2 transposition decree
- ENISA - NIS2 implementation overview and cross-border coordination guidance (2025)
- BMI/BSI - Parliamentary documentation and guidance on NIS2UmsuCG implementation