NIS2 Implementation Across Europe
The transposition deadline was 17 October 2024. By early 2026, the majority of EU member states had missed it – triggering infringement proceedings and creating a fragmented compliance landscape across Europe.
A Directive Deadline Missed by Most
Directive (EU) 2022/2555 – the NIS2 Directive – required all 27 EU member states to transpose its provisions into national law by 17 October 2024. This deadline was explicit, non-negotiable, and established more than two years in advance when the Directive was published on 27 December 2022. Despite this, the vast majority of member states failed to meet it.
As of March 2026, roughly half of the 27 member states have fully transposed the Directive into national law. Belgium was notably first, enacting its Loi NIS2 in April 2024 — six months before the deadline. Croatia, Hungary, Latvia, and Lithuania were among the early adopters. Italy enacted its national transposition (D.Lgs. 138/2024) in October 2024. Germany followed in late 2025 with the NIS2UmsuCG.
The European Commission launched infringement proceedings against member states that had not communicated full transposition measures by the deadline. By November 2024, the Commission had sent letters of formal notice to 23 member states. This is not unusual for EU directives – but the scale of non-transposition for a cybersecurity regulation affecting critical infrastructure raised concerns about the EU's collective cyber resilience posture.
~6–8
Member states fully transposed by early 2026
23
Member states receiving infringement letters (Nov 2024)
17 Oct 2024
Directive transposition deadline
| Country | Status | Implementing Law | Notes |
|---|---|---|---|
| Germany | Transposed | NIS2UmsuCG (amending BSIG) | Passed after significant delays (November 2025, over a year late). Amends the BSI-Gesetz (BSIG) with new §§28–65 covering scope, measures, reporting, and penalties. BSI registration portal operational since January 6, 2026. |
| Austria | Transposed | NISG 2024 (Netz- und Informationssystemsicherheitsgesetz) | Austria adopted its NIS2 transposition law in 2024. Closely aligned with the German approach due to shared legal traditions and DACH coordination. |
| Belgium | Transposed | Loi NIS2 (April 2024) | First EU member state to transpose NIS2 – six months before the deadline. CCB (Centre for Cybersecurity Belgium) designated as national authority. |
| Croatia | Transposed | Zakon o kibernetičkoj sigurnosti | Among the early adopters. National CERT (CERT.hr) and competent sectoral authorities designated. |
| Hungary | Transposed | Government Decree 418/2024 | Transposed through government decree rather than parliamentary legislation. NDGDM designated as national cybersecurity authority. |
| Italy | Transposed | D.Lgs. 138/2024 | Decreto Legislativo adopted in October 2024. ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority. Registration portal launched. |
| Latvia | Transposed | Amendments to the National Cyber Security Law | Transposed by amending existing cybersecurity legislation. CERT.LV continues as national CSIRT. |
| Lithuania | Transposed | Kibernetinio saugumo įstatymas (amended) | Early adopter. Amendments to existing Cyber Security Law came into force in late 2024. |
| France | In progress | Projet de loi NIS2 (pending) | ANSSI published draft transposition text. Parliamentary process delayed by political instability in late 2024. Expected completion in 2026. ANSSI acting as de facto authority in the interim. |
| Netherlands | In progress | Cyberbeveiligingswet (Cbw) – in legislative process | Draft Cybersecurity Act (Cbw) published. Senate review ongoing as of early 2026. NCSC-NL designated as CSIRT, with sectoral authorities for specific sectors. |
| Poland | In progress | Amendment to KSC (Krajowy System Cyberbezpieczeństwa) | Draft amendments to the National Cybersecurity System Act published. Multiple rounds of public consultation. Delayed by scope discussions around public administration entities. |
| Spain | In progress | Anteproyecto de Ley NIS2 | Preliminary draft published. CCN-CERT and INCIBE share cybersecurity authority responsibilities. Legislative timeline uncertain as of early 2026. |
| Sweden | In progress | Cybersäkerhetslagen (proposed) | Government inquiry (SOU) completed. Draft legislation under review. MSB (Myndigheten för samhällsskydd och beredskap) designated as coordinating authority. |
Germany transposed NIS2 through the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which amends the existing BSI-Gesetz (BSIG). The legislative process was delayed multiple times – the initial drafts circulated in mid-2023, but the law did not pass through the Bundestag (13 November 2025) and Bundesrat (21 November 2025) until over a year after the original October 2024 deadline.
The amended BSIG introduces a comprehensive NIS2 regime: §28 defines scope (besonders wichtige and wichtige Einrichtungen), §30 establishes the 10 cybersecurity measure areas, §32 implements incident reporting with the three-stage timeline, §33 creates the BSI registration obligation, §38 introduces management personal liability, and §65 defines the penalty framework. The BSI serves as the national competent authority and CSIRT.
The BSI registration portal went live on January 6, 2026, enabling entities to fulfill their §33 registration obligation. The registration deadline passed on March 6, 2026. The BSI has published sector-specific guidance documents and FAQs, and has begun outreach to entities that may be in scope but have not registered. Enforcement — including periodic audits and on-site inspections for besonders wichtige Einrichtungen — is now active.
Cross-Border Compliance Challenges
The fragmented transposition creates practical challenges for companies operating across multiple EU member states.
Regulatory fragmentation
Companies operating in multiple member states face different national implementations of the same Directive. While the core obligations are harmonised, member states have exercised discretion on scope (which sub-sectors to include), penalty levels (within the Directive's minimum thresholds), and supervisory approaches. A company present in Germany, France, and the Netherlands may face three different regulatory timelines and registration procedures.
Divergent scope definitions
The NIS2 Directive allows member states to extend scope beyond the minimum. Some countries (notably Belgium) have applied NIS2 to additional sectors. Others have applied different size thresholds or included public administration entities at varying levels. This makes pan-European scope assessment challenging – a company in scope in one country may not be in another.
Multiple reporting channels
An incident at a company with operations in multiple member states may trigger reporting obligations in each country where the affected services are provided. Each national CSIRT has its own portal and procedures. While ENISA coordinates cross-border incident sharing, the entity must file with each relevant national authority independently.
Uneven enforcement maturity
Countries that transposed early (Belgium, Croatia, Hungary) have a head start in building supervisory capacity. Countries still in the legislative process have no functioning enforcement regime. This creates an uneven playing field – and a risk that enforcement will be concentrated in the most mature jurisdictions, creating compliance pressure based on geography rather than risk.
- Directive (EU) 2022/2555 – NIS2 Directive, Official Journal of the European Union (27 December 2022)
- European Commission – NIS2 transposition tracker and infringement proceedings updates (2024–2025)
- Wavestone – NIS2 Transposition Radar: country-by-country implementation status (2025)
- NIS2UmsuCG – Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit (Germany)
- Loi NIS2 – Belgian NIS2 transposition law (April 2024)
- D.Lgs. 138/2024 – Italian NIS2 transposition decree
- ENISA – NIS2 implementation overview and cross-border coordination guidance (2025)
- BMI/BSI – Parliamentary documentation and guidance on NIS2UmsuCG implementation