NIS2 Implementation Status

    Track the transposition progress of the NIS2 Directive across all EU Member States, including competent authorities and enforcement timelines.

    As of 20 February 2026

    NIS2 Implementation Status Snapshot

    Fully Notified (8)
    Adopted (7)
    Draft (12)
    Member StateStatusCompetent AuthorityNotes
    Austria
    Adopted
    		Federal Chancellery (Bundeskanzleramt)National transposition law adopted (Dec 23, 2025); entry into force / secondary measures timed for 2026 — notification completeness under Commission review.
    Belgium
    Fully Notified
    		Centre for Cybersecurity Belgium (CCB)National implementing law adopted in April 2024 and registered; not listed among Commission reasoned-opinion cases.
    Bulgaria
    Draft
    		Ministry of Transport, Information Technologies & CommunicationsDraft amendments have been circulated but final national transposition stalled and Bulgaria was included in the Commission reasoned-opinion list.
    Croatia
    Fully Notified
    		National Cybersecurity Authority(s)Transposing legislation (Cybersecurity Act / regulation) adopted and operational; not among the Commission's outstanding reasoned-opinion list.
    Cyprus
    Adopted
    		Digital Security AuthorityAmendment published (Network and Information Systems Security (Amendment) Law of 2025 published 25 Apr 2025); Commission requested further notification details.
    Czechia
    Adopted
    		National Cyber and Information Security Agency (NUKIB)New Act on Cybersecurity (No. 264/2025) entered into force 1 Nov 2025 — law is in force while formal notification completeness is under Commission assessment.
    Denmark
    Draft
    		Center for Cybersecurity (CFCS) + sector authoritiesCommission issued a reasoned opinion for incomplete notification; implementing measures remain in legislative/administrative progress.
    Estonia
    Draft
    		Estonian Information System Authority (RIA)Draft/amendment process progressing (first readings reported); Estonia was included in the Commission's reasoned-opinion list.
    Finland
    Draft
    		Finnish Transport and Communications Agency (Traficom) / DVVCommission sent a reasoned opinion; legislative package/secondary rules are still being finalised.
    France
    Draft
    		ANSSI (French National Agency for Information Systems Security)Transposition incorporated into broader resilience bills; Parliament activity ongoing and Commission has issued a reasoned opinion requesting completion.
    Germany
    Adopted
    		Bundesamt für Sicherheit in der Informationstechnik (BSI)Germany adopted its NIS2 implementation / revised BSI Act in late 2025 and the law is in force (Dec 2025); Commission notification completeness remains under administrative review.
    Greece
    Fully Notified
    		Ministry of Digital Governance / National Cybersecurity AuthorityGreece adopted its transposition into national law and is not listed among Commission reasoned-opinion cases.
    Hungary
    Adopted
    		National Cybersecurity Agency & Ministry of DefenceHungary passed a consolidated Cybersecurity Act and supporting decrees in early 2025; Commission had previously raised notification concerns but national measures are in place.
    Ireland
    Draft
    		National Cyber Security Centre (NCSC-IE)Ireland has an active legislative bill (National Cyber Security Bill) but the Commission issued a reasoned opinion for incomplete notification.
    Italy
    Fully Notified
    		Italian National Cybersecurity Authority (ACN) + sector regulatorsItaly adopted and notified implementing legislation and is not among the Commission's reasoned-opinion list.
    Latvia
    Adopted
    		Latvian National Cyber Security AuthorityLatvia adopted a National Cybersecurity Law (mid-2024) and has secondary rules pending; Commission flagged notification completeness in May 2025.
    Lithuania
    Fully Notified
    		Lithuanian National Cyber Security CentreLithuania transposed NIS2 in 2024 and entered key provisions into force on 18 Oct 2024; it is listed among states that completed transposition.
    Luxembourg
    Draft
    		Institut Luxembourgeois de Regulation (ILR)Luxembourg was included in the Commission reasoned-opinion list and remains in the draft/legislative phase.
    Malta
    Fully Notified
    		Malta Information Technology Agency (MITA)Malta transposed NIS2 via Legal Notice(s) in 2025 and brought the framework into force (legal notices effective Jan 2026); it is not in the Commission's May-2025 reasoned-opinion list.
    Netherlands
    Draft
    		Minister of Digital Affairs + NCSC unitsThe Netherlands appears among the Member States cited by the Commission for incomplete notification; transposition work was ongoing at national level.
    Poland
    Draft
    		Ministry of Digital Affairs (Cybersecurity Dept)Poland was included in the Commission reasoned-opinion list and national amendments were still under development.
    Portugal
    Adopted
    		National Cyber Security Directorate (DNSC)Decree-Law No. 125/2025 published 4 Dec 2025 transposes NIS2; it becomes effective 120 days after publication (April 2026) while Commission completeness review is ongoing.
    Romania
    Fully Notified
    		National Cybersecurity Directorate (DNSC)Romania is reported to have completed its national transposition and is not listed among the Commission's outstanding reasoned-opinion cases.
    Slovakia
    Fully Notified
    		National Cybersecurity Authority (Prime Minister's Office)Slovakia adopted implementing legislation and is not included in the Commission's reasoned-opinion list.
    Slovenia
    Draft
    		Information Security Administration (ASIM-SI)Slovenia was included in the Commission's reasoned-opinion list; national transposition activity remains ongoing.
    Spain
    Draft
    		National Cybersecurity Institute (INCIBE) / Security CouncilSpain was cited by the Commission for incomplete notification; legislative and secondary measures remain in progress.
    Sweden
    Draft
    		Swedish Civil Contingencies Agency (MSB)Sweden received a Commission reasoned opinion for incomplete notification; national transposition remains in parliamentary/administrative proceedings.

    Many of these Member States have adopted primary laws but still need full secondary legislation and Commission notification before enforcement is considered complete.

    Status Legend

    • Fully Notified = national transposition adopted and no open Commission reasoned opinion about incomplete notification.
    • Adopted = national transposition law adopted (or published) but Commission has requested further information / notification completeness (or notification still to be confirmed). If the law is already in force but notification is pending review, it is indicated.
    • Draft = legislative process ongoing / no final national law published.

    Key Implementation Notes

    Deadline & Commission Action

    All Member States were required to transpose NIS2 by 17 October 2024; most missed this deadline. On 7 May 2025, the European Commission issued reasoned opinions to 19 Member States for failing to notify full transposition.

    "Adopted" vs "Fully Notified"

    Some Member States have enacted national laws but have not yet fully notified all implementing measures to the Commission. Other Member States are still in draft or legislative/parliamentary review.

    Enforcement & Regulatory Readiness

    Where national law is in force, entity registration, incident reporting, supervisory powers, and penalties (up to EUR 10 million or 2% of turnover for essential entities) are being phased in through secondary regulations.

    Pending Enforcement

    In Member States with Adopted or Draft status, registration and reporting obligations are not yet enforceable until national law is in force and authorities have published legal instruments and portals. This does not preclude diligent SMEs from starting their NIS2 compliance journeys now.

    Competent Authority Clarifications

    Across the EU, Member States designate one or more competent authorities responsible for NIS2 implementation and enforcement.

    Supervising Compliance

    Overseeing adherence to NIS2 obligations across essential and important entities

    Receiving Incident Reports

    Processing and coordinating responses to cybersecurity incident notifications

    Maintaining Entity Lists

    Keeping registers of essential and important entities within their jurisdiction

    Enforcing Requirements

    Implementing risk management and governance requirements through regulatory action

    Typical Authority Types

    • National Cybersecurity Authorities/Agencies or dedicated cybersecurity regulators (e.g., CCB, ACN, NUKIB, ANSSI)
    • Sectoral regulators for finance, telecoms, energy where responsibilities are delegated
    • CSIRTs serve coordination and reporting functions under national law