NIS2 Implementation Status
Track the transposition progress of the NIS2 Directive across all EU Member States, including competent authorities and enforcement timelines.
As of April 2026
NIS2 Implementation Status Snapshot
Fully Notified (16)
Adopted (6)
Draft (5)
| Member State | Status | Competent Authority | Notes |
|---|---|---|---|
| Austria | Adopted | Federal Ministry of the Interior (BMI) / Bundesamt für Cybersicherheit (operational 1 October 2026) | NISG 2026 promulgated 23 December 2025; enters into force 1 October 2026; entity registration deadline 1 January 2027 — notification completeness under Commission review. |
| Belgium | Fully Notified | Centre for Cybersecurity Belgium (CCB) — CyFun® / Safeonweb@Work | NIS2 Law in force 18 October 2024; registration via Safeonweb@Work closed 18 March 2025; CyFun® self-assessment or ISO 27001 SoA deadline 18 April 2026 (now passed); full certification by 18 April 2027. |
| Bulgaria | Adopted | Multiple national competent authorities (Ministry of Defence, Ministry of Interior, State Agency for National Security) — Minister of e-Government maintains national register | Cybersecurity Act amendments in force 17 February 2026; reduced sanctions for breaches before 1 June 2026; Council of Ministers designation methodology due ~17 August 2026 — administrative designation model. |
| Croatia | Fully Notified | Security and Intelligence Agency (SOA) — National Cybersecurity Center (NCSC-HR); CERT.hr (CARNET) for incident reporting via PiXi; autonomous sector supervisors (HNB, HANFA, HACZ) | Cybersecurity Act (NN 14/2024) in force 15 February 2024 — among earliest EU transpositions; Cybersecurity Regulation (NN 135/2024) in force 30 November 2024; authority-led notification model with 12-month compliance window; national deviations include Education sector, biennial self-assessment for important entities, and stricter technical controls. |
| Cyprus | Adopted | Digital Security Authority (DSA) — primary; Commissioner of Communications also designated as supervisory authority | Network and Information Systems Security (Amendment) Law 60(I)/2025 enacted 10 April 2025, in force 25 April 2025; national deviations include a 6-hour early warning deadline (stricter than the Directive's 24h) and a DSA-led entity identification model (no self-registration); Commission notification completeness under review. |
| Czech Republic | Adopted | National Cyber and Information Security Agency (NUKIB) | Act on Cybersecurity No. 264/2025 Coll. in force since 1 November 2025; self-identification via NÚKIB portal (registration deadline 31 December 2025 for entities in scope); 12-month compliance window for security and reporting measures from registration decision; essential entities must report all cyber-origin incidents (stricter than Directive); NÚKIB empowered to restrict or prohibit insecure supply chain vendors for strategically important entities. |
| Denmark | Adopted | Ministry for Societal Resilience and Contingency (MSSB) — coordinator; sector regulators (Danish Energy Agency, Finanstilsynet, telecom regulators) — primary supervisors; CFCS — National CSIRT | NIS2 Act (L 141) in force since 1 July 2025 with no transitional grace period; self-registration via Virk.dk (deadline 1 October 2025 — passed); minimum transposition approach (no gold-plating); national deviations: direct administrative fines not available (sanctions follow criminal prosecution via the public prosecution authority) and personal management liability not transposed (governed by Danish Companies Act duty of care); Commission notification completeness under review. |
| Estonia | Fully Notified | Estonian Information System Authority (RIA) | Amended Cybersecurity Act in force since 1 January 2026; ~3,500 → ~6,500 entities in scope; research institutions added as national sector beyond Directive baseline; risk management aligned with E-ITS baseline controls; phased compliance — self-registration via RIA deadline ~1 April 2026 (now passed), governance controls by 1 January 2027, full technical compliance and first audits by 1 January 2028. |
| Finland | Fully Notified | Traficom (NCSC-FI) — coordinator; sector authorities supervise | Cybersecurity Act (124/2025) in force since 8 April 2025; registration deadline 8 May 2025 and risk management deadline 8 July 2025 both passed; decentralised supervision across seven sector-specific authorities coordinated by Traficom's NCSC-FI; administrative fines imposed by a separately established sanctions board on supervisory authority proposal; public sector entities cannot be fined; financial sector excluded (covered by DORA). |
| France | Draft | ANSSI (French National Agency for Information Systems Security) | Loi Résilience (consolidating NIS2, CER, DORA) cleared Senate 12 Mar 2025 and National Assembly special committee 10 Sep 2025; final vote and promulgation pending, expected H1–H2 2026 (not yet enacted as of April 2026). EC reasoned opinion issued 7 May 2025. ANSSI's MonEspaceNIS2 pre-registration portal already live; ~15,000–18,000 entities expected in scope across 18 sectors. |
| Germany | Fully Notified | Bundesamt für Sicherheit in der Informationstechnik (BSI) | NIS2UmsuCG in force since 6 December 2025 with no transitional period; ~4,500 → ~29,000–30,000 entities in scope; BSI registration deadline of 6 March 2026 has passed; two-step BSI portal / Mein Unternehmenskonto (MUK) registration; mandatory 3-yearly management cybersecurity training; "negligible activities" exemption under § 28(3) BSIG. |
| Greece | Fully Notified | National Cybersecurity Authority (NCSA) | Law 5160/2024 in force since 28 November 2024; supplemented by MD 1645/2025 (registration) and MD 1689/2025 (22-topic security framework); registration deadlines (28 Mar 2025 for digital infrastructure; 30 Sep 2025 general) have passed; mandatory ICSSO appointment (incompatible with DPO); NCSA audits commenced Q4 2025. |
| Hungary | Adopted | SZTFH (primary) / NKI/NCSC (CSIRT) | Act LXIX of 2024 in force since 1 January 2025; SZTFH is the primary regulator (registration, auditor registry, supervisory fees); NKI/NCSC is the national CSIRT; banking, financial market infrastructure, and public administration are excluded from scope; registration and auditor-contract deadlines have passed; first cybersecurity audit deadline 30 June 2026 (upcoming); EC reasoned opinion 7 May 2025 — Commission assessment ongoing. |
| Ireland | Draft | National Cyber Security Centre (NCSC-IE) | National Cyber Security Bill 2024 not yet enacted as of April 2026; Ireland missed the 17 October 2024 EU transposition deadline and is subject to European Commission infringement proceedings; NIS1 (S.I. 360 of 2018) continues to apply; federated supervisory model proposed (NCSC lead + CRU, ComReg, Central Bank of Ireland); enactment and registration portal expected during 2026. |
| Italy | Fully Notified | Italian National Cybersecurity Authority (ACN) + sector regulators | Legislative Decree No. 138/2024 in force since 16 October 2024. The ACN is the primary regulator and operates a centralized digital portal for registration and reporting. Italy extended scope beyond the Directive's minimum via national Annexes III & IV (central government bodies, local public transport, cultural-interest entities) and includes a safeguard clause for ICT-independent group subsidiaries. Compliance is phased: registration deadlines passed in early 2025, mandatory incident reporting to ACN/CSIRT Italia has been in effect since 1 January 2026, and full compliance with security measures is required by 1 October 2026. Italy is fully notified to the European Commission. |
| Latvia | Fully Notified | National Cybersecurity Centre (NCSC) | Latvia's National Cybersecurity Law has been in force since 1 September 2024 (replacing the former IT Security Law); Cabinet Regulation No. 397 (minimum cybersecurity requirements) in force since 2 July 2025; the European Commission's May 2025 reasoned opinion has been resolved. The National Cybersecurity Centre (NCSC) — Ministry of Defence with CERT.LV — is the primary supervisor, while the Constitution Protection Bureau oversees critical ICT infrastructure. Entities must appoint a cybersecurity manager, classify systems into three tiers (A/B/C), and conduct annual ICT security reviews. All initial deadlines (entity registration, cybersecurity manager appointment, first self-assessment) have passed; transposition fully notified. |
| Lithuania | Fully Notified | National Cyber Security Centre (NCSC) | Lithuania's amended Law on Cybersecurity entered into force on 18 Oct 2024; the Government Resolution on Implementation followed on 12 Nov 2024. The NCSC notified the initial register of 1,443 entities around 17 Apr 2025; phased compliance follows (organisational measures ~17 Apr 2026 — imminent; technical measures ~17 Apr 2027). Lithuania expands scope beyond the Directive (local public administration, critical R&D entities, electronic information hosting providers), mandates appointment of a cybersecurity manager, and requires essential entities to undergo a triennial independent conformity assessment. Fully notified to the European Commission. |
| Luxembourg | Draft | ILR (proposed) / CSSF (financial, proposed); HCPN coordination | Bill 8364 introduced 13 March 2024, not yet enacted as of April 2026; missed EU deadline 17 October 2024; EC reasoned opinion 7 May 2025; Council of State complementary opinion December 2025; NIS1 framework still applies; proposed split supervisory model (ILR most sectors / CSSF financial / HCPN coordination); expanded scope (~6,000–8,000 entities); SERIMA platform launched by ILR; enactment expected during 2026. |
| Malta | Fully Notified | CIPD (primary) / MCA (digital + postal); CSIRT Malta (incidents) | NIS2 transposed via Legal Notice 71 of 2025 (S.L. 460.41), published 8 April 2025 and fully in force on 23 January 2026 via L.N. 22 of 2026; replaces NIS1 (L.N. 216/2018). CIPD is primary supervisor; MCA is competent for digital infrastructure and postal/courier; CSIRT Malta (within CIPD) handles incident response; CIPAB advises on penalties. Entities must self-register with the CIPD and designate an internal/autonomous CSIRT; first formal audits expected H2 2027. |
| Netherlands | Draft | Sector-specific competent authorities (proposed under Cbw); NCSC (CSIRT) | The Netherlands is transposing NIS2 via the Cyberbeveiligingswet (Cbw), a new statute that will replace the Wbni. The Cbw was submitted to the Tweede Kamer on 4 June 2025 and, as of April 2026, has not yet been enacted; entry into force is expected in Q2 2026 (imminent). The Netherlands missed the 17 October 2024 transposition deadline and received an EC reasoned opinion on 7 May 2025. The Cbw establishes a multi-regulator supervisory model with sector-specific competent authorities (e.g., RDI for digital infrastructure, ILT for transport); the NCSC serves as national CSIRT and coordinator. Incident reporting creates a dual obligation (NCSC + sector authority); management cybersecurity training is mandatory. Voluntary registration via mijn.ncsc.nl has been active since 17 October 2024. |
| Poland | Fully Notified | Ministry of Digital Affairs (lead) / sectoral ministries (supervision); CSIRT GOV, NASK, MON (incidents) | Poland completed NIS2 transposition via amendment to UKSC (Act on the National Cybersecurity System); adopted by Sejm 23 Jan 2026; signed by President 19 Feb 2026; in force 3 Apr 2026 (one-month vacatio legis); ~18 months after 17 Oct 2024 deadline; EC reasoned opinion 7 May 2025 — infringement resolved on transposition. Multi-authority model — Ministry of Digital Affairs leads + maintains register; sector-specific competent ministries supervise; three national CSIRTs (GOV/NASK/MON) + sectoral CSIRTs handle incidents. Mandatory ISMS (PN-EN ISO/IEC 27001 + ISO 22301); biennial audit; non-delegable board training + personal liability; cross-sector high-risk vendor mechanism (under Constitutional Tribunal review); elevated penalties up to PLN 100M (~€24M). Phased compliance: registration by 3 Oct 2026; full ISMS by 3 Apr 2027; first audit by 3 Apr 2028. |
| Portugal | Fully Notified | CNCS (lead) / sectoral + special supervisory authorities; Crisis Office (coordination) | Portugal completed NIS2 transposition via Decree-Law No. 125/2025 (Regime Jurídico da Cibersegurança); published 4 December 2025; in force 3 April 2026 (120 days after publication); replaces Law 46/2018 and Decree-Law 65/2021 entirely; missed 17 October 2024 deadline; EC reasoned opinion 7 May 2025 resolved on publication. Multi-layered supervisory model — CNCS lead + sectoral and special supervisory authorities + new Crisis Office. Mandatory cybersecurity officer (management body member or direct report) + permanent 24/7 CNCS point of contact, both due 4 May 2026 (20 working days from entry into force — upcoming). Group A / Group B classification for public entities. Phased compliance — CNCS platform registration 60 days from launch (date TBC); major obligations (risk management, supply chain, annual reporting) apply 24 months after CNCS implementing regulations are published. |
| Romania | Fully Notified | National Cybersecurity Directorate (DNSC) | Romania completed NIS2 transposition via GEO 155/2024 (adopted 30 Dec 2024; in force 31 Dec 2024); refined by Law 124/2025 (in force 10 Jul 2025) extending healthcare to pharmaceutical supply chain and retail pharmacies (NACE 4773); operationalized via DNSC Orders 1/2025 (registration) and 2/2025 (risk assessment), both in force 20 Aug 2025; sanction provisions from 30 Jan 2025; primary authority DNSC; doubled-maximum-fine power in aggravated cases (incl. €10M / 2% caps); mandatory designation of person responsible for cybersecurity (independent from operational IT head) and mandatory management cybersecurity training; entity registration via NIS2@RO platform — initial deadline ~19 Sep 2025 (passed); only post-20 Aug 2025 registrations legally valid; four-step compliance chain — registration → risk-level self-assessment → maturity self-assessment (within 60 days) → remediation plan (within 30 days); national defence, public order, national security, MFA, law enforcement entities excluded. |
| Slovakia | Fully Notified | NBÚ (lead) / sector ministries (supervision); SK-CERT (incidents) | Slovakia completed NIS2 transposition via Act No. 366/2024 Coll. amending Cybersecurity Act No. 69/2018 Coll.; National Council adoption 28 Nov 2024; Collection of Laws publication 19 Dec 2024; in force 1 Jan 2025; Slovakia 4th EU Member State to complete transposition; ~3,500–14,000 entities expected in scope; primary authority NBÚ (Národný bezpečnostný úrad); SK-CERT (National Cyber Security Centre, within NBÚ) handles incident response; sector-specific ministries (e.g., Health, Transport) have supplementary roles; framework aligned with ISO 27000 family of standards; supporting Ordinance on Security Measures developed during 2025; supply-chain third parties explicitly regulated as direct entities (beyond Directive minimum); registration via JISKB portal — initial deadline ~1 Mar 2025 (passed); new entities 60 days from becoming in-scope; full compliance with all obligations required by 31 Dec 2026; intermediate incident report may be requested by SK-CERT between 72-hour notification and final report. |
| Slovenia | Fully Notified | URSIV (lead/NCC-SI/SPOC); SI-CERT (private) / SIGOV-CERT (gov) (incidents) | Slovenia completed NIS2 transposition via the Information Security Act (ZInfV-1) (Zakon o informacijski varnosti); adopted by the National Assembly 23 May 2025; published in Official Gazette No. 40/25 on 4 June 2025; in force 19 June 2025; new comprehensive statute replacing the prior ZInfV (2018); adopted under emergency procedure following EC reasoned opinion of 7 May 2025; primary authority URSIV (Government Office for Information Security), also acting as NCC-SI and national single point of contact; SI-CERT (operated by ARNES) as national CSIRT for private sector; SIGOV-CERT for government institutions; scope extended beyond Directive minimum to include research and higher-education institutions; cybersecurity requirements framework annexed to the law; ISO/IEC 27001 referenced as applicable standard; ISMS + BCMS mandatory; URSIV registration deadline 19 December 2025 (passed); new entities 30 days from becoming in-scope; phased risk-management deadlines — 19 June 2026 (prior ZInfV essential service providers) / 19 December 2026 (all other essential/important entities); compliance assessment by accredited CAB at least every 2 years for essential entities. |
| Spain | Draft | CNC (proposed lead/SPOC); CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (defence) (CSIRTs) | Spain has not yet enacted its NIS2 transposition; the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad was approved by the Council of Ministers on 14 January 2025; pending parliamentary debate in the Cortes Generales as of April 2026; missed the 17 October 2024 deadline; EC reasoned opinion 7 May 2025; CJEU referral remains possible; the existing NIS1 framework (RD-Law 12/2018) continues to apply; the draft establishes a new Centro Nacional de Ciberseguridad (CNC) as lead authority, single EU point of contact, and crisis coordinator; three reference CSIRTs designated — CCN-CERT (public sector), INCIBE-CERT (private entities), ESPDEF-CERT (Armed Forces); incident reporting via the Plataforma Nacional de Notificación y Seguimiento de Ciberincidentes; scope expanded beyond Directive minimum to include universities, research centres, large municipalities, private security companies, entities with national defence implications, and foreign companies with permanent establishment in Spain; tiered national fine structure (minor €10k–€100k; serious €100,001–€500k; very serious €500,001–€2M; higher NIS2-style caps for the most serious cases); a Responsable de Seguridad de la Información required per entity once enacted. |
| Sweden | Fully Notified | MSB/MCF (lead/coordinator/SPOC/CSIRT); PTS (digital sectors); sector authorities | Sweden completed its NIS2 transposition via the Cybersäkerhetslagen (Cybersecurity Act, SFS 2025:1506), adopted by the Riksdag 10 Dec 2025 and in force 15 Jan 2026 — a new comprehensive statute replacing Information Security Act 2018:1174, with the Cybersäkerhetsförordningen issued concurrently. Sweden missed the 17 Oct 2024 deadline and received an EC reasoned opinion 7 May 2025 (resolved post-enactment). MSB (Myndigheten för samhällsskydd och beredskap) was renamed MCF (Myndigheten för civilt försvar — Swedish Civil Defence and Resilience Agency) as of 1 Jan 2026; MSB/MCF serves as national coordinator, EU single point of contact, and national CSIRT. Sweden operates a decentralised supervisory model — sector-specific authorities supervise their respective sectors, with PTS (Post- och telestyrelsen — Swedish Post and Telecom Agency) co-regulating digital infrastructure, digital providers, ICT service management (B2B), space, and postal and courier services. Whole-entity approach — the entire IT footprint of in-scope entities must comply. Mandatory management training is sanctionable. Trust service providers must submit both early warning and incident notification within 24 hours (deviation from 72h). Time-limited prohibition on holding management functions possible for essential-entity board members. Registration deadline 16 Feb 2026 (passed); MSB/MCF notification portal launched 2 Feb 2026; all obligations apply immediately from 15 Jan 2026 with no general grace period. |
Many of these Member States have adopted primary laws but still need full secondary legislation and Commission notification before enforcement is considered complete.
Status Legend
- Fully Notified = national transposition adopted and no open Commission reasoned opinion about incomplete notification.
- Adopted = national transposition law adopted (or published) but Commission has requested further information / notification completeness (or notification still to be confirmed). If the law is already in force but notification is pending review, it is indicated.
- Draft = legislative process ongoing / no final national law published.
Key Implementation Notes
Deadline & Commission Action
All Member States were required to transpose NIS2 by 17 October 2024; most missed this deadline. On 7 May 2025, the European Commission issued reasoned opinions to 19 Member States for failing to notify full transposition.
"Adopted" vs "Fully Notified"
Some Member States have enacted national laws but have not yet fully notified all implementing measures to the Commission. Other Member States are still in draft or legislative/parliamentary review.
Enforcement & Regulatory Readiness
Where national law is in force, entity registration, incident reporting, supervisory powers, and penalties (up to EUR 10 million or 2% of turnover for essential entities) are being phased in through secondary regulations.
Pending Enforcement
In Member States with Adopted or Draft status, registration and reporting obligations are not yet enforceable until national law is in force and authorities have published legal instruments and portals. This does not preclude diligent SMEs from starting their NIS2 compliance journeys now.
Competent Authority Clarifications
Across the EU, Member States designate one or more competent authorities responsible for NIS2 implementation and enforcement.
Supervising Compliance
Overseeing adherence to NIS2 obligations across essential and important entities
Receiving Incident Reports
Processing and coordinating responses to cybersecurity incident notifications
Maintaining Entity Lists
Keeping registers of essential and important entities within their jurisdiction
Enforcing Requirements
Implementing risk management and governance requirements through regulatory action
Typical Authority Types
- National Cybersecurity Authorities/Agencies or dedicated cybersecurity regulators (e.g., CCB, ACN, NUKIB, ANSSI)
- Sectoral regulators for finance, telecoms, energy where responsibilities are delegated
- CSIRTs serve coordination and reporting functions under national law