NIS2 Transposition Status: Which EU Member States Are Compliant, Delayed, or Facing Infringement [Q2 2026]
The October 2024 Deadline: Where Does Europe Stand?
The NIS2 Directive set October 17, 2024 as the hard deadline for all 27 EU member states to transpose its requirements into national law. Twenty-three failed to meet it. On November 28, 2024, the European Commission opened formal infringement proceedings — sending letters of formal notice to each non-compliant state — making this the largest simultaneous enforcement action in EU cybersecurity history.
Eighteen months later, most member states have enacted their national NIS2 legislation, but significant gaps remain. Two countries are still working their bills through parliament. One has a law published but deliberately deferred enforcement to October 2026. Registration deadlines vary widely — from closed in early-transposing states to twelve months from threshold confirmation in Poland.
This tracker documents the transposition status of all 27 EU member states as of Q2 2026, including the national law name and entry date, the designated competent authority, and the registration window for in-scope entities. We update this page quarterly — verify against the European Commission’s official transposition tracker before making compliance decisions.
How NIS2 Transposition Works: Directive, National Law, Enforcement
The NIS2 Directive creates obligations for member states, not directly for organisations. Organisations become subject to those obligations only once a member state has enacted a transposing national law and that law has entered into force. Three milestones shape your compliance calendar — and they are not the same date.
The transposition deadline (October 17, 2024) was the date by which member states were legally required to complete their national legislation and notify the European Commission. Nineteen of 27 missed it.
The entry into force date is when the national law becomes legally binding in that member state. This is when in-scope organisations’ obligations legally commence. Germany’s NIS2UmsuCG entered into force on December 6, 2025 — 13 months after the EU deadline. That December date is the correct compliance start point for German entities, not October 2024.
The active enforcement date is when the national competent authority begins audits, inspections, and potential penalty proceedings. Some member states built transition periods between publication and entry into force. Austria is the most striking example: its implementing act was published in December 2025 but will not enter into force until October 1, 2026 — a deliberate nine-month preparation window for in-scope organisations.
For the full framework of obligations that apply once a member state’s law is in force, see our NIS2 Directive overview. For guidance on whether your organisation is classified as essential or important, see our NIS2 scope guide.
Full Transposition Status: All 27 EU Member States [Q2 2026]
The table below reflects the transposition state as of Q2 2026, drawing on the European Commission’s official transposition tracker, country-level EC implementation pages, the Wavestone transposition monitor, and the Matproof live tracker. Data is updated quarterly — last verified May 2026. The EC’s own page notes it reflects information provided by member states “without prejudice to the formal assessment of the compliance of transposition measures.”
Status definitions:
- In Force: National law enacted and legally binding on in-scope organisations
- Enacted — Delayed Entry: Law passed by parliament but not yet in effect (deliberate transition period)
- Bill Pending: National legislation not yet enacted; interim authority arrangements in place
| Member State | Status (Q2 2026) | National Law / Date in Force | Competent Authority | Registration Window |
|---|---|---|---|---|
| Austria | Enacted — Oct 1, 2026 | NISG (published Dec 23, 2025; in force Oct 1, 2026) | BMI + Bundeskanzleramt | 3 months after scope trigger (from Oct 2026) |
| Belgium | In Force (Oct 18, 2024) | Law of Apr 26, 2024 | Centre for Cybersecurity Belgium (CCB) | Closed Mar 2025 |
| Bulgaria | In Force (Apr 15, 2025) | Amended Cybersecurity Act | State Agency for Electronic Governance + CERT.BG | 6 months from scope trigger |
| Croatia | In Force (Feb 15, 2024) | Cybersecurity Act — earliest adopter | SDURDD (Central State Office for Digital Society) | 3 months after scope trigger |
| Cyprus | In Force (Apr 25, 2025) | Law 40(I)/2025 | Digital Security Authority (DSA) | 3 months after scope trigger |
| Czech Republic | In Force (Nov 1, 2025) | Cybersecurity Act (revised) | NÚKIB (National Office for Cyber Security) | 60 days after entry into force |
| Denmark | In Force (Jul 1, 2025) | General Cybersecurity Act (sector-specific laws follow) | CFCS (Center for Cyber Security) | 3 months after scope trigger |
| Estonia | In Force (Jan 1, 2026) | Amended Cybersecurity Act (approved Dec 18, 2025) | RIA (Information System Authority) | 3 months after scope trigger |
| Finland | In Force (Apr 8, 2025) | Cybersecurity Act 124/2025 | Traficom / NCSC-FI | Closed May 8, 2025 |
| France | Bill Pending | Senate: Mar 12, 2025; National Assembly: ongoing | ANSSI | TBD — pre-register at MonEspaceNIS2 |
| Germany | In Force (Dec 6, 2025) | NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) | BSI + sectoral authorities | Closed Mar 6, 2026 |
| Greece | In Force (Nov 27, 2024) | Law 5160/2024 | National Cybersecurity Authority (NCSA) | Closed Sep 30, 2025 |
| Hungary | In Force (Jan 1, 2025) | Cybersecurity Act | National Cybersecurity Institute | Closed Aug 2025 |
| Ireland | Bill Pending | Network and Information Security Bill (in parliamentary process) | NCSC Ireland + Central Bank of Ireland (financial sector) | TBD |
| Italy | In Force (Oct 16, 2024) | Legislative Decree 138/2024 | ACN (National Cybersecurity Agency) | 180 days from scope trigger |
| Latvia | In Force (Sep 1, 2024) | Cybersecurity Law 2024 | CERT.LV + Cabinet of Ministers | Closed Apr 1, 2025 |
| Lithuania | In Force (Oct 17, 2024) | Law XII-1428 | NKSC (National Cybersecurity Center) | Entity self-identification required |
| Luxembourg | Enacted — Framework Pending | Bill 8364 (adopted late 2025) | HCPN + ILR + CSSF (financial sector) | 3 months after entry into force |
| Malta | In Force (May 1, 2025) | Legal Notice 71/2025 | Malta Communications Authority (MCA) | 3 months after scope trigger |
| Netherlands | Enacted — Q2 2026 expected | Cybersecurity Bill (before House of Representatives as at Q1 2026) | NCSC-NL + Agentschap Telecom + sector regulators | 3 months after entry into force |
| Poland | In Force (Apr 3, 2026) | Amended National Cybersecurity System (KSC) Act | Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs | 12 months from threshold confirmation — longest in EU |
| Portugal | In Force (Dec 4, 2025) | Decree-Law 125/2025 | CNCS (National Cybersecurity Center) | 3 months after scope trigger |
| Romania | In Force (Mar 20, 2025) | Government Emergency Ordinance 155/2024 | DNSC (National Cybersecurity Directorate) | Closed Sep 19, 2025 |
| Slovakia | In Force (Jan 1, 2025) | Amended Cybersecurity Act | NBÚ (National Security Authority) | 3 months after scope trigger |
| Slovenia | In Force (Jun 19, 2025) | ZInfV 1 (Information Security Act) | URSIV (Information Security Administration) | 3 months after scope trigger |
| Spain | In Force | Royal Decree-Law (approved by Council of Ministers Jan 2025) | CCN-CERT + INCIBE (shared competence) | 3 months after scope trigger |
| Sweden | In Force (Jan 15, 2026) | Cybersäkerhetslagen (Parliament approved Dec 10, 2025) | MSB + sectoral authorities | 3 months after scope trigger |
Key Notes on the Table
Croatia led Europe: With its Cybersecurity Act entering force on February 15, 2024 — eight months before the EU deadline — Croatia was the EU’s first mover and remains a benchmark for rapid transposition.
Germany’s long road: The NIS2UmsuCG was 13 months late, delayed by the collapse of the Ampel coalition which sent the original draft through parliamentary discontinuity. The new coalition reintroduced it rapidly; the Bundestag passed it on November 13, 2025, the Bundesrat on November 20, 2025, and it was promulgated December 6, 2025 with no transition period. BSI registration for in-scope entities opened immediately and closed March 6, 2026 — if your German operations missed that window, contact BSI directly.
France: interim arrangements only: ANSSI has published the ReCyF security framework (March 2026) and operates a pre-registration portal (MonEspaceNIS2). The transposing law has passed the Senate but remains in the National Assembly. Until promulgation, France operates under interim ANSSI arrangements without the full penalty enforcement framework in place.
Ireland: the most significant open gap: Ireland’s NCSC Ireland is the designated competent authority but the Network and Information Security Bill has yet to be enacted. Ireland’s position as EU headquarters for many major digital platforms makes this delay particularly notable for cross-border compliance planning in the digital sector.
Austria’s deliberate nine-month gap: The NISG was published December 23, 2025 but enters force October 1, 2026. Austrian organisations should treat this period as mandatory preparation time: complete your entity classification, conduct a gap analysis against the ten Article 21 requirements, and register as soon as the authority opens its portal. The BMI has indicated it will not wait for organisations to self-identify — supervisory contact will begin promptly from the October entry date.
Poland’s 12-month registration window: Poland’s NCS Act amendment is the outlier in registration timing. Where most member states require registration within 3 months of determining you are in scope, Poland allows 12 months from the date you confirm you meet the threshold criteria. This is the longest registration window in the EU — though it does not delay the obligation to comply with the security requirements themselves.
European Commission Infringement Proceedings: A Two-Step Process
The EU infringement procedure — governed by Articles 258–260 TFEU — is the formal mechanism by which the Commission enforces treaty obligations against non-compliant member states. For NIS2, the proceedings progressed in two confirmed steps by Q2 2026, with a third step available but not yet formally deployed.
Step 1 — Letters of Formal Notice (November 28, 2024): The Commission sent formal notices to 23 member states for failing to transpose NIS2 by the October 17, 2024 deadline. This is the formal opening of infringement proceedings — it puts the member state on notice that the Commission considers EU law has been breached and gives it the opportunity to respond. The four states that had already complied by this date were Belgium, Croatia, Italy, and Lithuania.
Step 2 — Reasoned Opinions (May 7, 2025): Between December 2024 and April 2025, four more member states completed transposition and resolved their infringement: Greece (November 2024), Slovakia (January 2025), Romania (March 2025), and Malta (April 2025). The Commission issued reasoned opinions — the formal statement that EU law has been breached — to the remaining 19 states: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland, and Sweden. The 19 states were given two months to respond and complete transposition.
Step 3 — Potential CJEU Referral: The Commission stated it “may decide to refer the cases to the Court of Justice of the European Union” if states failed to respond adequately within the two-month window following the May 2025 reasoned opinions. Between July 2025 and Q1 2026, the majority of the 19 enacted their national legislation and resolved their proceedings. As of Q2 2026, France and Ireland remain the member states with the most incomplete legislative processes. CJEU referral status for remaining cases should be verified through the Commission’s infringement proceedings database.
CJEU referrals result in consequences for member states — not for individual organisations. The Court can impose lump-sum financial penalties and daily penalty payments on non-compliant states until they comply. This is a state-level enforcement mechanism, not a route to penalties against individual companies.
What Delayed Transposition Means for Your Organisation
If your member state has not yet enacted its NIS2 national law, your compliance position is more nuanced than “no obligations yet.”
Interim authority activity: France’s ANSSI and Ireland’s NCSC Ireland are both operating pre-registration and advisory programmes while their legislation completes. ANSSI opened MonEspaceNIS2 in November 2025 to allow likely in-scope organisations to self-identify. Engaging with these interim channels reduces the compliance gap between law entry and your first supervisory contact — and positions you ahead of competitors who wait for the formal enforcement date.
Cross-border exposure: Organisations operating in multiple member states cannot wait for the slowest jurisdiction. If you have an establishment in Germany, Belgium, or Italy, you are already subject to active enforcement in those jurisdictions regardless of your home member state’s transposition status. The practical guidance from compliance specialists: design your NIS2 programme to satisfy the most stringent requirements across all jurisdictions where you have an establishment. A compliance programme designed to the German BSI’s standard will meet or exceed the requirements in all other transposed member states.
Registration deadlines are jurisdiction-specific: Many early-transposing states have already closed their initial registration windows. If you have operations in Belgium, Finland, Greece, Romania, or Latvia and have not yet registered, contact the relevant authority directly — these deadlines are not automatically extended. For guidance on the entity registration process, see our entity registration guide.
For guidance on what supervisory measures to expect once your national authority is active, see our supervisory measures overview. For a breakdown of penalty exposure by entity type and jurisdiction, see our NIS2 penalties guide.
Key Differences Between National Implementations
NIS2 sets minimum floors — member states can and do exceed them. Several differences have material compliance implications for in-scope organisations.
Scope extensions above the NIS2 minimum: Germany’s NIS2UmsuCG covers approximately 30,000 entities versus the roughly 4,500 subject to the prior BSIG regime — a sixfold expansion driven by integrating NIS2 with the existing KRITIS critical infrastructure framework. Belgium extended scope beyond the directive’s 18 minimum sectors. France maintains a three-tier system with its existing “operators of vital importance” (OIV) framework sitting above the NIS2 baseline. Organisations that assumed they were out of scope under NIS1 should reassess their classification under each member state’s national law.
Supervisory structures vary significantly:
- Centralised model: Belgium (CCB), France (ANSSI), Finland (Traficom/NCSC-FI) — a single authority handles most sectors, simplifying supervisory contact
- Sectoral / decentralised model: Italy (ACN coordinates sector ministries), Netherlands (NCSC-NL + Agentschap Telecom + 10+ sector regulators), Denmark (CFCS + sector-specific bodies) — organisations must identify which authority covers their sector
- Shared competence: Spain (CCN-CERT handles public sector and sensitive industries; INCIBE handles private sector and SMEs)
The supervisory structure determines who audits your organisation, what evidence format they expect, and how enforcement is coordinated across sectors. For a multinational with operations in Italy and the Netherlands, supervisory contact may come from four or five different bodies across those two jurisdictions alone.
National security frameworks diverge: Member states have adopted different security reference frameworks for demonstrating compliance with NIS2’s Article 21 requirements. Belgium and Malta adopted the CyFun® framework; Hungary aligns to NIST SP 800-53; Germany operates through BSI sector-specific guidance; France published the ReCyF framework in March 2026; the Netherlands developed the CBw NIS2 Control Framework. Organisations with multi-jurisdiction footprints should map their controls to the most demanding framework — typically Germany’s BSI guidance or Belgium’s CyFun® — and verify coverage against country-specific requirements before registration.
Penalty ceilings: NIS2 sets minimum floors at €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities (Article 34). Member states can impose higher ceilings. Some align national penalty maxima to GDPR levels, creating potential for materially higher exposure in those jurisdictions. See our penalties guide for the jurisdiction-specific breakdown.
How to Use This Tracker: Registration Deadlines and Next Steps
This page is updated quarterly. For compliance decisions, always verify against the European Commission’s official transposition tracker and your national competent authority’s portal — both of which publish real-time updates not reflected in quarterly snapshots.
Five practical steps for using this data:
- Confirm your jurisdictions: List every EU member state where your organisation has an establishment or provides services to in-scope entities. NIS2’s primary establishment rule determines which competent authority has supervisory jurisdiction over you — it is not necessarily your country of incorporation.
- Check the entry-in-force date for each jurisdiction: Your obligations started on that date, not on October 17, 2024. Germany, Sweden, Estonia, and Poland all have dates in 2025–2026.
- Determine your registration window: If a deadline is listed as “closed,” contact the relevant authority directly rather than assuming you have missed your opportunity. Most authorities have a process for late self-identification.
- Apply the most stringent standard across all jurisdictions: design your Article 21 security programme to the tightest requirement set. A BSI-compliant programme will meet or exceed what other member state authorities require.
- Return quarterly: France and the Netherlands are the next major milestones to watch. When those laws enter force, their registration windows open and supervisory programmes activate.
For a step-by-step compliance action plan, see our NIS2 compliance checklist. For organisations building a programme from scratch, the 90-day SME roadmap provides a practical sequence of actions.
Frequently Asked Questions
Does NIS2 apply to my organisation if my country has not yet transposed it?
The NIS2 Directive itself has been legally in effect across the EU since October 18, 2024. Enforcement against individual organisations depends on national transposing legislation. The absence of a national law limits what your national authority can do against your organisation directly — but it does not eliminate risk if you have cross-border operations where other member states’ laws are in force.
Can the Commission fine my organisation for my country’s late transposition?
No. EU infringement proceedings under Articles 258–260 TFEU run between the Commission and the member state. Individual organisations are not parties to those proceedings and cannot be fined directly through this mechanism.
Can the Commission take a member state to the CJEU over NIS2?
Yes. Following a reasoned opinion, the Commission may refer a case to the Court of Justice of the European Union. The CJEU can impose lump-sum penalties and daily penalty payments on the member state until it complies. The Commission confirmed this option explicitly in its May 2025 reasoned opinion communications.
Which member states are the longest holdouts?
As of Q2 2026, France and Ireland have the most incomplete legislative processes — both with bills in parliamentary process and no promulgated national law. Both have designated competent authorities (ANSSI and NCSC Ireland respectively) operating under interim arrangements.
Italy registered entities by 180 days — what does “from scope trigger” mean?
The “scope trigger” is the date on which your organisation determines — or is formally identified by the competent authority — that you meet the threshold criteria for essential or important entity classification. The registration window runs from that date, not from the law’s entry into force. This distinction matters: if you have not yet formally assessed your classification, your registration window may not have started — but your security obligations under the law have.
Sources
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
- NIS2 Directive transposition in EU countries — European Commission
- Commission calls on 19 Member States to fully transpose the NIS2 Directive — European Commission (May 7, 2025)
- The Commission calls on 23 Member States to fully transpose the NIS2 Directive — European Commission (November 28, 2024)
- NIS2 Directive implementation in France — European Commission
- NIS2 Directive implementation in Ireland — European Commission
- NIS2 Directive implementation in the Netherlands — European Commission
- NIS2 Member State Tracker — Live Transposition Status — Matproof
- NIS 2 directive: transposition status and what companies must do — Wavestone
- NIS2 Country Transposition: What Varies and What’s Consistent — Glocert
