# NIS2 Implementation Status by Country

**Canonical URL:** https://www.nis2pro.com/status  
**Last reviewed:** April 2026  
**Source:** NIS2 Pro regulatory research team

---

## Overview

The NIS2 Directive required all EU member states to transpose it into national law by 17 October 2024. Most member states missed this deadline. On 7 May 2025, the European Commission issued reasoned opinions to 19 member states for failing to notify complete transposition. As of April 2026, transposition is at various stages across the EU.

### Status Definitions

- **Fully Notified:** National transposition adopted and no open Commission reasoned opinion about incomplete notification.
- **Adopted:** National transposition law adopted or published, but the Commission has requested further information or notification completeness is still being confirmed.
- **Draft:** Legislative process ongoing; no final national law published.

---

## Implementation Status — All 27 EU Member States

### Austria
- **Status:** Adopted
- **Competent Authority:** Federal Ministry of the Interior (BMI) / Bundesamt für Cybersicherheit (operational 1 October 2026)
- **Key Dates:** NISG 2026 promulgated 23 December 2025; enters into force 1 October 2026; entity registration deadline 1 January 2027.
- **Notes:** Notification completeness under Commission review.

### Belgium
- **Status:** Fully Notified
- **Competent Authority:** Centre for Cybersecurity Belgium (CCB) — CyFun® / Safeonweb@Work
- **Key Dates:** NIS2 Law in force 18 October 2024; registration via Safeonweb@Work closed 18 March 2025; CyFun® self-assessment or ISO 27001 SoA deadline 18 April 2026 (passed); full certification by 18 April 2027.

### Bulgaria
- **Status:** Adopted
- **Competent Authority:** Multiple national competent authorities (Ministry of Defence, Ministry of Interior, State Agency for National Security); Minister of e-Government maintains national register.
- **Key Dates:** Cybersecurity Act amendments in force 17 February 2026; reduced sanctions for breaches before 1 June 2026; Council of Ministers designation methodology due ~17 August 2026.

### Croatia
- **Status:** Fully Notified
- **Competent Authority:** Security and Intelligence Agency (SOA) — National Cybersecurity Center (NCSC-HR); CERT.hr (CARNET) for incident reporting; autonomous sector supervisors (HNB, HANFA, HACZ).
- **Key Dates:** Cybersecurity Act (NN 14/2024) in force 15 February 2024 — among the earliest EU transpositions; Cybersecurity Regulation (NN 135/2024) in force 30 November 2024.
- **Notes:** National deviations include Education sector, biennial self-assessment for important entities, and stricter technical controls.

### Cyprus
- **Status:** Adopted
- **Competent Authority:** Digital Security Authority (DSA) as primary; Commissioner of Communications also designated.
- **Key Dates:** Law 60(I)/2025 enacted 10 April 2025, in force 25 April 2025.
- **Notes:** National deviations include a 6-hour early warning deadline (stricter than the Directive's 24-hour requirement) and a DSA-led entity identification model (no self-registration).

### Czech Republic
- **Status:** Adopted
- **Competent Authority:** National Cyber and Information Security Agency (NUKIB)
- **Key Dates:** Act on Cybersecurity No. 264/2025 in force 1 November 2025; self-identification via NÚKIB portal (registration deadline 31 December 2025 for in-scope entities); 12-month compliance window from registration decision.
- **Notes:** Essential entities must report all cyber-origin incidents (stricter than Directive); NÚKIB empowered to restrict insecure supply chain vendors for strategically important entities.

### Denmark
- **Status:** Adopted
- **Competent Authority:** Ministry for Societal Resilience and Contingency (MSSB) — coordinator; sector regulators (Danish Energy Agency, Finanstilsynet, telecom regulators); CFCS — National CSIRT.
- **Key Dates:** NIS2 Act (L 141) in force 1 July 2025 with no transitional grace period; self-registration via Virk.dk (deadline 1 October 2025 — passed).
- **Notes:** Minimum transposition (no gold-plating); direct administrative fines not available (sanctions follow criminal prosecution); personal management liability not transposed (governed by Danish Companies Act).

### Estonia
- **Status:** Fully Notified
- **Competent Authority:** Estonian Information System Authority (RIA)
- **Key Dates:** Amended Cybersecurity Act in force 1 January 2026; self-registration via RIA deadline ~1 April 2026 (passed); governance controls by 1 January 2027; full technical compliance and first audits by 1 January 2028.
- **Notes:** Scope expanded from ~3,500 to ~6,500 entities; research institutions added as national sector.

### Finland
- **Status:** Fully Notified
- **Competent Authority:** Traficom (NCSC-FI) — coordinator; sector authorities supervise.
- **Key Dates:** Cybersecurity Act (124/2025) in force 8 April 2025; registration deadline 8 May 2025 and risk management deadline 8 July 2025 both passed.
- **Notes:** Decentralised supervision across seven sector-specific authorities; public sector entities cannot be fined; financial sector excluded (covered by DORA).

### France
- **Status:** Draft
- **Competent Authority:** ANSSI (French National Agency for Information Systems Security)
- **Key Dates:** Loi Résilience cleared Senate 12 March 2025 and National Assembly special committee 10 September 2025; final vote and promulgation pending, expected H1–H2 2026 (not yet enacted as of April 2026).
- **Notes:** EC reasoned opinion issued 7 May 2025. ANSSI's MonEspaceNIS2 pre-registration portal already live; ~15,000–18,000 entities expected in scope across 18 sectors.

### Germany
- **Status:** Fully Notified
- **Competent Authority:** Bundesamt für Sicherheit in der Informationstechnik (BSI)
- **Key Dates:** NIS2UmsuCG in force 6 December 2025 with no transitional period; BSI registration deadline 6 March 2026 (passed).
- **Notes:** Scope expanded from ~4,500 to ~29,000–30,000 entities; two-step BSI portal/Mein Unternehmenskonto (MUK) registration; mandatory 3-yearly management cybersecurity training.

### Greece
- **Status:** Fully Notified
- **Competent Authority:** National Cybersecurity Authority (NCSA)
- **Key Dates:** Law 5160/2024 in force 28 November 2024; registration deadlines (28 March 2025 for digital infrastructure; 30 September 2025 general) passed; NCSA audits commenced Q4 2025.
- **Notes:** Mandatory ICSSO appointment (incompatible with DPO role); supplemented by MD 1645/2025 (registration) and MD 1689/2025 (22-topic security framework).

### Hungary
- **Status:** Adopted
- **Competent Authority:** SZTFH (primary) / NKI/NCSC (CSIRT)
- **Key Dates:** Act LXIX of 2024 in force 1 January 2025; first cybersecurity audit deadline 30 June 2026.
- **Notes:** Banking, financial market infrastructure, and public administration excluded from scope; EC reasoned opinion 7 May 2025 — Commission assessment ongoing.

### Ireland
- **Status:** Draft
- **Competent Authority:** National Cyber Security Centre (NCSC-IE)
- **Key Dates:** National Cyber Security Bill 2024 not yet enacted as of April 2026; Ireland subject to European Commission infringement proceedings.
- **Notes:** NIS1 (S.I. 360 of 2018) continues to apply; federated supervisory model proposed (NCSC lead + CRU, ComReg, Central Bank of Ireland); enactment and registration portal expected during 2026.

### Italy
- **Status:** Fully Notified
- **Competent Authority:** Italian National Cybersecurity Authority (ACN) + sector regulators
- **Key Dates:** Legislative Decree No. 138/2024 in force 16 October 2024; mandatory incident reporting to ACN/CSIRT Italia since 1 January 2026; full compliance with security measures required by 1 October 2026.
- **Notes:** Expanded scope via national Annexes III & IV (central government bodies, local public transport, cultural-interest entities); safeguard clause for ICT-independent group subsidiaries.

### Latvia
- **Status:** Fully Notified
- **Competent Authority:** National Cybersecurity Centre (NCSC) — Ministry of Defence with CERT.LV; Constitution Protection Bureau for critical ICT infrastructure.
- **Key Dates:** National Cybersecurity Law in force 1 September 2024; Cabinet Regulation No. 397 in force 2 July 2025.
- **Notes:** Entities must appoint a cybersecurity manager and classify systems into three tiers (A/B/C); annual ICT security reviews required.

### Lithuania
- **Status:** Fully Notified
- **Competent Authority:** National Cyber Security Centre (NCSC)
- **Key Dates:** Amended Law on Cybersecurity in force 18 October 2024; NCSC notified initial register of 1,443 entities ~17 April 2025; organisational measures deadline ~17 April 2026; technical measures deadline ~17 April 2027.
- **Notes:** Expanded scope includes local public administration, critical R&D entities, and electronic information hosting providers; essential entities must undergo triennial independent conformity assessment.

### Luxembourg
- **Status:** Draft
- **Competent Authority:** ILR (proposed) / CSSF (financial, proposed); HCPN coordination
- **Key Dates:** Bill 8364 introduced 13 March 2024; not yet enacted as of April 2026; missed EU deadline; enactment expected during 2026.
- **Notes:** Proposed expanded scope of ~6,000–8,000 entities; SERIMA platform launched by ILR; NIS1 framework still applies.

### Malta
- **Status:** Fully Notified
- **Competent Authority:** CIPD (primary) / MCA (digital + postal); CSIRT Malta (incidents)
- **Key Dates:** Legal Notice 71 of 2025, published 8 April 2025; fully in force 23 January 2026 via L.N. 22 of 2026; first formal audits expected H2 2027.
- **Notes:** Entities must self-register with CIPD and designate an internal/autonomous CSIRT.

### Netherlands
- **Status:** Draft
- **Competent Authority:** Sector-specific competent authorities (proposed under Cbw); NCSC (CSIRT)
- **Key Dates:** Cyberbeveiligingswet (Cbw) submitted to Tweede Kamer 4 June 2025; not yet enacted as of April 2026; entry into force expected Q2 2026.
- **Notes:** Multi-regulator supervisory model; incident reporting creates dual obligation (NCSC + sector authority); voluntary registration via mijn.ncsc.nl active since 17 October 2024.

### Poland
- **Status:** Fully Notified
- **Competent Authority:** Ministry of Digital Affairs (lead) / sectoral ministries; CSIRT GOV, NASK, MON (incidents)
- **Key Dates:** Amendment to UKSC in force 3 April 2026; registration by 3 October 2026; full ISMS by 3 April 2027; first audit by 3 April 2028.
- **Notes:** Mandatory ISMS (ISO 27001 + ISO 22301); biennial audit; non-delegable board training and personal liability; elevated penalties up to PLN 100 million (~€24 million).

### Portugal
- **Status:** Fully Notified
- **Competent Authority:** CNCS (lead) / sectoral and special supervisory authorities; Crisis Office (coordination)
- **Key Dates:** Decree-Law No. 125/2025 in force 3 April 2026; mandatory cybersecurity officer due 4 May 2026; registration 60 days from CNCS platform launch (date TBC); major obligations apply 24 months after CNCS implementing regulations are published.
- **Notes:** Group A / Group B classification for public entities; mandatory permanent 24/7 CNCS point of contact.

### Romania
- **Status:** Fully Notified
- **Competent Authority:** National Cybersecurity Directorate (DNSC)
- **Key Dates:** GEO 155/2024 in force 31 December 2024; DNSC Orders in force 20 August 2025; initial entity registration deadline ~19 September 2025 (passed).
- **Notes:** Four-step compliance chain: registration → risk-level self-assessment → maturity self-assessment (within 60 days) → remediation plan (within 30 days); mandatory designation of person responsible for cybersecurity; extended scope includes pharmaceutical supply chain and retail pharmacies.

### Slovakia
- **Status:** Fully Notified
- **Competent Authority:** NBÚ (lead) / sector ministries; SK-CERT (incidents)
- **Key Dates:** Act No. 366/2024 in force 1 January 2025; registration deadline ~1 March 2025 (passed); full compliance with all obligations required by 31 December 2026.
- **Notes:** Supply-chain third parties explicitly regulated as direct entities (beyond Directive minimum); framework aligned with ISO 27000 family.

### Slovenia
- **Status:** Fully Notified
- **Competent Authority:** URSIV (lead/NCC-SI/SPOC); SI-CERT (private) / SIGOV-CERT (government)
- **Key Dates:** Information Security Act (ZInfV-1) in force 19 June 2025; URSIV registration deadline 19 December 2025 (passed); risk-management deadlines: 19 June 2026 (prior ZInfV essential service providers) / 19 December 2026 (all other essential/important entities).
- **Notes:** Scope extended to research and higher-education institutions; ISMS + BCMS mandatory; compliance assessment by accredited CAB at least every 2 years for essential entities.

### Spain
- **Status:** Draft
- **Competent Authority:** CNC (proposed lead/SPOC); CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (defence)
- **Key Dates:** Anteproyecto de Ley approved by Council of Ministers 14 January 2025; pending parliamentary debate as of April 2026; existing NIS1 framework (RD-Law 12/2018) continues to apply.
- **Notes:** Expanded scope to include universities, research centres, large municipalities, private security companies, and entities with national defence implications. Tiered fine structure proposed.

### Sweden
- **Status:** Fully Notified
- **Competent Authority:** MSB/MCF (lead/coordinator/SPOC/CSIRT); PTS (digital sectors); sector authorities
- **Key Dates:** Cybersäkerhetslagen (SFS 2025:1506) in force 15 January 2026; registration deadline 16 February 2026 (passed); all obligations apply immediately from 15 January 2026 with no general grace period.
- **Notes:** MSB renamed to MCF (Myndigheten för civilt försvar) from 1 January 2026; trust service providers must submit both early warning and incident notification within 24 hours (deviation from 72-hour standard); time-limited prohibition on holding management functions possible for essential-entity board members.

---

## Key Cross-EU Implementation Notes

### Missed Deadline
All 27 member states were required to transpose NIS2 by 17 October 2024. Most missed this deadline. On 7 May 2025, the European Commission issued reasoned opinions to 19 member states for failing to notify full transposition.

### Penalty Ranges (EU-Wide)
- Essential entities: Up to €10 million or 2% of total worldwide annual turnover (whichever is higher)
- Important entities: Up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher)
- Some member states (e.g., Poland) have enacted higher national maximums

### Enforcement Status (as of mid-2026)
- 16 member states: Fully Notified — supervision and enforcement active
- 6 member states: Adopted — national law in force, full Commission notification pending
- 5 member states: Draft — legislation still pending

### Proactive Compliance Recommended
Even in member states with Adopted or Draft status, NIS2 obligations will apply upon enactment. Organisations are strongly advised to begin compliance preparation now rather than waiting for final national enforcement mechanisms.

---

## Links

- [Country & Sector Guides →](https://www.nis2pro.com/guides)
- [Start NIS2 Compliance Assessment →](https://app.nis2pro.com/signup)
- [FAQ →](https://www.nis2pro.com/faq)
