NIS 2 directive: transposition status and what companies must do

Key Takeaways

The European NIS2 Directive (Network and Information Security 2) aims to strengthen cybersecurity and the resilience of essential and important entitites across the European Union, with increased obligations for risk management and incident reporting for numerous sectors (energy, healthcare, transportation, telecommunications, digital services, etc.).
Its transposition is progressing very unevenly among Member States, with varying levels of advancement.

The European NIS 2 Directive (Network and Information Security) must be transposed into the national law of each European Union Member State.

In response to increasingly sophisticated and well-equipped malicious actors targeting a growing number of entities that are too often insufficiently protected, NIS 2 reinforces the foundations laid by the original NIS Directive to strengthen overall cybersecurity. The European regulation significantly expands the scope of entities subject to the regulation, covering organizations of various sizes and sectors, from SMEs to large firms.

The diversity of this scope undoubtedly represents a major challenge for national authorities. In transposing NIS 2, they must address and specify multiple aspects:

Alignment with local regulations
Compliance timelines
Applicable security requirements
Entity registration procedures
Cybersecurity incident reporting mechanisms

To define this elements, authorities have adopted different approaches to the transposition process—ranging from public consultations to closed discussions, creating new cybersecurity standards versus leveraging existing market standards, and varying levels of communication, including online support tools for entities.

The majority of EU Member States have missed the transposition deadline set by the European Commission (EC) for October 17th, 2024. As a result, the Commission launched infringement procedures. Following the first wave of formal notices in November 2024, 19 Member States were issued reasoned opinions in May 2025, requiring them to finalize transposition or face possible sanctions.

As of today, 20 of the 27 Member States have officially completed the transposition of NIS 2 into national law. Meanwhile, the United Kingdom and Norway, both non-Eu countries, have also initiated work on the matter.

This article provides an overview of the state of NIS 2 transposition across EU Member States, updated as of January 1st, 2026. The progress scale used in this article has been updated compared to previous publications.

Discover where are European countries in transposing the CER directive.

NIS 2 transposition in Europe

This article, updated on January 1, 2026, presents the different levels of maturity of all European countries regarding the NIS2 Directive.

Maturity level 1:
First transposition efforts initiated. The countries concerned are: Ireland, Norway.
Maturity level 2:
Draft law under submission to legislative authorities. The countries concerned are: United Kingdom, Luxembourg, France, Spain, Netherlands, Poland, Bulgaria.
Maturity level 3:
Approved bill and cybersecurity framework not available yet. The countries concerned are: Sweden, Denmark, Austria, Portugal, Malta, Finland, Estonia, Romania, Cyprus.
Maturity level 4:
Approved bill with finalized cybersecurity framework. The countries concerned are: Belgium, Germany, Italy, Hungary, Greece, Czech Republic, Slovakia, Slovenia, Latvia, Lithuania, Croatia.

NIS2 Directive - Maturity levels - jan2026

Countries with a maturity level 4

NIS2 Directive - Maturity level 4 countries (part1) - jan2026 — This map, updated on January 1, 2026, shows the **level 4 maturity countries that have an approved draft law and a cybersecurity framework available in its final version**. The countries concerned are: Belgium, Germany, Italy, Hungary, Greece, Czech Republic, Slovakia, Slovenia, Latvia, Lithuania, Croatia.

**Belgium:**

The transposition came into force on October 18th, 2024.

The entities concerned were required to register with the CCB before March 18th, 2025.

They must comply with the requirements of the CyFun® framework or the ISO 27001 standard within 18 to 30 months from the confirmation of their eligibility.

In October 2025, the CCB published an updated version of the CyFun® framework.

**Germany:**

A draft law came into force on December 6th, 2025.

Regarding the applicable security framework, the BSI has not published a single framework specifically dedicated to NIS 2 but instead refers to existing sectoral regulations. For sectors not covered, entities are free to choose the cybersecurity framework to apply.

**Italy:**

The legislative decree n°138, transposing NIS 2, came into force on October 16th, 2024.

The entities concerned had until February 28th, 2025, to register on the ACN services portal.

The ACN published the cybersecurity framework in April 2025, which must be implemented within 18 months.

In December 2025, Italy issued administrative decisions detailing the procedures for entity registration and incident reporting.

**Hungary:**

The Cybersecurity Act XXII, effective since May 2023, has been complemented with additional regulations following a formal notice from the European Commission for incomplete transposition. The act LXIX therefore came into force in January 2025 and was supplemented in July by the law XXXII.

Following this update, a postponement of the compliance deadlines was announced. Entities now have until August 2025 to select an audit body and until June 2026 to carry out the audit.

The cybersecurity framework is based on the NIST SP 800-53 framework. Entities are required to comply with these requirements by January 2027.

**Greece:**

The law n° 5160/2024, transposing the NIS 2 directive, came into force on November 27th, 2024.

The registration of entities was extended until September 30th, 2025, and must be carried out via the NCSA digital platform.

On May 6th, 2025, a cybersecurity framework composed of 22 topics was published in the Official Journal.

NIS2 Directive - Maturity level 4 countries (part2) - jan2026 — This map, updated on January 1, 2026, shows the **level 4 maturity countries that have an approved draft law and a cybersecurity framework available in its final version**. The countries concerned are: Belgium, Germany, Italy, Hungary, Greece, Czech Republic, Slovakia, Slovenia, Latvia, Lithuania, Croatia.

**Czech Republic:**

The law n°759 implementing NIS 2 was published in the Collection of Laws in August 2025. The text came into effect on November 1st , 2025.

The entities concerned must submit their registration request to NÚKIB within 60 days following the entry into force of the law.

Two implementing decrees published in October 2025 specify, respectively, the cybersecurity measures for EE and EI.

**Slovakia:**

The amendment to the cybersecurity law n° 69/2018, transposing the NIS 2 Directive, came into force on January 1st, 2025.

The entities concerned must declare themselves to the National Security Authority (NBU) via a digital portal.

On September 1st, decrees n° 226/2025 and n° 227/2025 came into effect, specifying the minimum cybersecurity requirements.

**Slovenia:**

Following a formal notice from the European Commission, Slovenia initiated an emergency procedure that led, in May 2025, to the adoption of the Information Security Act ZInfV-1. This law, transposing NIS 2, came into force on June 19th, 2025.

The companies must register by sending an email to the Government Office, pending the implementation of an official platform.

A framework, annexed to the ZInfV-1 law, defines the cybersecurity requirements applicable to the entities.

**Latvia:**

The national cybersecurity law came into force on September 1st, 2024.

The entities concerned were required to register with the NCSC before April 1st, 2025.

On July 2nd, 2025, the regulation defining the Minimum Cybersecurity Requirements came into effect.

**Lithuania:**

The cybersecurity law n° XII-1428 came into force on October 17th, 2024.

The entities concerned were directly identified by the National Cybersecurity Center (NKSC).

The cybersecurity framework, defined by the government resolution of November 12th, 2024, consists of 12 topics. From their registration in the official register, entities have 12 months to implement the general requirements and 24 months to implement the technical requirements.

**Croatia:**

The Croatian Cyber Security Act (CSA, or Zakon o kibernetičkoj sigurnosti No. 14/2024) came into force on February 15th , 2024.

A complementary regulation (NN135/2024) has enhanced the transposition by specifying incident notification procedures and cybersecurity requirements.

Entities covered by NIS 2 were directly notified by the competent sectoral authorities in spring 2025.

On March 3rd, 2025, the National Cybersecurity Center (NHCSC-HR) published several guidelines intended for sectoral authorities and entities to facilitate the implementation of the regulation.

Countries with a maturity level 3

NIS2 Directive - Maturity level 3 countries - jan2026 — This map, updated on January 1, 2026, shows the **level 3 maturity countries that have an approved draft law but do not have a cybersecurity framework available**. The countries concerned are: Sweden, Denmark, Austria, Portugal, Malta, Finland, Estonia, Romania, Cyprus.

**Sweden:**

On December 10th, 2025, the parliament approved the new cybersecurity law aimed at incorporating NIS 2.

Its entry into force is scheduled for January 15th, 2026.

**Denmark:**

The NIS 2 Directive was transposed through a main cross-sectoral law, supplemented by sector-specific laws for finance, energy, and telecommunications. These texts entered into force progressively until July 1st, 2025.

The entities concerned were required to register no later than October 1st, 2025, on the national Virk platform.

The CFCS published various guidelines to support entities in their compliance efforts.

**Austria:**

On December 23rd, 2025, the Austrian government officially published the NIS 2 transposition law, called NISG 2026.

This law will enter into force 9 months after its publication on October 1st, 2026.

**Portugal:**

On December 4th, 2025, the government officially published Decree-Law n.º 125/2025, which transposes NIS 2 into Portuguese law.

**Malta:**

On April 8th, 2025, the NIS 2 Ordinance (Legal Notice 71 of 2025) was published in the Official Journal, marking its entry into force.

Its practical implementation depends on forthcoming decisions by the Malta Critical Infrastructure Directorate regarding registration procedures and cybersecurity requirements. However, the CyFun® framework developed by Belgium was recognized by Malta.

**Finland:**

The Cybersecurity law came into force on April 8th, 2025.

Entities covered by NIS 2 were required to register with their competent sectoral authority before May 8th, 2025.

On April 8th, 2025, an initial cybersecurity framework intended for supervisory authorities was published. These authorities must adapt it to the specificities of their sector.

**Estonia:**

On December 18th, 2025, the bill amending the 2018 Cybersecurity Law was approved by the President following parliamentary validation.

It came into force on January 1st, 2026.

**Romania:**

NIS 2 was transposed through Emergency Ordinance n° 155/2024, which came into effect in January 2025, and through laws n° 52/2025 and n° 124/2025, which came into effect in July 2025.

The entities concerned were required to submit their registration notification to the DNSC before September 19th, 2025.

No NIS 2 cyber framework specific to Romania has been shared. However, the CyFun® framework developed by Belgium was recognized by Romania.

**Cyprus:**

The law amending the existing cybersecurity framework to incorporate NIS 2 came into force on April 25th, 2025.

The registration procedures for the entities concerned will be defined by the Digital Security Authority (DSA), which has provided a self-assessment tool allowing entities to verify their eligibility.

Countries with a maturity level 2

Countries with a maturity level 1

NIS2 Directive - Maturity level 1 countries - jan2026 — This map, updated on January 1, 2026, shows the level 1 maturity countries that have initiated initial transposition work. The countries concerned are: Ireland, Norway.

**Ireland:**

The transposition process has been delayed mainly because of the 2024 general elections, which disrupted the legislative calendar.

The bill remains among the government’s legislative priorities, while designated operators continue to follow NIS 1 framework.

Ireland has joined the CyFun®, originally developed in Belgium, as a scheme co-owner. It recommends to entities to use this framework.

**Norway:**

Although Norway is not an EU Member State, it transposed certain EU directives.

In late 2023, it adopted a law built on the NIS 1 framework.

The Ministry of Justice and Public Security has confirmed plans to incorporate the NIS 2 Directive into national law.

Focus on selected European countries

Germany

Maturity Level: 4

The NIS 2 bill was approved a first time by the German Federal Government on July 24th, 2024. However, due to early elections, the parliamentary process could not be completed. Following the formation of the new government in May 2025, a revised version of the text was published. This updated draft was approved by both the Bundestag and the Bundesrat in November 2025 and entered into force on December 5th, 2025. Regarding the applicable cybersecurity framework, BSI has not published a single dedicated reference but instead refers to existing sector-specific regulations. For sectors not covered, entities are free to choose which cybersecurity framework to apply.

Key Stages:

November 13th, 2025: Adoption of the draft law by the Parliament (Bundestag).
November 21st, 2025: Adoption of the draft law by the Federal Council (Bundesrat).
December 5th, 2025: Publication of the law in the Official Journal.
December 6th, 2025: Entry into force of the law.

National Specificities:

The BSI Act, adopted in 1991, grants the BSI the mandate to ensure the security of information systems.
The IT Security Act, enacted in 2015 and updated in 2021 through IT Security Act 2.0, extends the BSI’s responsibilities and impose security measures on operators of critical infrastructures. In parallel, the KRITIS regulation identifies a list of critical sectors within the German economy (energy, water, food, healthcare, etc.) and strengthens the security measures to be applied by these entities.
The BSI has not published one single standard dedicated to NIS 2 but rather refers to existing regulations and standards:
- If the entity is subject to sector-specific regulations, it must apply the framework associated with those regulations.
- Entities not subject to this type of regulation can choose the framework that suits them.
The BSI recommends certain frameworks such as ISO 27001, BSI-400, or the B3S sectorial frameworks.

Competent Authority(ies):

BSI (Bundesamt für Sicherheit in der Informationstechnik)

Belgium

Maturity Leve: 4

The transposition law of the NIS 2 entered into force in October 2024. The entities concerned were required to register with the CCB by March 18th, 2025. A period of 18 to 30 months from the notification of their eligibility by the CCB is granted to entities to comply with cybersecurity requirements, either by following the Cyfun® framework or by adopting the ISO/IEC 27001 standards. In addition, an updated version of Cyfun® was published in October 2025. As of April 18th, 2027, it will replace the previous 2023 version.

Key Stages:

November 10th, 2023: The Belgian Council of Ministers approved the draft bill of the European Directive in its first reading.
November 16th, 2023 – December 21st, 2023: The CCB organized a public consultation on this first draft.
March 27th, 2024: The draft bill was approved by the Internal Affairs Committee of the Chamber of Representatives.
April 26th, 2024: The NIS 2 law was adopted in a plenary session by the Chamber of Representatives and published in the Belgian Official Gazette on May 17th, 2024. Official name of the law: “Law establishing a framework for the cybersecurity of networks and information systems of general interest for public security”.
June 9th, 2024: A Royal Decree implementing the law has been published. This decree specifies the practical arrangements for the implementation of the law. The modalities for regular assessments of entities (mandatory for Essential Entities and voluntary for Important Entities) and the conditions for accrediting supervisory bodies.
October 18th, 2024: Entry into force of the law.
March 18th, 2025: Deadline for entity registration: 1,500 Essential Entities and 2,500 Important Entities have been registered.
October 1st, 2025: An updated version of the Cyfun® framework, called Cyfun®2025 has been published. This version incorporates NIST CSF 2.0. Governance-relates measures have been further developed. In total, 23 new obligations have been added and 24 have been removed compared to the previous version. As of April 18th, 2027, only the new version will be accepted for self-assessments and compliance evaluations.

National Specificities:

The CyFun® offers four assurance levels (Small, Basic, Important, Essential) and is accompanied by four tools:
- Self-Assessment Tool: a questionnaire based on the CyFun mapping to check whether an entity meets the targeted security level.
- CyFun® Selection Tool: helps assess of sector-specific risks and determine the compliance level required (risk analysis tool).
- Security Policy Templates: provide a starting point for entities with limited cybersecurity experience.
- CyberFundamentals Framework mapping: gives an overview of requirements and shows how they align with other industry frameworks.
The CyFun® framework has been recognized by several European countries, including Romania, Malta, and Ireland.
Entities opting fro the ISO/IEC 27001 standard must submit their scope and Statement of Applicability (SoA) to the CCB by April 2026 and obtain certification by April 2027. Direct inspections by the CCB remain possible.
In Belgium, 1,500 essential entities and 2,500 important entities have registered.

Competent Authority(ies):

CCB (Center for Cybersecurity Belgium )

France

Maturity Level: 2

The Resilience Bill, which includes the transposition of NIS 2, REC and DORA, was presented to the Council of Ministers on October 15th, 2024. The Senate adopted it on March 12th, 2025, and it is currently being examined by the National Assembly. The ANSSI shared a temporary cybersecurity measures framework with certain stakeholders and during consultations. A pre-registration platform was also launched in November 2025.

Key Stages:

ANSSI has opted for a participatory approach, involving key players in the sector, including industry federations such as UFE (Union Française de l’Electricité), cybersecurity associations (CLUSIF, CESIN) and qualified service providers (PASSI, PRIS, PDIS etc.).
The consultation phase covered 3 themes:
- The scope of entities covered by the law
- The methods of interaction between ANSSI and the entities subjects to the law
- Cybersecurity requirements
October 15th, 2024: A bill on the “Resilience of critical infrastructure and the strengthening of cybersecurity” is presented to the Council of Ministers. The bill is divided into three parts, each addressing one regulation (NIS 2, REC, DORA).
March 12th, 2025: The bill is adopted by the Senate after its examination during the public sessions held on March 11th and 12th.
April 2025: The National Assembly designated rapporteurs to examine the Resilience Bill, with one assigned to each part of the bill (NIS 2, REC, DORA).
May–July 2025: A special committee of the National Assembly held hearing with various stakeholders (ANSSI, SGDSN, CNIL, etc.) which ended on July 15th, 2025, with the hearing of ANSSI’s Director General, Vincent Strubel.
September 9th – 11th, 2025: The Special Committee in the National Assembly reviewed the bill and adopted 245 amendments.
November 24th, 2025: ANSSI has launched its pre-registration platform for NIS 2 entities, with the aim of simplifying the future mandatory registration process.

Next Stages:

This bill is scheduled to go before the National Assembly in a plenary session starting January 2026, although the exact timeline remains uncertain.

National Specificities:

ANSSI plans to set up several online help tools, some of which are available in beta version:
- A tool for assessing an organization’s eligibility for NIS2
- A support service for implanting a security approach
- A tool for managing security measures
- A pre-registration platform

Competent Authority(ies):

ANSSI (French National Agency for Information Systems Security)

United-Kingdom

Maturity Level: 2

Although the UK is not covered by the NIS 2 Directive post-Brexit, it plans to update its cybersecurity rules, currently based on the UK’s implementation of NIS 1. A new bill, the Cyber Security and Resilience Bill, is currently under development and was submitted for its first reading in Parliament in November 2025. The bill aims to modernize and broaden the regulatory framework to better address today’s cybersecurity challenges. Inspired by NIS 2 while maintaining a certain independence, the bill is expected to come into effect progressively in 2026.

Key Stages:

2018: While part of the EU, the UK implemented the NIS1 Directive into its national legislation. For each relevant sector, a competent authority (NIS Regulator) was designated, and sector-specific security guidelines were published.
2022: Following a public consultation on ways improving the UK’s cyber resilience, the Government has announced its intention to update NIS regulations to strengthen national cybersecurity.
July, 2024: The Government reaffirms its commitment to updating the UK’s existing cybersecurity regulations, inherited from the EU (including NIS 1), through a bill focused on cybersecurity and resilience.
April, 2025: The UK Government has announced that the Cyber Security and Resilience Bill will be introduced in Parliament in 2025.
November 12th, 2025: Parliament has held the first reading of the Cyber Security and Resilience Bill.
January 6th, 2025: The bill has passed its second reading and is now due for committee stage in Parliament.

Next Stages:

Following its second reading, the bill will proceed to the committee stage, with potential entry into force sometime in 2026.

National Specificities:

The Cyber Security and Resilience Bill introduces key changes, including:
- Expanding the scope to cover digital service providers (such as cloud providers, online marketplaces, and search engines), adding two essential services (data centers and load controllers), and granting authorities the ability to designate certain actors– including SMEs–as essential providers based on their potential impact within their sector.
- Strengthening regulator’s powers and providers greater regulatory flexibility to adapt to emerging threats and technological developments.
- Improving the reporting of cybersecurity incidents to the authorities.

Competent Authority(ies):

DSIT (Department for Science, Innovation and Technology)
1 regulator per business sector

Luxembourg

Maturity Level: 2

Bill 8364 for transposition was submitted to the Chamber of Deputies on March 13th, 2024. The Council of State issued its opinion along with several recommendations in October 2024. The Luxembourg Regulatory Institute (ILR) has organized several information sessions, and implementation is expected in early 2026.

Key Stages:

May 2024: A bill has been submitted to the Chamber of Deputies.
April 2024: The ILR organized a public information session, followed by a second session in September 2024.
July, 2024: The Chamber of Commerce has issued its opinion on the bill, recommending the exclusion of craft businesses and emphasizing entities’ financial assistance.
October, 2024: The Council of State delivered its opinion on the bill, making 25 recommendations. These include a call for coordination with the Directive on the Resilience of Critical Entities, a warning about potential divergences between ILR and CSSF (the financial sector supervisor) and emphasizes the importance of clarifying the entity procedures.
December, 2024: The Chamber of Trades has published its opinion on the bill.
March 13th, 2025: The Government released an amendment to the bill.
December, 2025: The Council of State issued a complementary opinion, partially validating the amendments to the NIS 2 bill (PL 8364), while requesting adjustments.

Next Stages:

The bill is awaiting adoption by the Chamber of Deputies. Once adopted, it will be promulgated and published in the Official Journal.

National Specificities:

During the 4th NISDUC Conference held on May 6th-7th, 2025 and organized by ILR, it was announced that transposition is expected by early 2026, with no major changes compared to the draft bill.

Competent Authority(ies):

ILR (Luxemburg Regulatory Institute)

Italy

Maturity Level: 4

The legislative decree transposing the NIS 2 Directive has entered into force on October 16th, 2024. Since April, 2025, Italy has entered the second phase in implementing NIS 2, marked by the publication of various administrative decisions and complementary guidelines. These documents clarify practical aspects of compliance for entities, including registration, cybersecurity frameworks, and procedures for reporting cybersecurity incidents.

Key Stages:

June 10th, 2024: The Council of Ministers has approved the draft legislative decree for the transposition of NIS 2.
August 7th, 2024: The Government has given its final approval to the bill and published in the Official Journal on October 1st, 2024.
October 16th, 2024: Entry into force of the bill.
November 26th, 2024: ACN has launched its portal for entities to register.
April, 2025: ACN has issued administrative decisions to clarify the modalities linked to the NIS 2 law:
- Decision No.164179, which defines the minimum security requirements for Essential and Important Entities, and specifies the criteria for characterizing a significant incident.
- Decision No.136117, which specifies the conditions for accessing the ACN portal, the designation of the point of contact, and the annual data update.
December, 2025, two additional administrative decisions have been adopted. These complement or update existing decisions.

Next Stages:

Between January 1st – February 28th, 2026, all entities must register via the ACN portal.
Starting January 1st, 2026, entities must report their major incidents to CSIT Italia.
Between April 15th – May 31st, an annual update of their information must be done.

National Specificities:

Beyond the essential (Annex 1) and important (Annex 2) sectors, the bill outlines two additional categories:
- Public administrations at central, regional, and local levels, along with other public entities (Annex 3).
- Other entities, including providers of local public transport services and educational institutions conducting research (Annex 4).

Competent Authority(ies):

ACN (National Cybersecurity Agency)

Want to ensure your organization is NIS2-ready?

Let’s map your next steps and assess your readiness

NIS 2: Where are European countries in transposing the directive? [updated January 2026]

Key Takeaways

NIS 2 transposition in Europe

Countries with a maturity level 4

Countries with a maturity level 3

Countries with a maturity level 2

Countries with a maturity level 1

Focus on selected European countries

Germany

Belgium

France

United-Kingdom

Luxembourg

Italy

Want to ensure your organization is NIS2-ready?

Contact us

Interested in connecting with us?

Insurance
Banking
Energy & Utilities
Automotive & Industry
Retail, Beauty & Luxury
Life Sciences
Government & International Institutions
Sustainability
Cybersecurity
Data & AI
SAP Consulting
IT Strategy & CTO Advisory
Compliance & Resilience
Corporate Finance & HR, Risk & Procurement
Core-Business Software Development
Supply Chain
Industry 4.0 & IoT
Customer Experience
Change Management
Operating Model Design & Agility
Sourcing & Services Optimization
Technology-driven Transformation
Regulation & Risk