NIS2 Implementation Timeline: Where Does Every EU Country Stand?
The NIS2 Directive should have been transposed into national law by 17 October 2024. In practice, many EU member states missed this deadline. As of early 2026, the landscape looks very different depending on where you operate.
This article gives you an up-to-date overview of the implementation status across the EU — so you know exactly where your country stands and what deadlines apply to you.
Why the timeline matters
NIS2 is an EU directive, not a regulation. That means each member state must transpose it into its own national law. Until that happens, the specific national requirements, registration portals, supervisory authorities, and penalty structures are not final.
However — and this is critical — the EU directive itself has been in force since January 2023. Even if your country is behind on transposition, the direction is clear. Many organisations, especially those with cross-border operations, are already facing NIS2-level requirements from customers and partners in countries that have implemented the law.
Current status overview
NIS2 Implementation Status by Country (2025–2026)
- Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
- Adopted, late 2025 (3 countries): Germany, Czech Republic, Finland
- In progress, expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland
Detailed status per country
Note: This overview is based on publicly available information as of early 2026. National timelines can change. Always verify with your national competent authority for the most current status.
🇧🇪 Belgium — Fully in force
Belgium was one of the first EU countries to transpose NIS2. The law has been fully active since October 2024. The Centre for Cybersecurity Belgium (CCB) is the competent authority. Registration via the Safeonweb@work portal is mandatory — the deadline for initial registration has already passed.
Key details:
- Law: Loi NIS2 / NIS2-wet
- Authority: Centre for Cybersecurity Belgium (CCB)
- Registration: Via Safeonweb@work portal
- Status: Fully operational, enforcement active
🇩🇪 Germany — Adopted, enforcement starting
Germany passed its national implementation act, the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), in November 2025 after significant delays. The BSI (Bundesamt für Sicherheit in der Informationstechnik) is the competent authority.
Key details:
- Law: NIS2UmsuCG
- Authority: BSI (Federal Office for Information Security)
- Registration: Required by April 2026 at the BSI
- Status: Law adopted, registration phase underway
🇳🇱 Netherlands — In the Tweede Kamer
The Netherlands is transposing NIS2 through the Cyberbeveiligingswet (Cybersecurity Act). The legislative proposal was submitted to the Tweede Kamer in June 2025. Entry into force is expected in Q2 2026.
Key details:
- Law: Cyberbeveiligingswet (Cbw)
- Authority: Expected to be the RDI (Rijksinspectie Digitale Infrastructuur)
- Registration: Portal and deadlines to be announced after law takes effect
- Status: Parliamentary review, expected Q2 2026
- Self-assessment: The RDI has published a self-assessment tool to help organisations determine if the law applies to them
🇫🇷 France — In progress
France is working on its transposition but has not yet finalised the national law. ANSSI (Agence nationale de la sécurité des systèmes d'information) will be the competent authority. The law is expected in 2026.
Key details:
- Law: In preparation
- Authority: ANSSI
- Status: Transposition in progress, expected 2026
🇮🇹 Italy — Adopted
Italy adopted its legislative decree transposing NIS2 in 2024. The ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority. Implementation and enforcement are being rolled out progressively.
Key details:
- Law: Decreto Legislativo NIS2
- Authority: ACN (National Cybersecurity Agency)
- Registration: Underway via ACN portal
- Status: Adopted, implementation in progress
🇪🇸 Spain — In progress
Spain is still in the process of transposing NIS2. The CCN-CERT (Centro Criptológico Nacional) and INCIBE are expected to share supervisory responsibilities.
Key details:
- Law: In preparation
- Authority: CCN-CERT / INCIBE
- Status: Transposition in progress
🇵🇱 Poland — Draft in parliament
Poland has a draft law in parliamentary review. The law is expected to enter into force in 2026. NASK (Research and Academic Computer Network) is anticipated to play a key role in supervision.
Key details:
- Law: Draft Ustawa o Krajowym Systemie Cyberbezpieczeństwa (amendment)
- Authority: Expected NASK / Ministry of Digital Affairs
- Status: Parliamentary review, expected 2026
Other EU member states
| Country | Status | Expected timeline |
|---|---|---|
| Austria | In progress | 2026 |
| Croatia | In force | Active since 2024 |
| Czech Republic | Adopted late 2025 | Enforcement starting |
| Denmark | In progress | 2026 |
| Estonia | In progress | 2026 |
| Finland | Adopted late 2025 | Enforcement starting |
| Greece | In progress | 2026 |
| Hungary | In force | Active since 2024 |
| Ireland | In progress | 2026 |
| Latvia | In force | Active since 2024 |
| Lithuania | In force | Active since 2024 |
| Luxembourg | In progress | 2026 |
| Portugal | In progress | 2026 |
| Romania | In progress | 2026 |
| Slovakia | In progress | 2026 |
| Slovenia | In progress | 2026 |
| Sweden | In progress | 2026 |
What if you operate in multiple countries?
If your organisation has operations in more than one EU member state, you face additional complexity:
- You may need to register in each country where you have a significant presence
- The national competent authority differs per country
- Deadlines and registration portals are country-specific
- The specific penalties may vary based on national implementation
The NIS2 Directive does include provisions for cross-border cooperation between national authorities, but in practice, you need to track compliance in each relevant jurisdiction.
What should you do now?
Regardless of your country's specific transposition status, the recommended approach is the same:
- Don't wait for your national law — the 10 Article 21 measures are defined at EU level and won't change significantly in national transposition
- Identify your national authority — know who your supervisor will be and monitor their communications
- Start implementing the 10 measures — risk analysis, incident handling, business continuity, supply chain security, and the other Article 21 requirements
- Prepare for incident reporting — build the process for 24h / 72h / 1-month reporting before you're legally required to use it
- Brief your board — personal liability applies regardless of transposition status
Check your readiness now
Our free NIS2 quickscan assesses your organisation against all 10 Article 21 measure categories in just a few minutes — regardless of which country you're in. The measures are EU-wide, so the scan applies everywhere.
