Patroklos PatroklouEU member states were required to transpose the NIS2 Directive (EU) 2022/2555 into national law by 17 October 2024 and apply it from 18 October 2024. As of June 2026, roughly two-thirds of the 27 member states have completed transposition; several are still in active legislative process; a small number have technically transposed but the implementing legislation is delayed in entry-into-force. This tracker collates the current status, the national CSIRT or competent authority for reporting, the maximum fine ceilings (which member states are free to set above the directive’s minimums), and the operational deviations that matter when you operate across multiple EU jurisdictions.
For the directive itself see our NIS2 compliance guide. For the reporting cascade see NIS2 incident reporting.
Note: this is a point-in-time snapshot as of June 2026. National statuses change frequently as draft bills move through parliaments and as implementing acts are issued. The authoritative real-time source remains the European Commission’s transposition page and the national competent authorities. Always confirm with the national CSIRT before relying on any single figure.
Snapshot — status by member state (June 2026)
| Member state | Status | Entry into force | National competent / CSIRT (top-line) | Notes for multi-country operators |
|---|---|---|---|---|
| Austria | Transposed | 2025 | GovCERT.gv.at / BMI | Sector regulators in finance, energy, health |
| Belgium | Transposed | 2024 (early) | CCB / CERT.be | Among the early completers; clear scope guidance |
| Bulgaria | Transposed | 2025 | CERT Bulgaria | Public administration scope clarified late in process |
| Croatia | Transposed | 2024 (early) | CERT.hr / ZSIS | Among the early completers |
| Cyprus | Transposed | 2025 | CSIRT-CY (DEC) | Sectoral regulators retain parallel competence |
| Czechia | Transposed | 2025 | NÚKIB | Stricter scope than directive baseline in critical infrastructure |
| Denmark | Transposed | 2025 | CFCS | Strong public-administration coverage |
| Estonia | Transposed | 2024 | CERT-EE / RIA | Among the early completers |
| Finland | Transposed | 2025 | Traficom NCSC-FI | Sector regulators (FIN-FSA for finance) parallel |
| France | Transposition act adopted; implementing decrees finalising | 2025–2026 | ANSSI / CERT-FR | Sector-by-sector guidance via ANSSI; OIV/OSE register evolving to NIS2 |
| Germany | Transposed (NIS2UmsuCG) | 2025 (early) | BSI / CERT-Bund | Protracted parliamentary process; KRITIS overlap with NIS2 important entity scope |
| Greece | Transposed | 2025 | National Cybersecurity Authority (Greece) | Sectoral regulators parallel |
| Hungary | Transposed | 2024 (early) | NCSC-HU | Among the early completers; broad public administration inclusion |
| Ireland | Transposed | 2025 | NCSC Ireland | Maintains sectoral regulator routes (CBI for credit institutions) |
| Italy | Transposed | 2025 | ACN / CSIRT Italia | Strong supply chain emphasis; sector regulators (Banca d’Italia) parallel |
| Latvia | Transposed | 2025 | CERT.LV | — |
| Lithuania | Transposed | 2025 | NKSC | — |
| Luxembourg | Transposed | 2025 | CIRCL / GovCERT.lu | — |
| Malta | Transposed | 2025 | CSRTM | — |
| Netherlands | Cyberbeveiligingswet enacted | Expected ~1 July 2026 | NCSC-NL | Note the lag between enactment and entry into force; sector regulators parallel (DNB for credit institutions) |
| Poland | Transposed | 2025 | CSIRT NASK / CSIRT GOV | Multiple national CSIRTs depending on sector |
| Portugal | Transposed | 2025 | CNCS | — |
| Romania | Transposed | 2025 | DNSC | — |
| Slovakia | Transposed | 2025 | NBÚ / SK-CERT | — |
| Slovenia | Transposed | 2025 | SI-CERT | — |
| Spain | Transposition still in active legislative process | Late 2026 expected | INCIBE / CCN-CERT | Until transposition completes, Royal Decree 43/2021 (NIS1) regime continues; CSIRT routing differs by entity type (CCN-CERT for public, INCIBE for private, ESPDEF for defence) |
| Sweden | Transposed | 2025 | MSB / CERT-SE | — |
The European Commission has opened infringement proceedings against several member states that missed the 17 October 2024 deadline. These do not change in-scope entities’ obligations under the directly applicable parts of the directive but affect the practical certainty around reporting routes and fine ceilings in those jurisdictions.
Where the operational differences hit you
Transposition is technical compliance with the directive’s text. The differences that affect day-to-day NIS2 operations sit in five places.
1. Scope deviations
The directive lets member states extend scope to entities and sectors not in Annex I or II. Common extensions include:
- Local government (some member states; Germany has historically extended to municipal level for parts of KRITIS)
- Smaller energy or utility operators below the size threshold
- Specific subsectors (for example cloud-services brokers in some member states)
Multi-country operators should not assume that being out of scope in country A means out of scope in country B for the same activity.
2. Competent authority and CSIRT routing
Most member states use a single national CSIRT. Several use multiple (Poland: CSIRT NASK for non-government, CSIRT GOV for government, CSIRT MON for defence). A multi-country operator needs a routing map keyed on (member state, sector) to the appropriate CSIRT URL.
3. Fine ceilings (national overlays)
The directive sets minimum fine ceilings (EUR 10m / 2% for essential; EUR 7m / 1.4% for important). Member states are free to set higher national ceilings, and several have. For multi-jurisdiction operators, the worst-case exposure is the higher of (a) the directive minimum and (b) the national ceiling in any member state where the incident is reportable. Confirm the national ceiling per member state before scoping risk-acceptance levels.
4. Parallel sector reporting
Most member states preserve existing sector-specific cybersecurity reporting obligations alongside NIS2. The frequent overlaps:
- Credit institutions: NIS2 + DORA + ECB SSM + national central bank
- Insurance: NIS2 + DORA + national insurance regulator
- Energy: NIS2 + national energy regulator
- Healthcare: NIS2 + national health regulator + GDPR for personal data
- Trust services: NIS2 + eIDAS supervisory body
NIS2’s notification to the CSIRT does not relieve you of these parallel obligations.
5. Board liability nuances
Article 20 personal accountability applies in all member states but the mechanism of disqualification differs:
- Some member states implement temporary disqualification via the competent authority directly
- Others route disqualification through the national company-law process
- Some impose individual fines on board members; others rely on corporate fines only
For boards operating across multiple member states, this asymmetry matters for D&O coverage and corporate-governance documentation.
Practical multi-country compliance checklist
If you operate in three or more EU member states, work through this list every quarter:
- Maintain a country-by-country sheet: scope status, transposition entry-into-force date, CSIRT URL, secondary regulators, fine ceiling, registration deadline, board-liability mechanism
- Tag every reportable incident with the member states it impacts; route notification per the country table
- Reconcile your incident-response runbook with the country routing — different on-call playbooks per country where the CSIRT portal or template materially differs
- Track infringement and entry-into-force changes monthly; subscribe to the Commission’s transposition page and the relevant national CSIRT mailing lists
- Refresh vendor contracts to require notification within a defined window so you have time to file the 24-hour early warning across all in-scope member states
How Enactia keeps the country picture current
Enactia’s NIS2 module ships with a country-by-country routing layer that maps essential and important entity scope to the national competent authority and CSIRT, with the fine ceiling and registration status for each member state. The incident workflow routes the 24/72/one-month cascade to every member state in which the incident is reportable, with parallel filing to GDPR DPA and sector regulators where required. The country routing is updated monthly against the Commission’s transposition tracker and national CSIRT announcements. Book a demo now to walk through the multi-country NIS2 picture against your own footprint.
Frequently asked questions
Are all EU member states required to transpose NIS2?
Yes. The directive sets a 17 October 2024 transposition deadline. Member states that missed it face Commission infringement proceedings but the directive’s directly applicable parts still bind in-scope entities.
What if my member state has not transposed?
Some directive obligations still apply directly. National enforcement depends on national legislation, which may be delayed; check with the national CSIRT or competent authority. Most national authorities have issued interim guidance for the gap period.
Which member state should I report to in a multi-country incident?
Report to the CSIRT of every member state where the incident has a material impact, using each member state’s reporting channel. NIS2 explicitly contemplates cross-border incidents and the CSIRTs Network coordinates onward distribution.
Are fine ceilings the same across the EU?
No. The directive sets minimums (EUR 10m / 2% essential; EUR 7m / 1.4% important). Member states can set higher national ceilings, and several have. Treat the worst case as the highest ceiling in any in-scope member state.
Does ISO 27001:2022 satisfy national NIS2 transpositions?
Partially, as it does for the directive itself. ISO 27001:2022 covers about 70% of Article 21. Some member states’ transpositions add national-specific obligations (registration timing, scope deviations, sector reporting) that are not covered by ISO 27001 at all. See our NIS2 to ISO 27001 cross-mapping for the directive-level deltas; member-state deltas sit on top.
Where can I see the official transposition status?
The European Commission publishes a transposition status page at digital-strategy.ec.europa.eu. The European Cyber Security Organisation (ECSO) maintains a transposition tracker that is also widely referenced. National CSIRTs publish their own guidance.
Operating across multiple EU member states? Book a demo now and we will map your country footprint to the right CSIRT, fine ceiling, and registration deadline for each — in a single 30-minute walkthrough.
