NIS2 | 15 min read | April 21, 2026

NIS2 Transposition in 2026: Where Every EU Member State Stands (and What It Means for Cross-Border Business)

By Dr. Viktor Hausmann

TL;DR

The NIS2 Directive (Directive (EU) 2022/2555) required every EU Member State to transpose the law into its national framework by 17 October 2024. That deadline came and went — and only Belgium, Croatia, Italy and Lithuania met it. As of May 2026, 22 of 27 Member States have now adopted transposing legislation, but five — France, Ireland, Luxembourg, the Netherlands, and Spain — remain in legislative procedure. The European Commission opened infringement proceedings against 23 Member States in November 2024 and escalated to reasoned opinions against 19 of them on 7 May 2025. For businesses operating across borders, this means different entry-into-force dates, different competent authorities, different incident-reporting routes, and different penalty structures — all for the same underlying directive. This article maps the verified status across all 27 Member States with primary sources, identifies the cross-border compliance traps, and offers a practical framework for operating under this patchwork.

NIS2 is a directive, not a regulation. Unlike GDPR — which applies identically across the EU from a single effective date — directives must be transposed into each Member State's national law before they take effect. Each country gets to decide which authority enforces it, how incidents are reported in practice, and which entities qualify as "essential" or "important" beyond the directive's minimums (Article 2(2) explicitly permits scope expansion).

This design makes sense in theory: Member States know their own administrative structures best. In practice, it creates operational complexity for any business operating in more than one country. An IT service provider with customers in Germany, Italy and Poland must now navigate three transposing acts that all derive from the same directive but differ in their procedural detail. A SaaS platform with users across the EU must understand which national authority to notify when an incident occurs — under Article 26 the answer turns on where its main establishment is located, with secondary establishments potentially triggering parallel obligations.

The October 2024 deadline was meant to force harmonisation. It did not. As of May 2026, five Member States still have draft legislation pending, and the European Commission has issued reasoned opinions to 19 Member States (the second stage of infringement proceedings, immediately preceding referral to the Court of Justice of the EU). Bulgaria has been referred to the CJEU per industry reporting. Businesses cannot assume the delay means leniency: once national law is adopted, several Member States have applied short or no transition periods.

The practical takeaway: knowing the directive text is not enough. You must know YOUR country's transposing act, and the transposing act of every country where you operate.

Verified Transposition Status by Member State (May 2026)

The following tracker captures, for each of the 27 Member States, the transposing act, the date of publication in the official gazette, the entry into force, and the designated competent authority. Each entry has been verified against the national gazette or the competent authority's official site (see Sources at the end). This is a moving picture — verify the specific position before making compliance decisions.

Transposed and In Force (19 Member States)

  • Belgium — Loi/Wet of 26 April 2024 transposing NIS2, published Moniteur belge / Belgisch Staatsblad 17 May 2024; in force 18 October 2024. Competent authority: Centre for Cybersecurity Belgium (CCB). Belgium was first to begin reporting via portal and references the CyFun® framework as a route to compliance.
  • Bulgaria — Закон за изменение и допълнение на Закона за киберсигурност, State Gazette No. 17 of 13 February 2026; in force 13 February 2026. Coordinator: National Cybersecurity Coordinator. Bulgaria was referred to the CJEU by the Commission in May 2025 per multiple industry sources before the law was adopted.
  • Croatia — Zakon o kibernetičkoj sigurnosti, Narodne novine No. 14/2024 of 14 February 2024; in force 15 February 2024. First Member State to transpose, eight months ahead of deadline. Competent authority: Nacionalni centar za kibernetičku sigurnost (NCSC-HR), within SOA.
  • Cyprus — Network and Information Systems Security (Amendment) Law L. 60(I)/2025, published 25 April 2025. Competent authority: Digital Security Authority (DSA). Subject of a Commission reasoned opinion on 7 May 2025 (issued before the publication notification was complete).
  • Czech Republic — Zákon č. 264/2025 Sb. o kybernetické bezpečnosti, Sbírka zákonů 4 August 2025; in force 1 November 2025. New standalone act (not an amendment to the previous Act 181/2014). Competent authority: Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB). 24-hour incident reporting; registration deadline end of December 2025.
  • Denmark — Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (LOV nr. 434 of 6 May 2025), Lovtidende 7 May 2025; in force 1 July 2025. Competent authority: Center for Cybersikkerhed (CFCS) under Forsvarets Efterretningstjeneste, with sectoral authorities for specific domains. Registration deadline 1 October 2025 via Virk with MitID.
  • Estonia — Küberturvalisuse seaduse ja teiste seaduste muutmise seadus, Riigi Teataja December 2025; in force 1 January 2026. Competent authority: Riigi Infosüsteemi Amet (RIA). Scope expanded from approximately 3,500 to between 5,500 and 7,000 entities. Three-year transition period for full compliance.
  • Finland — Kyberturvallisuuslaki (Säädöskokoelma 124/2025), adopted 13 March 2025; in force 8 April 2025. Decentralised model: sector-specific supervisory authorities, with Liikenne- ja viestintävirasto Traficom hosting the National Cyber Security Centre as single point of contact. Registration deadline 8 May 2025; risk management operating model deadline 8 July 2025.
  • Germany — NIS-2-Umsetzungsgesetz (NIS2UmsuCG), BGBl. 2025 I Nr. 301, published 5 December 2025; in force 6 December 2025. Bundestag adoption 13 November 2025; Bundesrat 21 November 2025. Competent authority: Bundesamt für Sicherheit in der Informationstechnik (BSI). Approximately 29,500 entities in 18 sectors. The 14-month delay past deadline was driven by the late-2024 collapse of the Ampel coalition.
  • Greece — Νόμος 5160/2024, ΦΕΚ A' 188 of 27 November 2024; in force 28 November 2024. Competent authority: Εθνική Αρχή Κυβερνοασφάλειας (National Cybersecurity Authority — NCSA), established by Law 5086/2024, supervised by the Minister of Digital Governance. Implementing ministerial decisions 1645/2025 and 1689/2025 issued during 2025.
  • Hungary — 2024. évi LXIX. törvény Magyarország kiberbiztonságáról (Act LXIX of 2024 on Hungary's Cybersecurity), Magyar Közlöny No. 130 of 20 December 2024; in force 1 January 2025. Repealed Act XXIII of 2023. Competent authority: Szabályozott Tevékenységek Felügyeleti Hatósága (SZTFH). Implementing Government Decree 418/2024.
  • Italy — Decreto Legislativo 4 settembre 2024, n. 138, Gazzetta Ufficiale Serie Generale n. 230 of 1 October 2024; in force 16 October 2024. Competent authority: Agenzia per la Cybersicurezza Nazionale (ACN), with sector-specific authorities. Italy added more sectors than the directive minimum and operates a rolling annual registration via the ACN platform from 1 December 2024.
  • Latvia — Nacionālās kiberdrošības likums (NKDL), Latvijas Vēstnesis June 2024; in force 1 September 2024. Competent authority: Nacionālais kiberdrošības centrs (National Cyber Security Centre) at the Ministry of Defence; CERT.LV operates incident response. Self-identification register due 1 April 2025; cybersecurity manager appointment plus first self-assessment by 1 October 2025.
  • Lithuania — Kibernetinio saugumo įstatymas (amended), Teisės aktų registras July 2024; in force 18 October 2024. Competent authority: Nacionalinis kibernetinio saugumo centras (NKSC) under the Ministry of National Defence. Implementing government regulation adopted 6 November 2024 defines technical and organisational requirements.
  • Poland — Ustawa o zmianie ustawy o krajowym systemie cyberbezpieczeństwa, Dziennik Ustaw 2 March 2026; in force 2 April 2026. Sejm adoption 23 January 2026; Senat 28 January 2026; Presidential signature 19 February 2026. CSIRTs (CSIRT GOV, CSIRT MON, CSIRT NASK) operate under the Minister of Digital Affairs. 12-month adaptation period until 2 April 2027.
  • Romania — Ordonanța de Urgență 155/2024, Monitorul Oficial 1334 of 30 December 2024; in force January 2025. Approved and amended by Law 124/2025, in force 10 July 2025. Competent authority: Directoratul Național de Securitate Cibernetică (DNSC). Romania transposed via emergency ordinance to meet deadline pressure; 30-day registration deadline triggered September 2025.
  • Slovakia — Zákon č. 366/2024 Z. z., Zbierka zákonov 19 December 2024; in force 1 January 2025. Amends the existing Act 69/2018 on Cybersecurity rather than replacing it. Competent authority: Národný bezpečnostný úrad (NBÚ); SK-CERT operates incident response. Approximately 10,000 entities in scope; JISKB registration due by 1 March 2025; full compliance by 31 December 2026.
  • Slovenia — Zakon o informacijski varnosti (ZInfV-1), Uradni list RS št. 40/25 of 4 June 2025; in force 19 June 2025. Single statute also transposes the Cyber Solidarity Act and Cybersecurity Act (Regulation 2025/38). Competent authority: Urad Vlade Republike Slovenije za informacijsko varnost (URSIV); SI-CERT operates incident response. Subject of Commission infringement procedure opened May 2025. First self-registration deadline 19 December 2025.
  • Sweden — Cybersäkerhetslag (SFS 2025:1506), promulgated December 2025; in force 15 January 2026. Repeals the previous Information Security Act (2018:1174). Decentralised, sector-led model: sector-specific supervisory authorities (such as PTS for telecoms), with MSB (Myndigheten för samhällsskydd och beredskap) as coordinator. Companion cybersecurity ordinance designates the supervisory bodies.

Transposed but Entry Into Force Pending

  • Austria — Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026), BGBl. I Nr. 94/2025 of 23 December 2025; entry into force 1 October 2026 (nine-month vacatio legis). Competent authority: Bundesministerium für Inneres (BMI). Important context: an earlier "NISG 2024" bill was REJECTED by the National Council on 3 July 2024; a new coalition government had to introduce the second-attempt bill, hence the long delay.
  • Portugal — Decreto-Lei n.º 125/2025, Diário da República 4 December 2025; entry into force 3 April 2026 (120-day delay). Approves the new Regime Jurídico da Cibersegurança. Competent authority: Centro Nacional de Cibersegurança (CNCS). 12-month adaptation period: entities can request a temporary penalty waiver in the first year on demonstration of good-faith compliance effort.

Transposed (Instrument Published, Ministerial Commencement Pending)

  • Malta — Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 — Subsidiary Legislation 460.41 (Legal Notice 71 of 2025), published 8 April 2025. Competent authority: Critical Infrastructure Protection (CIP) Department under the Ministry for Home Affairs. Substantive provisions become enforceable on dates specified by the Minister via commencement notices.

In Legislative Procedure (Five Member States)

  • France — Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité (the "Resilience Bill") which combines NIS2, the CER Directive on critical entity resilience, and DORA into a single transposing law. Senate first reading March 2025; National Assembly special commission vote 10 September 2025. Final adoption now expected during the extraordinary session in July 2026; ANSSI implementing decrees expected Q2 2026. Designated competent authority: Agence nationale de la sécurité des systèmes d'information (ANSSI). ANSSI published Référentiel Cyber France (ReCyF) on 17 March 2026 as the preparatory technical reference document.
  • Ireland — National Cyber Security Bill 2024 (General Scheme published 30 August 2024). The 2024 Irish general election interrupted the legislative timetable; pre-legislative scrutiny is ongoing. Subject of a Commission reasoned opinion on 7 May 2025. Designated competent authority in the draft: National Cyber Security Centre (NCSC), with sectoral regulators including ComReg.
  • Luxembourg — Projet de loi 8364, deposited at the Chambre des Députés on 13 March 2024; State Council supplementary opinion December 2025. Awaiting Chamber adoption as of May 2026. Subject of a Commission reasoned opinion on 7 May 2025. Designated competent authority in the bill: Institut Luxembourgeois de Régulation (ILR).
  • Netherlands — Cyberbeveiligingswet (Cbw), Wetsvoorstel 36764. Tweede Kamer adopted on 15 April 2026; Eerste Kamer vote pending. Targeted entry into force 1 July 2026. Note: the law is named Cyberbeveiligingswet, NOT a "Wbni2" — it replaces the existing Wbni rather than continuing the name. Companion bill Wet weerbaarheid kritieke entiteiten (Wwke) transposes the CER Directive in parallel. Competent authority: Nationaal Cyber Security Centrum (NCSC), under the Ministry of Justice and Security, with sectoral regulators.
  • Spain — Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad. Council of Ministers approved the draft on 14 January 2025; pending parliamentary debate in the Cortes Generales as of May 2026. Subject of a Commission reasoned opinion on 7 May 2025; infringement procedure opened November 2024. The draft establishes a new Centro Nacional de Ciberseguridad (CNC) under the General Secretariat of the Presidency, while existing CCN-CERT, INCIBE-CERT and ESPDEF-CERT continue their sectoral roles.

Penalty Ceilings Across Member States

Almost every transposing act applies the directive's minimum ceilings verbatim: essential entities — €10,000,000 or 2% of total worldwide annual turnover, whichever is higher; important entities — €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher (NIS2 Article 34(4)–(5)). National variations are limited and procedural rather than ceiling-based: Hungary adds an HUF 50–350 million administrative ceiling structure, and Romania expresses ceilings in both euro and percentage form. Where Member States have allowed sector-specific historical maxima from pre-NIS2 legislation to remain (for example in energy or telecoms), those typically operate alongside the NIS2 ceilings rather than displacing them. Treat the directive minimums as your baseline modelling assumption and verify any country-specific overlays with national counsel.

EU Commission Infringement Activity

On 28 November 2024 the Commission sent letters of formal notice to 23 Member States for failure to fully notify NIS2 transposition (all except Belgium, Croatia, Italy and Lithuania). On 7 May 2025 the Commission escalated to reasoned opinions against 19 Member States: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland and Sweden. Bulgaria has been referred to the CJEU per industry reporting. As Member States have continued to adopt transposing legislation through 2025 and into 2026, several of those reasoned opinions have effectively been overtaken by events; others (notably for the five still-pending Member States) remain live.

The Cross-Border Compliance Minefield

If your organisation operates across multiple EU Member States, here are the specific traps the current patchwork creates.

Trap 1: Which Competent Authority Do You Notify?

Under NIS2 Article 23, significant incidents trigger an early-warning notification within 24 hours, an incident notification within 72 hours, and a final report within one month. Article 26 sets the jurisdictional rules: an entity is generally subject to the jurisdiction of the Member State where it is established; for entities operating in multiple Member States, the "main establishment" is the Member State where cybersecurity risk-management decisions are predominantly taken. Where that location cannot be determined or is outside the Union, jurisdiction falls to the Member State where cybersecurity operations are carried out, and as a final fallback, to the Member State with the largest number of employees. Non-EU entities providing in-scope services must designate a representative under Article 26(3).

Practical implication: if you are a German-headquartered SaaS with operations in France, Italy and Spain, a pan-EU cloud outage triggers reporting to BSI as primary competent authority. Whether secondary notifications are required to ANSSI, ACN, INCIBE or any sectoral regulator depends on the entity structure, the contact-point arrangements designated by each national law, and any sectoral overlay. The safest approach is to establish a matrix of notification obligations per country before an incident occurs.

Trap 2: Different Scope Thresholds

NIS2 sets minimum scope criteria (medium and large entities in listed sectors). Article 2(2) explicitly allows Member States to expand scope, and several have. Italy added more sectors than the directive minimum in D.Lgs. 138/2024. Germany's NIS2UmsuCG covers approximately 29,500 entities across 18 sectors. Hungary uses an additional layer of "security classes" (basic, significant, high) on top of the essential/important distinction. Estonia's scope expansion roughly doubles the population of regulated entities compared to NIS1.

An organisation might be out of scope in its home country but in scope for operations in a neighbouring Member State. Assuming "we are too small for NIS2" based on the directive text alone is a trap. Always check national law separately.

Trap 3: Penalty Ceilings Are Mostly Uniform — But Procedural Detail Differs

As noted above, almost every Member State applied the directive minimums verbatim. The substantive variation is procedural rather than absolute: differences in how fines are calculated against turnover, what factors authorities weigh in setting the level, whether daily penalty payments can compound non-compliance with binding orders, and how administrative penalty proceedings interact with criminal liability. When modelling compliance investment, use the directive ceilings as the floor and verify country-specific aggravating mechanisms with national counsel.

Trap 4: Board Liability Differs

NIS2 Article 20(1) requires the management bodies of essential and important entities to approve cybersecurity risk-management measures and oversee their implementation, and provides that they may be held liable for infringements. Member States implement this differently. Italy's D.Lgs. 138/2024 explicitly provides that ACN may impose, as an accessory administrative sanction, a temporary "incapacity to perform managerial functions" on board members of repeat-offender essential entities. Germany's NIS2UmsuCG provides for personal liability of Geschäftsführer and Vorstand including potential personal fines and temporary management-function bans. The Netherlands' Cyberbeveiligingswet (as adopted by the Tweede Kamer in April 2026) escalates from corrective orders to fines and disqualification of responsible directors for serious non-compliance.

Your CEO's or CISO's personal exposure therefore depends partly on where your registered office is and partly on the seriousness threshold the national authority applies. Get this mapped early; do not discover it during an enforcement action.

Trap 5: Notification Channels and Languages

Each national authority operates its own incident-reporting portal: BSI's Melde- und Informationsportal in Germany, ANSSI's MonEspaceNIS2 platform in France (when the bill is enacted), the ACN platform in Italy, the INCIBE-CERT system in Spain, NCSC.nl and english.ncsc.nl in the Netherlands. Most operate primarily in the national language of the Member State; the Netherlands NCSC explicitly provides a fully bilingual Dutch/English portal. For other Member States, national-language submission should be assumed unless the authority's guidance documents say otherwise. A pan-EU incident therefore typically requires multilingual notification within the same 24-hour window. Pre-translated incident notification templates and local-language playbooks save critical hours during a live event.

A Practical Framework for Operating Under the Patchwork

Given this complexity, what should a cross-border business actually do? Here is a seven-step framework that works regardless of your home country or sector.

Step 1: Map Your EU Entity and Operational Footprint

Start with an inventory: where are you registered, where do you have employees, where are your customers, where are your subcontractors? For each country where you have material presence, you need to determine whether NIS2 applies and which national regime governs. This is not a legal-only exercise — it requires input from your CFO, CISO and operations leadership. Many organisations are surprised to discover that a Luxembourg holding structure triggers Luxembourg NIS2 obligations even though the operational business sits elsewhere.

Step 2: Identify Your Main Establishment Per Article 26

Under NIS2 Article 26, for most entities the "main establishment" is the EU Member State where cybersecurity risk-management decisions are predominantly taken. This is often your HQ but can diverge — for example, if your SOC or information-security leadership sits in a different country. Get this determination in writing, signed off by legal. It drives your primary competent authority relationship and substantially simplifies incident reporting.

Step 3: Build a Per-Country Compliance Matrix

For each Member State where you operate, create a structured compliance matrix capturing:

  • Legal status (transposed and in force / transposed pending entry / in legislative procedure)
  • Competent authority name and contact channels
  • Reporting timelines (24-hour early warning, 72-hour notification, one-month final report)
  • Local scope expansions beyond directive minimums
  • Applicable penalty ceilings and any procedural overlays
  • Board liability mechanisms (corporate fines, personal fines, management-function bans)
  • Sector-specific guidance documents published by the national authority

This matrix is your operational control room. When an incident occurs, your incident response team pulls it up and knows exactly who to notify, when, and how.

Step 4: Establish Cybersecurity Risk Management at Directive Baseline

NIS2 Article 21 requires "appropriate and proportionate technical, operational and organisational measures" across ten specific areas: risk analysis policies, incident handling, business continuity, supply chain security, security in network and information systems acquisition / development / maintenance, effectiveness measurement, training, cryptography, access control, and multi-factor authentication. Building your baseline programme to meet the directive text — not any single country's implementation — is the safest approach. National laws layer additional specifics on top, but the directive floor is uniform.

Step 5: Stress-Test Your Incident Reporting Capability

The 24-hour early warning obligation is the sharpest operational test of your NIS2 readiness. Most organisations underestimate how quickly this clock starts: it begins when you become aware of a significant incident, not when your incident response team is fully mobilised. You need preparation documents, pre-authorised decision paths, and a notification template per Member State where you operate.

Run a tabletop exercise. Simulate a significant incident in your most complex multi-country scenario and measure your time to first notification. If you exceed 20 hours, you have a problem.

Step 6: Integrate Supply Chain Security

One of the most demanding novelties in NIS2 compared to NIS1 is the formal extension to suppliers. Article 21(2)(d) requires "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This means: mapping your critical suppliers, integrating security clauses into contracts, running regular reviews or accepting alternatives such as third-party certifications, and maintaining escalation procedures if a supplier suffers an incident. Member States and EU-level cybersecurity policy are increasingly steering organisations toward EU cybersecurity certification schemes rather than open-ended supplier questionnaires; design your supplier programme to absorb that direction of travel.

Step 7: Track Infringement Proceedings and Emerging Case Law

The European Commission's infringement proceedings against delayed Member States are not trivia — they telegraph where transposition is about to land and where enforcement is likely to intensify once it does. Countries under Commission pressure tend to transpose with shortened grace periods to demonstrate good faith. Tracking these proceedings via the Commission's press releases (and the EUR-Lex daily Official Journal feed for newly published transposing acts) lets you anticipate where compliance expectations are about to tighten. Watch the Court of Justice of the European Union (CJEU) for any preliminary rulings interpreting NIS2 provisions; the first such rulings, once they appear, will reshape how national courts interpret enforcement.

Frequently Asked Questions

My country has not transposed NIS2 yet. Do I have time to delay compliance?

No. Three reasons. First, the five remaining Member States are under Commission infringement pressure (reasoned opinions issued 7 May 2025) and several are expected to transpose with short transition periods. Second, if you operate in any country that has already transposed, those obligations bind you now for that jurisdiction. Third, NIS2 represents a baseline of cybersecurity hygiene that the market — customers, auditors, insurers — is already treating as expected practice. Delaying to match your home country's official deadline is a false economy.

I am a small company with fewer than 50 employees. Am I out of scope?

Probably, but verify. The directive uses the EU SME definition: medium entities have 50+ employees or €10M+ turnover. However, national laws can expand scope under Article 2(2) for specific sectors, and some explicitly include smaller entities for critical services (energy micro-grids, specific cloud and managed-service providers, certain digital infrastructure). Check your home country's transposition and any country where you have material operations.

What is the single most important thing we should do this quarter?

Designate your main establishment under Article 26 and document the rationale. This unlocks the rest of your compliance programme: it tells you which national authority is your primary contact, which national law is your governing text, and where your board-level liability sits. Organisations that skip this step end up with parallel, duplicative compliance programmes across multiple jurisdictions and still miss their primary reporting obligations. It takes two weeks to do properly and saves quarters of pain.

Do we need a separate DPO for NIS2 (like for GDPR)?

No, NIS2 does not require a Data Protection Officer. It does require management body responsibility under Article 20 and training of all personnel on cybersecurity. Most mature organisations have a CISO or Head of Information Security performing the equivalent operational role. What matters is that responsibility is formally allocated, documented and resourced — not the specific title.

What are the first NIS2 fines we have observed?

As of May 2026, no major NIS2 administrative fines against named entities have been publicly disclosed. Enforcement activity to date has been at the supervisory-notice stage. Germany's BSI began issuing formal notices (Anordnungen) in Q4 2025 to entities that had failed to register or designate a point of contact, prioritising the energy and digital infrastructure sectors. Italy's ACN identified a substantial population of entities that failed to complete annual registration by the 28 February 2026 deadline and is pursuing those through enforcement proceedings. The Commission has issued reasoned opinions against 19 Member States for failure to fully transpose, which is a separate (state-level) form of enforcement. The first material monetary fines are anticipated during 2026, and the early-case pattern emerging across these supervisory notices is consistent: authorities are not yet penalising imperfect cybersecurity, but they are penalising missing documentation and missed registration deadlines.

How do we stay current when the landscape moves this fast?

Three sources to follow with priority: European Commission press releases (for infringement proceedings and implementing acts), ENISA publications (sectoral technical guidance), and annual reports from your national authority (BSI, ANSSI, ACN, NCSC and equivalents). Avoid relying on consulting-firm summaries that age quickly — things move too fast. Subscribe directly to official RSS feeds. For regulatory updates, the EUR-Lex Official Journal daily feed is the authoritative source for newly published national transposing laws — you see them on the day they appear, not when a consultant writes about them weeks later.

How does NIS2 interact with GDPR when an incident involves personal data?

You must notify under both regimes, to different authorities, on different timelines. GDPR Article 33 requires notification to your Data Protection Authority within 72 hours. NIS2 Article 23 requires an early warning to the cybersecurity competent authority within 24 hours. These are separate obligations with separate authorities and separate fines. Build your incident runbook to trigger both workflows in parallel from the moment of awareness.

The Bottom Line

NIS2 was supposed to harmonise EU cybersecurity law. In 2026, it harmonised the baseline (Article 21 measures, Article 23 reporting timeline, Article 34 ceilings) but fragmented the procedural detail. For cross-border businesses, this means your compliance programme must be directive-native but locally-adapted — built to the NIS2 text and configured per Member State where you operate. The organisations navigating this best are the ones that invested early in a country-by-country matrix, designated their main establishment formally, and built incident response capabilities that can hit 24-hour reporting across multiple jurisdictions simultaneously.

The patchwork will eventually converge as the five remaining Member States adopt their transposing acts and the Commission issues implementing measures. Until then, treating NIS2 as a single, uniform obligation will cost you — in fines, in operational disruption, and in board-level exposure. Treating it as a mesh of interlocking national regimes anchored on a common directive is harder, but it is the only way to actually comply.

The Viktoria Compliance assessment covers this mesh country by country. Our adaptive questionnaire maps your entity structure against the verified transposition status of each Member State where you operate and flags the specific obligations that bind you today, not the directive text in abstract. If you have not run your footprint through it yet, now is the time — enforcement is not coming, it is here.

Sources

All Member State transposition data verified May 2026 against national official gazettes, designated competent-authority publications, and the European Commission's NIS2 transposition tracker. NIS2 Directive provisions cited from EUR-Lex Directive (EU) 2022/2555.

  • NIS2 Directive (EU) 2022/2555 — https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
  • European Commission NIS transposition tracker — https://digital-strategy.ec.europa.eu/en/policies/nis-transposition
  • Austria — BGBl. I Nr. 94/2025 (NISG 2026): https://ris.bka.gv.at/eli/bgbl/I/2025/94/20251223
  • Belgium — CCB NIS2: https://ccb.belgium.be/regulation/nis2
  • Bulgaria — Cybersecurity Act amendments analysis: https://cms.law/en/bgr/legal-updates/bulgaria-adopts-nis2-aligned-cybersecurity-law
  • Croatia — Narodne novine 14/2024: https://narodne-novine.nn.hr/clanci/sluzbeni/2024_02_14_254.html
  • Cyprus — Digital Security Authority: https://www.dsa.cy
  • Czech Republic — NÚKIB: https://www.nukib.gov.cz
  • Denmark — Lov nr. 434/2025: https://www.retsinformation.dk/eli/lta/2025/434
  • Estonia — RIA NIS2 portal: https://nis2.ee/
  • Finland — Traficom Cybersecurity Act announcement: https://traficom.fi/en/news/cybersecurity-act-passed-parliament-obligations-under-nis-2-directive-enter-force-8-april-2025
  • France — ANSSI Directive NIS 2: https://cyber.gouv.fr/reglementation/cybersecurite-systemes-dinformation/directives-nis-nis2-et-dispositif-saiv/directive-nis-2/
  • Germany — BGBl. 2025 I Nr. 301: https://www.recht.bund.de/bgbl/1/2025/301/VO.html
  • Greece — National Cybersecurity Authority: https://www.ncsa.gov.gr
  • Hungary — SZTFH: https://sztfh.hu
  • Ireland — National Cyber Security Bill 2024 General Scheme: https://www.gov.ie/en/department-of-justice-home-affairs-and-migration/publications/general-scheme-of-the-national-cyber-security-bill-2024/
  • Italy — ACN Normativa: https://www.acn.gov.it/portale/en/nis/la-normativa
  • Latvia — National Cyber Security Centre: https://www.cyber.gov.lv/lv/nis2
  • Lithuania — Cybersecurity Law: https://kam.lt/kibernetinio-saugumo-istatymas/
  • Luxembourg — Chambre des Députés Bill 8364: https://www.chd.lu/en/directive-NIS2-cybersecurite
  • Malta — Legal Notice 71 of 2025 analysis: https://gvzh.mt/insights/nis2-malta-cybersecurity-legal-notice-71-2025/
  • Netherlands — Eerste Kamer Cyberbeveiligingswet 36764: https://www.eerstekamer.nl/wetsvoorstel/36764_cyberbeveiligingswet
  • Poland — Sejm cybersecurity amendment: https://www.gov.pl/web/cyfryzacja/sejm-uchwalil-nowelizacje-ustawy-o-krajowym-systemie-cyberbezpieczenstwa
  • Portugal — Decreto-Lei 125/2025: https://diariodarepublica.pt/dr/detalhe/decreto-lei/125-2025-962603401
  • Romania — DNSC: https://www.dnsc.ro
  • Slovakia — NBÚ: https://www.nbu.gov.sk
  • Slovenia — Uradni list ZInfV-1: https://www.uradni-list.si/glasilo-uradni-list-rs/vsebina/2025-01-1571
  • Spain — CCN NIS2: https://www.ccn.cni.es/es/normativa/directiva-nis2
  • Sweden — SFS 2025:1506 Cybersäkerhetslag: https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/cybersakerhetslag-20251506_sfs-2025-1506/
  • NCSC Netherlands incident reporting: https://www.ncsc.nl/cyberincidenten-melden-bij-het-ncsc
  • BSI Germany incident reporting: https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/NIS-2-Anleitung-Meldung/Anleitung-Meldung_node.html
  • ANSSI France notifications réglementaires: https://cyber.gouv.fr/notifications-reglementaires
  • INCIBE Spain NIS2 FAQ: https://www.incibe.es/incibe-cert/sectores-estrategicos/FAQNIS2
