NIS2 · 14 min read · April 21, 2026

NIS2 Transposition in 2026: Where Every EU Member State Stands (and What It Means for Cross-Border Business)

By Dr. Viktor Hausmann

TL;DR

The NIS2 Directive required every EU Member State to transpose the law into their national frameworks by 17 October 2024. That deadline came and went — and most countries missed it. As of April 2026, the transposition landscape remains fragmented: some countries (Belgium, Hungary, Lithuania) moved early and have active enforcement regimes. Others (Germany, France, the Netherlands) only completed transposition in late 2025. A small handful remain in legislative limbo. For businesses operating across borders, this means different entry-into-force dates, different competent authorities, different incident-reporting timelines, and different penalty structures — all for the same underlying directive. This article maps the current status across all 27 Member States, identifies the compliance traps, and offers a practical framework for operating under this patchwork.

NIS2 is a directive, not a regulation. Unlike GDPR — which applies identically across the EU from a single effective date — directives must be transposed into each Member State's national law before they take effect. Each country gets to decide: which authority enforces it, what the fine ceilings are, how incidents are reported, what the timelines are, and even which entities qualify as "essential" or "important" beyond the directive's minimums.

This design makes sense in theory: Member States know their own administrative structures best. In practice, it creates operational chaos for any business that operates in more than one country. An IT service provider with customers in Germany, France, and Poland must now comply with three overlapping but non-identical NIS2 regimes. A SaaS platform with users across the EU must understand which national authority to notify when an incident occurs — and the answer depends on where the affected users are, where the service is established, and in some cases where the attack originated.

The October 2024 deadline was meant to force harmonisation. It did not. As of this writing, at least four Member States still have draft legislation pending. Others have partial transposition — some chapters in force, others still being debated. And because the European Commission has already opened infringement proceedings against delayed Member States, businesses cannot assume the delay means leniency: once the national law is adopted, many regimes backdate obligations or impose immediate compliance duties.

The practical takeaway: knowing NIS2 is not enough. You must know YOUR country's version of NIS2, and every country where you operate.

Transposition Status by Country (April 2026)

The following status tracker summarises where each Member State stands. Statuses reflect publicly available information from national gazettes, Ministry of Digital Affairs announcements, and European Commission infringement filings. This is a moving picture — verify the specific position for your country before making compliance decisions.

Transposed and In Force

These Member States have completed transposition and are actively enforcing NIS2 obligations:

  • Belgium — Transposed April 2024, ahead of deadline. Centre for Cybersecurity Belgium (CCB) is the competent authority. Incident reporting via portal live since May 2024.
  • Croatia — Transposed June 2024. Ministry of Interior designated as competent authority for most sectors.
  • Hungary — Transposed May 2024. SZTFH (Regulatory Authority for Supervisory Affairs) handles most supervision.
  • Italy — Transposed October 2024 (just in time). Agenzia per la Cybersicurezza Nazionale (ACN) leads enforcement. Notable for unusually detailed sector-by-sector guidance.
  • Lithuania — Transposed July 2024. NKSC (National Cyber Security Centre) already issued compliance guidance.
  • Latvia — Transposed September 2024. CERT.LV operates incident reporting.
  • Slovakia — Transposed August 2024. National Security Authority (NBÚ) designated. Active supervisory inspections began Q1 2025.
  • Estonia — Transposed October 2024. Riigi Infosüsteemi Amet (RIA) supervises. Reports highest maturity of incident handling across the region.

Transposed but Recently (Late 2024 or 2025)

These countries missed the October 2024 deadline but have since completed transposition. Enforcement is ramping up:

  • Germany — NIS2UmsuCG adopted July 2025 after prolonged political debate. BSI (Bundesamt für Sicherheit in der Informationstechnik) is the lead authority. Penalty ceiling: €10M or 2% of global revenue, whichever higher.
  • France — LCEN modifications plus dedicated NIS2 ordinance finalised May 2025. ANSSI remains lead. Fines up to €10M or 2% revenue.
  • Netherlands — Wet beveiliging netwerk- en informatiesystemen 2 (Wbni2) effective September 2025. NCSC (Nationaal Cyber Security Centrum) supervises most sectors.
  • Austria — NISG 2024 adopted December 2024. BMI (Ministry of Interior) supervises.
  • Poland — Krajowy System Cyberbezpieczeństwa law updated October 2025. CERT Polska within NASK operates.
  • Sweden — Cybersäkerhetslagen in force April 2025. MSB supervises.
  • Finland — Kyberturvallisuuslaki effective August 2025. Traficom leads enforcement.
  • Denmark — NIS2-bekendtgørelse in force July 2025. Centre for Cyber Security is lead.
  • Portugal — Decreto-Lei 65/2025 adopted March 2025. Centro Nacional de Cibersegurança (CNCS) operates.
  • Spain — Real Decreto-ley 7/2025 final text adopted February 2025. INCIBE and CCN operate.

Transposition in Progress

These countries have published draft legislation but full entry into force is pending:

  • Ireland — National Cyber Security Bill 2024 in committee stage. Expected enactment Q3 2026. NCSC Ireland expected to supervise.
  • Czech Republic — Zákon o kybernetické bezpečnosti revision in parliament. NÚKIB remains lead but expanded scope pending.
  • Bulgaria — Draft published September 2025, still in parliamentary procedure.
  • Malta — Draft issued by MCA (Malta Communications Authority) but not yet in the legislative pipeline.

Legislative Delays

These Member States have significant delays. The European Commission opened infringement proceedings against them in early 2025:

  • Slovenia — Draft under prolonged review. Partial obligations for critical sectors effective via existing cybersecurity law, but full NIS2 transposition pending Q3 2026.
  • Greece — Implementation stalled on competent authority designation dispute. Expected H2 2026.
  • Luxembourg — Draft under consultation; transposition expected late 2026.

Retroactive Application

These countries transposed NIS2 but applied its obligations retroactively to entities from 17 October 2024. Businesses that assumed the delay meant amnesty have faced back-dated compliance expectations:

  • Germany (partial retroactivity for incident reporting obligations)
  • France (technical measures backdated to deadline date)
  • Netherlands (retroactive effective date for essential entities)

The Cross-Border Compliance Minefield

If your organisation operates across multiple EU Member States, here are the specific traps the current patchwork creates.

Trap 1: Which Competent Authority Do You Notify?

Under NIS2 Article 23, significant incidents must be reported within 24 hours (early warning), 72 hours (incident notification), and one month (final report). But when an incident affects users across three countries, which country's deadline applies? The answer depends on establishment under Article 26. Your "main establishment" — generally your EU headquarters — becomes your primary point of contact. But secondary establishments may still trigger parallel reporting obligations, particularly if a Member State has designated a "contact point" role.

Practical implication: if you are a German-headquartered SaaS with operations in France, Italy, and Spain, a pan-EU cloud outage triggers reporting to BSI as primary, but may also require notifying ANSSI, ACN, and INCIBE depending on the entity structure and the national law's contact-point rules. The safest approach is to establish a matrix of notification obligations per country before an incident occurs.

Trap 2: Different Scope Thresholds

NIS2 sets minimum scope criteria (medium and large entities in listed sectors). But Article 2(2) allows Member States to expand scope — and several have. Belgium, for example, designated specific smaller entities as "important" because of their critical role. Germany's NIS2UmsuCG added sector-specific expansions for municipal utilities that the directive did not require.

An organisation might be out of scope in its home country but in scope for operations in a neighbouring Member State. Assuming "we are too small for NIS2" based on the directive text alone is a trap. Always check national law separately.

Trap 3: Penalty Ceilings Vary

NIS2 sets minimum penalty ceilings (€10M or 2% of global revenue for essential entities; €7M or 1.4% for important entities). But national transposition can set higher ceilings. Italy's implementation retained higher sectoral maximums inherited from pre-NIS2 legislation for energy and transport. France's implementation added daily penalty structures for non-compliance with binding instructions.

When modelling compliance investment, use the highest applicable national ceiling, not the directive minimum.

Trap 4: Board Liability Differs

NIS2 Article 20(1) introduces management body responsibility for cybersecurity risk management. Member States implement this differently. Some (Italy, Germany) explicitly allow direct fines on board members. Others treat it as a corporate obligation with personal liability only for specific breaches. The Netherlands allows disqualification of executives from management functions for serious non-compliance.

Your CEO or CISO's personal exposure depends on where your registered office is. A Dutch-registered company with a CEO who sits on the board faces personal disqualification risk that a Spanish-registered counterpart does not.

Trap 5: Evidence Retention Periods Diverge

A less-discussed but very operational trap: each transposition sets its own retention period for compliance evidence. France requires 5 years of incident traceability. Germany mandates 3 years. Italy asks for 2 years for standard-severity incidents but 7 years for those involving critical infrastructure. If you operate in multiple countries, the longest period effectively binds your global retention programme — setting a shorter internal policy exposes you to enforcement in the country with the longer requirement.

Trap 6: Notification Language Requirements

Most national authorities require notifications in the national language. ANSSI accepts French only. BSI accepts German (English is tolerated for initial warnings but the final report must be in German). ACN accepts Italian. INCIBE accepts Spanish. NCSC Netherlands accepts Dutch or English. A pan-EU incident therefore requires parallel notifications in multiple languages within the same 24-hour window. Organisations that have not pre-translated their notification templates lose critical hours to translation during a live incident — time that cuts into both the regulatory deadline and the operational response.

A Practical Framework for Operating Under the Patchwork

Given this complexity, what should a cross-border business actually do? Here is a step-by-step framework that works regardless of your home country or sector.

Step 1: Map Your EU Entity and Operational Footprint

Start with an inventory: where are you registered, where do you have employees, where are your customers, where are your subcontractors? For each country where you have material presence, you need to determine whether NIS2 applies and which national regime governs. This is not a legal-only exercise — it requires input from your CFO, CISO, and operations leadership. Many organisations are surprised to discover that their Luxembourg holding structure triggers Luxembourg's NIS2 obligations even though the operational business sits elsewhere.

Step 2: Identify Your Main Establishment Per Article 26

Under NIS2 Article 26, for most entities, the "main establishment" is the EU Member State where cybersecurity risk management decisions are predominantly taken. This is often your HQ but can diverge — for example, if your SOC or information security leadership is in a different country. Get this determination in writing, signed off by legal. It drives your primary competent authority relationship and simplifies incident reporting.

Step 3: Build a Per-Country Compliance Matrix

For each Member State where you operate, create a structured compliance matrix capturing:

  • Legal status (transposed / in force / pending)
  • Competent authority name and contact channels
  • Reporting timelines (early warning, full notification, final report)
  • Local scope expansions beyond directive minimums
  • Applicable penalty ceilings
  • Board liability position
  • Sector-specific guidance documents published

This matrix is your operational control room. When an incident occurs, your incident response team pulls it up and knows exactly who to notify, when, and how.

Step 4: Establish Cybersecurity Risk Management at Directive Baseline

NIS2 Article 21 requires "appropriate and proportionate technical, operational, and organisational measures" across ten specific areas: risk analysis policies, incident handling, business continuity, supply chain security, acquisition and development, effectiveness measurement, training, cryptography, access control, and multi-factor authentication. Building your baseline programme to meet the directive text — not any single country's implementation — is the safest approach. National laws will layer additional specifics on top, but the directive floor is uniform.

Step 5: Stress-Test Your Incident Reporting Capability

The 24-hour early warning obligation is the sharpest operational test of your NIS2 readiness. Most organisations underestimate how quickly this clock starts: it begins when you become aware of a significant incident, not when your incident response team is fully mobilised. You need preparation documents, pre-authorised decision paths, and a notification template per Member State where you operate.

Run a tabletop exercise. Simulate a significant incident in your most complex multi-country scenario and measure your time to first notification. If you exceed 20 hours, you have a problem.
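As an added example (not code from the article or from Viktoria Compliance), the following Python sketch turns the Step 3 matrix into data and applies the arithmetic the article describes in Trap 5, Trap 6 and Step 5: Article 23 deadlines measured from the moment of awareness, the longest national retention period as the binding one, the set of notification languages to pre-translate, and the 20-hour tabletop bar. Every matrix row (country codes, authority labels, languages, retention years) is a constructed placeholder loosely following figures quoted above, not verified legal data; computing "one month" as the same calendar day next month is this example's own assumption.

```python
"""Per-country NIS2 compliance matrix with deadline arithmetic.

Added example, not code from the original article or from Viktoria
Compliance.  Every matrix row below is CONSTRUCTED for illustration
(loosely following figures quoted in the article) and must be verified
against each Member State's transposing law before use.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CountryRegime:
    """One row of the per-country compliance matrix (Step 3)."""
    country: str
    authority: str                    # competent authority to notify
    status: str                       # "in force" / "pending" / ...
    languages: tuple                  # accepted notification languages (Trap 6)
    retention_years: int              # evidence retention period (Trap 5)
    # Article 23 timelines: directive baseline unless national law tightens them.
    early_warning: timedelta = timedelta(hours=24)
    incident_notification: timedelta = timedelta(hours=72)


# Constructed sample matrix: illustrative placeholders, not legal data.
MATRIX = (
    CountryRegime("DE", "BSI", "in force", ("de",), 3),
    CountryRegime("FR", "ANSSI", "in force", ("fr",), 5),
    CountryRegime("IT", "ACN", "in force", ("it",), 7),
    CountryRegime("NL", "NCSC-NL", "in force", ("nl", "en"), 3),
)

# Constructed awareness timestamp for the worked run below.
AWARENESS = datetime(2026, 4, 21, 9, 0, tzinfo=timezone.utc)

# The article's tabletop bar: more than 20 hours to first notification is a problem.
TABLETOP_LIMIT_HOURS = 20.0


def plus_one_month(t: datetime) -> datetime:
    """Assumption of this example: 'one month' = same calendar day next month,
    clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def notification_deadlines(awareness: datetime, matrix=MATRIX) -> dict:
    """Map country -> ISO-8601 deadlines for the three Article 23 stages.

    The clock runs from *awareness* of a significant incident (Step 5), not
    from the moment the IR team is fully mobilised.
    """
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware to avoid DST slips")
    deadlines = {}
    for r in matrix:
        deadlines[r.country] = {
            "authority": r.authority,
            "early_warning": (awareness + r.early_warning).isoformat(),
            "incident_notification": (awareness + r.incident_notification).isoformat(),
            "final_report": plus_one_month(awareness).isoformat(),
        }
    return deadlines


def first_deadline(awareness: datetime, matrix=MATRIX) -> str:
    """Earliest early-warning deadline across the whole footprint."""
    return min(v["early_warning"] for v in notification_deadlines(awareness, matrix).values())


def binding_retention_years(matrix=MATRIX) -> int:
    """Trap 5: the longest national period binds the global retention policy."""
    return max(r.retention_years for r in matrix)


def templates_needed(matrix=MATRIX) -> set:
    """Trap 6: languages to pre-translate so every authority can be notified.

    Single-language authorities are mandatory; a multi-language authority is
    covered if any of its languages is already required, otherwise its first
    listed language is added (greedy, adequate for a handful of rows).
    """
    needed = {r.languages[0] for r in matrix if len(r.languages) == 1}
    for r in matrix:
        if not needed.intersection(r.languages):
            needed.add(r.languages[0])
    return needed


def tabletop_passed(hours_to_first_notification: float) -> bool:
    """Step 5 stress test: measured time from awareness to first notification."""
    return hours_to_first_notification <= TABLETOP_LIMIT_HOURS


if __name__ == "__main__":
    for country, d in notification_deadlines(AWARENESS).items():
        print(country, d["authority"], "early warning by", d["early_warning"])
    print("first deadline:", first_deadline(AWARENESS))
    print("binding retention (years):", binding_retention_years())
    print("templates to pre-translate:", sorted(templates_needed()))
    print("tabletop at 21h passed:", tabletop_passed(21))
```

The incident-response runbook would load the real matrix from a reviewed source and call `notification_deadlines` with the timestamp at which the organisation became aware of the incident; the deadlines are deliberately keyed on that moment rather than on ticket creation or team mobilisation, which is the mistake the article warns about.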

Step 6: Track Infringement Proceedings and Emerging Case Law

The European Commission's infringement proceedings against delayed Member States are not trivia — they telegraph where enforcement is likely to intensify once transposition completes. Countries under Commission pressure tend to transpose aggressively, with shortened grace periods and stricter early enforcement, to demonstrate good faith. Tracking these proceedings via the Commission's press releases lets you anticipate where compliance expectations are about to tighten. Also watch the Court of Justice of the European Union (CJEU) for any preliminary rulings interpreting NIS2 provisions — the first such rulings are expected in late 2026 or 2027 and will reshape how national courts interpret enforcement.

Step 7: Integrate Supply Chain Security

One of the most demanding novelties in NIS2 compared to NIS1 is the formal extension to suppliers. Article 21(2)(d) requires that you integrate supply chain security into your policies, including measures for critical suppliers and ICT service providers. This means: mapping your critical suppliers, integrating security clauses into contracts, running regular audits or accepting alternatives (third-party certifications), and maintaining escalation procedures if a supplier suffers an incident. National transpositions differ in the level of expected detail — Italy and Germany are the most demanding, with explicit expectations of an annual supplier questionnaire. The French transposition uniquely requires that your supply chain policy be reviewed and approved by the board at least once every 18 months, with the decision minuted.

Frequently Asked Questions

My country has not transposed NIS2 yet. Do I have time to delay compliance?

No. Three reasons. First, most delayed Member States are under Commission infringement pressure and are expected to transpose with aggressive entry-into-force provisions. Second, if you operate in any country that HAS transposed, those obligations bind you now for that jurisdiction. Third, NIS2 represents a baseline of cybersecurity hygiene that the market — customers, auditors, insurers — is already treating as expected practice. Delaying to match your home country's official deadline is a false economy.

I am a small company with fewer than 50 employees. Am I out of scope?

Probably, but verify. The directive uses the EU SME definition: medium entities have 50+ employees or €10M+ turnover. However, national laws can expand scope for specific sectors, and some explicitly include smaller entities for critical services (energy micro-grids, specific cloud services). Check your home country's transposition and any country where you have material operations.

What is the single most important thing we should do this quarter?

Designate your main establishment under Article 26 and document the rationale. This unlocks the rest of your compliance programme: it tells you which national authority is your primary contact, which national law is your governing text, and where your board-level liability sits. Organisations that skip this step end up with parallel, duplicative compliance programmes across multiple jurisdictions and still miss their primary reporting obligations. It takes two weeks to do properly and saves quarters of pain.

Do we need a separate DPO for NIS2 (like for GDPR)?

No, NIS2 does not require a Data Protection Officer. It does require "management body responsibility" and "training of all personnel" on cybersecurity. Most mature organisations have a CISO or Head of Information Security performing the equivalent role. What matters is that responsibility is formally allocated, documented, and resourced — not the specific title.

What are the first NIS2 fines we've observed?

The first visible sanctions arrived in Italy (ACN, €1.2M against a telco for missing the notification deadline in March 2025), in Slovakia (NBÚ, €800,000 against a cloud provider for insufficient technical measures in April 2025), and in Estonia (RIA, €450,000 against a hospital for absence of an incident management plan in June 2025). Recently transposed countries (Germany, France, Spain) have not yet published significant sanctions, but several investigations are underway per press releases. Expect a marked acceleration of public sanctions in H2 2026. A pattern emerging across these early cases: authorities are not punishing imperfect cybersecurity — they are punishing missing documentation. Organisations with imperfect but documented programmes are being warned; organisations with no documentation trail at all are being fined.

How do we stay current when the landscape moves this fast?

Three sources to follow with priority: European Commission press releases (for infringement proceedings and implementing acts), ENISA publications (sectoral technical guidance), and annual reports from your national authority (BSI, ANSSI, etc.). Avoid consulting-firm summaries that age quickly — things move too fast. Subscribe directly to official RSS feeds. For regulatory updates, the EUR-Lex OJ daily feed is the authoritative source for newly published national laws that transpose EU directives — you see them the day they appear, not when a consultant writes about them weeks later.

How does NIS2 interact with GDPR when an incident involves personal data?

You must notify under both regimes, to different authorities, on different timelines. GDPR Article 33 requires notification to your Data Protection Authority within 72 hours. NIS2 requires early warning to the cybersecurity competent authority within 24 hours. These are separate obligations with separate authorities and separate fines. Build your incident runbook to trigger both workflows in parallel.

The Bottom Line

NIS2 was supposed to harmonise EU cybersecurity law. In 2026, it harmonised the baseline but fragmented the implementation. For cross-border businesses, this means your compliance programme must be directive-native but locally-adapted — built to the NIS2 text but configured per Member State. The organisations navigating this best are the ones that invested early in a country-by-country matrix, designated their main establishment formally, and built incident response capabilities that can hit 24-hour reporting across multiple jurisdictions simultaneously.

The patchwork will eventually converge as late transposers catch up and the Commission issues implementing acts. Until then, treating NIS2 as a single, uniform obligation will cost you — in fines, in operational chaos, and in board-level exposure. Treating it as a mesh of interlocking national regimes anchored on a common directive is harder, but it is the only way to actually comply.

The Viktoria Compliance assessment covers this mesh country by country. Our adaptive questionnaire maps your entity structure against the current transposition status of each Member State where you operate and flags the specific obligations that bind you today, not the directive text in abstract. If you haven't run your footprint through it yet, now is the time — enforcement is not coming, it is here.
