NIS2 Implementation Across Europe
The transposition deadline was 17 October 2024. By early 2026, the majority of EU member states had missed it, triggering infringement proceedings and creating a fragmented compliance landscape across Europe.
Last updated: July 10, 2026
21
Operational
2
Pre-Registration
2
Planned
2
Not Yet Available
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | BSI-Portal | 2026-03-06 | NIS2UmsuCG / BSIG |
| Belgium | CCB (Centre for Cybersecurity Belgium) | Safeonweb@Work | 2025-03-18 | NIS2 Law (Loi NIS2) |
| Italy | ACN (Agenzia per la Cybersicurezza Nazionale) | ACN NIS Portal | 2026-02-28 | D.Lgs. 138/2024 |
| Czech Republic | NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost) | Portál NUKIB | 2025-12-31 | Zákon č. 264/2025 Sb. o kybernetické bezpečnosti |
| Denmark | SAMSIK (Styrelsen for Samfundssikkerhed) | Virk | 2025-10-01 | LOV nr 434 af 06/05/2025 (NIS 2-loven) |
| Poland | Ministry of Digital Affairs / CSIRTs | System S46 | 2026-10-03 | Amended KSC Act (ustawa o KSC) |
| Sweden | NCSC (Nationellt cybersaekerhetscenter, bei der FRA) + CERT-SE | Not yet available | TBD | Cybersaekerhetslagen (SFS 2025:1506) |
| Croatia | NHCSC-HR (National Cybersecurity Center) | Not yet available | TBD | Zakon o kibernetičkoj sigurnosti |
| Lithuania | NKSC (National Cybersecurity Center) | Not yet available | TBD | Kibernetinio saugumo įstatymas |
| Latvia | CERT.LV / NCSC | Not yet available | 2025-04-01 | Kiberdrošības likums |
| Greece | NCSA (National Cyber Security Authority) | Not yet available | 2025-09-30 | Law No. 5160/2024 |
| Slovakia | NBÚ (Národný bezpečnostný úrad) | Not yet available | TBD | Zákon o kybernetickej bezpečnosti |
| Romania | DNSC (Directoratul Național de Securitate Cibernetică) | NIS2@RO Platform | 2025-09-19 | Emergency Ordinance No. 155/2024; Laws No. 52/2025 & No. 124/2025 |
| Finland | Traficom + sector authorities (NCSC-FI as national CSIRT) | Not yet available | 2025-05-08 | Kyberturvallisuuslaki (124/2025) |
| Estonia | RIA (Riigi Infosüsteemi Amet) | Not yet available | 2026-03-31 | Küberturvalisuse seadus |
| Portugal | CNCS (Centro Nacional de Cibersegurança) + CERT.PT | MyCiber | TBD | Decreto-Lei n.º 125/2025 |
| Hungary | SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) | Not yet available | TBD | Act LXIX of 2024 (Hungarian Cybersecurity Act) |
| Cyprus | DSA (Digital Security Authority) | NIS2 Self-Assessment Tool | TBD | Law on Security of Networks and Information Systems (Amendment) 2025 |
| Luxembourg | ILR (Institut Luxembourgeois de Régulation) | ILR Guichet (NISS_EE231) | 2026-07-10 | Loi du 5 mai 2026 relative à des mesures visant à assurer un niveau élevé de cybersécurité |
| Malta | CIPD (Critical Infrastructure Protection Department) | Not yet available | TBD | Legal Notice 71/2025, amended by Legal Notice 89/2026 (S.L. 460.41) |
| Slovenia | URSIV (Information Security Agency) | Not yet available | 2025-12-19 | ZInfV-1 (Information Security Act) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| France | ANSSI (Agence nationale de la sécurité des systèmes d'information) | MonEspaceNIS2 | TBD | Loi Résilience (bundles NIS2 + DORA + CER) |
| Netherlands | NCSC-NL (since 1 Jan 2026 merged with DTC and CSIRT-DSP into "versterkt NCSC", SPOC + national CSIRT) + RDI (Rijksinspectie Digitale Infrastructuur, horizontal supervisor) | MijnNCSC / Entiteitenregister | TBD | Cyberbeveiligingswet (Cbw) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Austria | Bundesamt für Cybersicherheit | Unternehmensserviceportal (USP) | 2026-12-31 | NISG 2026 |
| Bulgaria | State e-Governance Agency / Ministry of e-Government | Not yet available | TBD | Cybersecurity Act (amended) |
| Country | Competent Authority | Registration Portal | Registration Deadline | National Law |
|---|---|---|---|---|
| Spain | CCN-CERT / INCIBE | Not yet available | TBD | Not yet enacted |
| Ireland | NCSC (National Cyber Security Centre) | Not yet available | TBD | National Cyber Security Bill (draft) |
Selling in a country is not the same as operating in a country
Many companies sell their products or services across the EU through a single legal entity registered in one country. In that case, registration with your home country's authority is sufficient, you are not "established" in every country you sell into.
However, if your company is fully operational in a country, meaning you have a registered legal presence, employees on the ground, and pay corporate tax there, then that country's NIS2 law applies to you as an entity established in that jurisdiction.
NIS2 Article 26 creates an important exception for specific digital service types: cloud computing providers, managed service providers, managed security service providers, data centre providers, content delivery networks, DNS service providers, online marketplaces, online search engines, and social networking platforms. These entities register in a single EU member state, the one where cybersecurity risk-management decisions are predominantly taken. If you operate one of these services, you do not need to register in every country where you are established. All other types of entities (manufacturers, food companies, energy suppliers, transport operators, hospitals, etc.) fall under the standard rule and must register in each country where they have a legal establishment.
Frequently asked questions
I have a sales office in Germany but my headquarters are in France, do I register with the BSI?▾
It depends on how the German sales office is structured. If it is a registered GmbH or Zweigniederlassung (branch) that files its own tax return in Germany, you likely need to register with the BSI in addition to ANSSI in France. If it is simply a cost centre of the French parent with no separate legal status in Germany, French registration alone may suffice. Consult a lawyer familiar with NIS2 in both jurisdictions.
Do I need to comply with different security requirements in each country?▾
NIS2 sets a harmonized baseline, but each country's transposition can add stricter sector-specific requirements. In practice, implementing the NIS2 baseline, risk management, incident reporting, access control, supply chain security, will meet requirements in most EU countries. Check each country's national law for any additional obligations.
What if a country hasn't finished transposing NIS2 yet?▾
Some EU countries were late transposing the directive (the deadline was October 2024). Until national law is in force, registration may not yet be possible. Monitor the relevant national authority's website and register as soon as the process opens. Late transposition by the government does not reduce your eventual legal obligation.
Can I register once at EU level and cover all countries?▾
No. There is no single EU-level NIS2 registry. Each country operates its own registration system. This is one of the known complexities of the directive's decentralised implementation and creates significant compliance overhead for pan-European companies.
- Directive (EU) 2022/2555: NIS2 Directive, Official Journal of the European Union (27 December 2022)
- European Commission: NIS2 transposition tracker and infringement proceedings updates (2024-2025)
- Wavestone: NIS2 Transposition Radar, country-by-country implementation status (2025)
- NIS2UmsuCG: Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit (Germany)
- Loi NIS2: Belgian NIS2 transposition law (April 2024)
- D.Lgs. 138/2024: Italian NIS2 transposition decree
- ENISA: NIS2 implementation overview and cross-border coordination guidance (2025)
- BMI/BSI: Parliamentary documentation and guidance on NIS2UmsuCG implementation