NIS 2 EU implementation tracker
Where every EU Member State stands on the NIS 2 transposition. National act, competent authority, national CSIRT, status. Reviewed June 2026.
What this is
The 17 October 2024 transposition deadline set in Article 41 NIS 2 has come and gone. A few Member States moved fast (Italy, Belgium, Hungary, Croatia, Romania). Most are still in legislative process, including the four biggest economies (Germany, France, Spain, Netherlands). The European Commission opened infringement procedures in May 2025 against the late ones.
The table below summarises the canonical national act, the lead competent authority and the national CSIRT for each Member State. Where we have a per-country deep dive, the country name links to it. Status as of the review date; check the ENISA NIS 2 transposition tracker for the latest verifiable picture.
| Member State | National act | Competent authority | National CSIRT | Status |
|---|---|---|---|---|
ATAustria | NISG 2026 Original NISG (BGBl. I Nr. 111/2018) transposed NIS 1; replaced by NISG 2026 (BGBl. I Nr. 94/2025), in force 1 October 2026. | Bundesamt für Cybersicherheit | GovCERT.AT (interim national CSIRT), CERT.at (incident reporting platform nis2.cert.at) | Bill pending |
BEBelgium | NIS2 Law (Loi NIS2) One of the first Member States to transpose. Entered into force 18 October 2024. | CCB (Centre for Cybersecurity Belgium) | CERT.be (under CCB) | In force |
BGBulgaria | Cybersecurity Act (amended) | State e-Governance Agency / Ministry of e-Government | CERT Bulgaria | In force |
HRCroatia | Zakon o kibernetičkoj sigurnosti Adopted in 2024. Sectoral supervision model. | NHCSC-HR (National Cybersecurity Center) | CERT.hr (CARNet) | In force |
CYCyprus | Law on Security of Networks and Information Systems (Amendment) 2025 | DSA (Digital Security Authority) | CSIRT-CY | In force |
CZCzechia | Zákon č. 264/2025 Sb. o kybernetické bezpečnosti Existing Cybersecurity Act (Zákon Ä. 181/2014 Sb.) transposed NIS 1. NIS 2 rewrite in legislative process. | NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost) | GovCERT.CZ (NÃKIB), CSIRT.CZ | In force |
DKDenmark | LOV nr 434 af 06/05/2025 (NIS 2-loven) Denmark uses a sectoral supervision model. CFCS sits within the Defence Intelligence Service. | SAMSIK (Styrelsen for Samfundssikkerhed) | CFCS (Centre for Cyber Security) | In force |
EEEstonia | Küberturvalisuse seadus Estonia transposed quickly via amendment to its existing 2018 Cybersecurity Act. | RIA (Riigi Infosüsteemi Amet) | CERT-EE (within RIA) | In force |
FIFinland | Kyberturvallisuuslaki (124/2025) Finland adopted the transposition act in 2024. Entered into force April 2025. | Traficom + sector authorities (NCSC-FI as national CSIRT) | NCSC-FI (Kyberturvallisuuskeskus, within Traficom) | In force |
FRFrance | Loi Résilience (bundles NIS2 + DORA + CER) Layered on top of existing OIV / OSE regime under the Code de la défense. Registration via MonEspaceNIS2. | ANSSI (Agence nationale de la sécurité des systèmes d'information) | CERT-FR (ANSSI) | Bill pending |
DEGermany | NIS2UmsuCG / BSIG Germany missed the 17 October 2024 EU deadline. Commission opened infringement proceedings May 2025. | BSI (Bundesamt für Sicherheit in der Informationstechnik) | CERT-Bund (BSI) | In force |
GRGreece | Law No. 5160/2024 | NCSA (National Cyber Security Authority) | GR-CERT (within NCA) | In force |
HUHungary | Act XXIII of 2024 Hungary transposed early via Act XXIII of 2023. Layered with SZTFH as cybersecurity supervisor. | SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága) | National Cyber Defence Institute (NBSZ) | In force |
IEIreland | National Cyber Security Bill (draft) Bill in legislative process at the Houses of the Oireachtas. | NCSC (National Cyber Security Centre) | NCSC-IE | Drafting |
ITItaly | D.Lgs. 138/2024 Entered into force 16 October 2024. One of the few Member States that met the EU deadline. | ACN (Agenzia per la Cybersicurezza Nazionale) | CSIRT Italia (within ACN) | In force |
LVLatvia | Kiberdrošības likums Latvia adopted the National Cyber Security Law in 2024, transposing NIS 2. | CERT.LV / NCSC | CERT.LV | In force |
Kibernetinio saugumo įstatymas Lithuania adopted the transposition act in late 2024. | NKSC (National Cybersecurity Center) | CERT-LT (within NKSC) | In force | |
Loi du 5 mai 2026 relative à des mesures visant à assurer un niveau élevé de cybersécurité | ILR (Institut Luxembourgeois de Régulation) | CIRCL (Computer Incident Response Center Luxembourg) | In force | |
MTMalta | Legal Notice 71/2025 (SL 460.41) | CIPD (Critical Infrastructure Protection Department) | CSIRTMalta | In force |
Cyberbeveiligingswet (Cbw, wetsvoorstel 36.764) Cbw bill before the Tweede Kamer. Replaces Wbni (NIS 1 transposition). | NCSC-NL (since 1 Jan 2026 merged with DTC and CSIRT-DSP into "versterkt NCSC", SPOC + national CSIRT) + RDI (Rijksinspectie Digitale Infrastructuur, horizontal supervisor) | NCSC-NL | Bill pending | |
PLPoland | Amended KSC Act (ustawa o KSC) Amendment to the Act on the National Cybersecurity System (Ustawa o KSC) in legislative process. | Ministry of Digital Affairs / CSIRTs | CSIRT NASK, CSIRT GOV, CSIRT MON | In force |
PTPortugal | Decreto-Lei n.º 125/2025 | CNCS (Centro Nacional de Cibersegurança) + CERT.PT | CERT.PT (within CNCS) | In force |
RORomania | Emergency Ordinance No. 155/2024; Laws No. 52/2025 & No. 124/2025 Romania transposed via OUG 155/2024 in December 2024. | DNSC (Directoratul Național de Securitate Cibernetică) | DNSC CSIRT | In force |
SKSlovakia | Zákon o kybernetickej bezpečnosti | NBÚ (Národný bezpečnostný úrad) | SK-CERT (within NBÃ) | In force |
SISlovenia | ZInfV-1 (Information Security Act) | URSIV (Information Security Agency) | SI-CERT | In force |
ESSpain | — Spain operates a two-CSIRT model. Sectoral supervisors via existing Royal Decree 43/2021 (NIS 1). | CCN-CERT / INCIBE | CCN-CERT (public sector), INCIBE-CERT (private sector) | Drafting |
SESweden | Cybersaekerhetslagen (SFS 2025:1506) | MCF (Myndigheten foer civilt foersvar, vormals MSB) + CERT-SE | CERT-SE (within MCF) | In force |
Bundesamt für Cybersicherheit
CCB (Centre for Cybersecurity Belgium)
State e-Governance Agency / Ministry of e-Government
NHCSC-HR (National Cybersecurity Center)
DSA (Digital Security Authority)
NÚKIB (Národní úřad pro kybernetickou a informační bezpečnost)
SAMSIK (Styrelsen for Samfundssikkerhed)
RIA (Riigi Infosüsteemi Amet)
Traficom + sector authorities (NCSC-FI as national CSIRT)
ANSSI (Agence nationale de la sécurité des systèmes d'information)
NCSA (National Cyber Security Authority)
SZTFH (Szabályozott Tevékenységek Felügyeleti Hatósága)
NCSC (National Cyber Security Centre)
ACN (Agenzia per la Cybersicurezza Nazionale)
CERT.LV / NCSC
NKSC (National Cybersecurity Center)
ILR (Institut Luxembourgeois de Régulation)
CIPD (Critical Infrastructure Protection Department)
NCSC-NL (since 1 Jan 2026 merged with DTC and CSIRT-DSP into "versterkt NCSC", SPOC + national CSIRT) + RDI (Rijksinspectie Digitale Infrastructuur, horizontal supervisor)
Ministry of Digital Affairs / CSIRTs
CNCS (Centro Nacional de Cibersegurança) + CERT.PT
DNSC (Directoratul Național de Securitate Cibernetică)
NBÚ (Národný bezpečnostný úrad)
URSIV (Information Security Agency)
CCN-CERT / INCIBE
MCF (Myndigheten foer civilt foersvar, vormals MSB) + CERT-SE
- Directive (EU) 2022/2555 (NIS 2), Article 41 — transposition deadline. EUR-Lex: eur-lex.europa.eu/eli/dir/2022/2555/oj
- ENISA NIS 2 transposition tracker — enisa.europa.eu/topics/nis-directive
- European Commission, infringement procedures opened against Member States that did not communicate full transposition of NIS 2 (November 2024, reasoned opinions May 2025).
- National official journals: BGBl (DE), Moniteur belge / Belgisch Staatsblad (BE), Gazzetta Ufficiale (IT), BOE (ES), JORF (FR), Sbírka zákonů (CZ), etc.
The applicability check works against the EU directive, so the answer holds regardless of which national transposition is in force in your country yet.