Live calendar

NIS2 regulatory calendar

Key milestones and latest developments on the NIS2 Directive, the BSIG, CIR 2024/2690, IT-Grundschutz and ENISA, updated automatically.

Simon Orzel · Continuously reviewed
90 events · Updated Jun 17, 2026

2026

Hungary: first mandatory NIS 2 audit due 30 June 2026 (national deadline, not EU-wide)

Under Hungary's NIS 2 transposition (Act LXIX of 2024, supervised by the Regulated Activities Supervisory Authority SZTFH), in-scope entities had to contract a registered cybersecurity auditor by 31 August 2025 and complete a first mandatory audit by 30 June 2026, following a six-month extension. This is a Hungarian national obligation only: neither the NIS 2 Directive (EU) 2022/2555 nor CIR 2024/2690 sets an EU-wide first-audit deadline, contrary to vendor claims that generalise the date.

Eversheds Sutherland NIS2 Tracker|hu, transposition, deadline, in-force

BSI letter to business associations sets de facto registration deadline of 31 July 2026

In a letter to German business associations reported by Tagesspiegel Background and publicly quoted by reuschlaw partner Stefan Hessel on 17 June 2026, the BSI communicates a de facto registration deadline of 31 July 2026 for entities that missed the statutory 6 March 2026 cut-off. Verbatim: 'Da die Registrierungen ueberfaellig sind, gehen wir davon aus, dass alle bis dahin nicht registrierten Einrichtungen die Registrierung bis zum 31. Juli 2026 erfolgreich abschliessen.' (Since the registrations are overdue, we assume that all entities not registered by then will successfully complete registration by 31 July 2026.) The BSI grants a narrow exception of six weeks running from the BSI's answer to bundled clarification questions. Legally this is neither a Schonfrist (grace period) nor a deadline extension: the administrative-offence ground under sec. 65(2) No 6 in conjunction with sec. 65(5) No 5 BSIG (up to EUR 500,000 flat for the sec. 33 registration breach) has applied without interruption since 7 March 2026. The letter is an exercise of BSI's prosecution discretion under sec. 47 OWiG, now anchored to a written, public benchmark. As of 2 April 2026 only 15,477 of an estimated 29,500 in-scope entities had registered. The next BSI NIS-2 in Zahlen update is scheduled for 31 July 2026, the same day. By the end of May 2026 the figure had risen to roughly 18,500 registered entities, which the BSI described as broadly satisfactory.

heise Security|registration, enforcement

AG KRITIS submits statement on the draft KRITIS-Verordnung

Civil-society working group AG KRITIS published its BMI-requested statement on the draft KRITIS-Verordnung (Stand 26.05.2026), calling retention of the 500,000-inhabitant regular threshold the most serious design flaw and criticising the absence of sectors such as chemicals, media and culture.

AG KRITIS|kritis, legislation

ENISA-organised Cyber Europe 2026 exercise tests EU response to rail and maritime cyberattacks

On 10 and 11 June 2026 ENISA ran the 8th edition of Cyber Europe with around 5,000 participants from EU Member States, industry and partner countries (UK, Norway, Switzerland, Ukraine). The scenario simulated coordinated cyberattacks on European rail and maritime transport networks escalating into a wider crisis. This was the first EU-wide test of the 2025 EU Cyber Blueprint (Council Recommendation on coordinated response to large-scale cyber incidents) and the first activation drill of the new EU Cybersecurity Reserve under the Cyber Solidarity Act. ENISA notes that rail and maritime subsectors score below average on the NIS360 maturity index relative to their criticality. The exercise stress-tests the cross-border incident response chain that NIS2 Article 23 and the CSIRT network depend on.

ENISA|organisational, publication

BSI publishes BSI-Magazin 2026/01 with cover feature on NIS-2 and BSI-Gesetz

On 11 June 2026 the BSI published the first 2026 issue of its biannual BSI-Magazin under the cover feature 'Mehr Cybersicherheit fuer Unternehmen mit NIS-2 und BSIG'. The issue marks six months of NIS2UmsuCG being in force (since 6 December 2025) and restates the BSI line that NIS-2 transposition is 'ein Meilenstein auf dem Weg zu einer resilienten Cybernation' (a milestone toward a resilient cyber nation). Other content covers AI in cybersecurity, modernised BSI certification procedures for IT security service providers, biometrics, and ePayment. The magazine is the BSI's main communication channel into government, business and society and signals a narrative shift toward the enforcement phase after the 6 March 2026 registration deadline.

BSI|publication, guidance

TTE Telecommunications Council reviews progress report on cybersecurity package (CSA2 + NIS2 amendments)

At the Transport, Telecommunications and Energy Council on 9 June 2026 in Luxembourg the Cyprus presidency presented progress reports on the Digital Networks Act and on the cybersecurity package. The cybersecurity package combines the proposed Cybersecurity Act 2 regulation, the targeted amendments to the NIS2 Directive (Commission proposal 20 January 2026) and the new EU-level trusted ICT supply chain security framework. Ministers exchanged views without taking a binding decision; the file remains under examination at COREPER ahead of the Polish presidency from July 2026. First time the cybersecurity package is formally on a Council ministerial agenda since the January Commission proposal.

Council of the EU|legislation, amendment, supply-chain

ENISA publishes SBOM Adoption State of Play 2026

ENISA published survey results on Software Bill of Materials adoption, finding the Cyber Resilience Act is the primary driver of SBOM generation and automation across the software development lifecycle. The supply-chain transparency it documents intersects with the supplier-security obligations under Article 21(2)(d) of the NIS 2 Directive.

ENISA|supply-chain, publication, guidance

European Commission welcomes G7 Cybersecurity Working Group Declaration

On 8 June 2026 DG CONNECT published a Digibyte welcoming the G7 Cybersecurity Working Group Declaration adopted under the French G7 presidency. The declaration commits the G7 to coordinated action on post-quantum cryptography, AI-related cybersecurity risks, telecoms resilience, and SME protection. The Commission explicitly anchors the telecoms-resilience pillar in the NIS2 Directive ('already sets high standards for telecoms resilience') and links the supply-chain pillar to the proposed revised Cybersecurity Act (CSA2) and the new ICT supply chain security framework. Next G7 working group meeting in autumn 2026 before the US takes over the presidency in 2027.

European Commission|guidance, supply-chain, post-quantum

ENISA publishes Technical Competence Requirements for CRA Notified Bodies

ENISA published a report setting out the competences, experience and training requirements for the personnel of conformity assessment bodies seeking notification as Cyber Resilience Act notified bodies. It supports the build-out of conformity-assessment capacity ahead of the 11 December 2026 target for a sufficient number of notified bodies under the CRA.

ENISA|guidance, publication, certification, supply-chain

Netherlands: Dutch Senate committees publish report on Cyberbeveiligingswet, await government response

On 2 June 2026 the Eerste Kamer joint committees for Digitalisation (DIGI) and Justice & Security (J&V) issued the verslag on the Cyberbeveiligingswet (bill 36.764) and parallel Wet weerbaarheid kritieke entiteiten (36.765), formally closing the written input phase opened on 19 May 2026. The committees now await the government's nota naar aanleiding van het verslag before a plenary debate and final Senate vote can be scheduled. Entry into force is still targeted for 1 July 2026 by koninklijk besluit; that timeline now depends on how fast the cabinet responds.

Eerste Kamer|nl, transposition, legislation

BSI publishes #nis2know infopaket on ISO/IEC 27001 mapping to NIS-2 / sec. 30 BSIG

On 2 June 2026 the BSI added an ISO/IEC 27001 infopaket to the #nis2know series, providing a structured mapping of sec. 30 BSIG requirements against ISO/IEC 27001:2022 controls across ten domains (risk analysis, incident response, business continuity, supply chain, vulnerability management, effectiveness measurement, training/awareness, cryptography, personnel/access, MFA/secure communications). The BSI states explicitly: 'Eine Zertifizierung nach ISO/IEC 27001 bedeutet nicht automatisch, dass ein Unternehmen NIS-2-konform ist.' (ISO/IEC 27001 certification does not automatically mean that a company is NIS-2 compliant.) This is the authoritative BSI position on the ISO-vs-NIS-2 question that dominates the consulting and audit market.

BSI|guidance, publication, certification

ENISA opens public review of Agreed Cryptographic Mechanisms version 3 for EUCC

The ECCG cryptography subgroup, supported by ENISA, published a draft version 3 of the Agreed Cryptographic Mechanisms for public review running until the end of July 2026. The document recommends the cryptographic mechanisms preferred for ICT products submitted to EUCC certification and builds on version 2.0 adopted in mid-2025.

ENISA|certification, guidance, publication

ENISA publishes NIS360 2026 — third annual maturity-and-criticality assessment of NIS2 sectors

ENISA releases the third edition of NIS360, assessing cybersecurity maturity and criticality of all Annex I high-criticality sectors. Trust services, aviation and financial market infrastructures reach high maturity. Eight sectors sit in the risk zone (maturity lags criticality): health, railway, maritime, ICT service management, space, public administrations, drinking water and waste water. Space and railway show increased criticality. Annual reference document for national authorities and operators planning NIS2 supervisory priorities.

ENISA|publication, guidance

BMI publishes draft of new KRITIS-Verordnung — thresholds and sector list under KRITIS-Dachgesetz

The Federal Interior Ministry releases the referral draft of the new Verordnung zur Bestimmung kritischer Anlagen, replacing the previous BSI-KritisV under the KRITIS-Dachgesetz. The draft adds a new Space sector, keeps IT and telecoms within KRITIS, and adjusts thresholds particularly in energy and transport. Consultation deadline is 16 June 2026. Defines which operators are simultaneously NIS2-essential entities and KRITIS-Dachgesetz operators.

heise Security|legislation, kritis

NIS Cooperation Group agrees common incident reporting templates

At its 39th Plenary in Cyprus, the NIS Cooperation Group (Member States, the European Commission and ENISA) agreed common templates for incident reporting under Article 23 of the NIS 2 Directive, giving cross-border entities one uniform format instead of divergent national forms. The Commission intends to make the templates binding through an implementing act.

European Commission|incident-reporting, guidance, organisational

Dutch Senate committees open written input phase on Cyberbeveiligingswet (NIS2 transposition)

The Eerste Kamer committees for Digitalisering (DIGI) and Justitie en Veiligheid (J&V) opened the written input phase ('inbreng voor het verslag') on the Cyberbeveiligingswet (bill 36.764) and the parallel Wet weerbaarheid kritieke entiteiten (36.765) on 19 May 2026. Senators submit positions before the committees draft short preliminary notes on 21 May. The Tweede Kamer adopted the bill on 15 April 2026; Senate approval is the last step before entry into force, expected 1 July 2026. The Netherlands is one of the remaining laggard member states still completing NIS2 transposition.

Eerste Kamer|transposition, legislation

European Commission publishes draft Guidelines on classification of high-risk AI systems (Art 6 AI Act)

The European Commission published on 19 May 2026 its draft Guidelines on the classification of high-risk AI systems under Article 6 of the AI Act (Regulation (EU) 2024/1689), together with a targeted stakeholder consultation open until 23 June 2026 (22:00 CET). The 148-page draft sets out the Commission's interpretation of Article 6(1) (Annex I embedded safety components) and Article 6(2) (Annex III standalone high-risk systems), and includes practical use-case examples per Art 6(5). Notable signals for NIS 2-regulated entities: critical-infrastructure high-risk classification under Art 6(2) + Annex III(2) is triggered by CER (Directive 2022/2557) designation, not by NIS 2 'essential entity' status; cybersecurity-purpose AI is explicitly excluded from high-risk (Recital 55); service-quality/operations AI is also excluded. Four Article 6(3) exemption paths preserved despite earlier Commission proposal to delete. Final guidelines expected after consultation close.

European Commission|guidance, publication

BSI signs cybersecurity cooperation agreement with Mecklenburg-Vorpommern (12th federal state)

BSI President Claudia Plattner and Mecklenburg-Vorpommern's Minister for Finance and Digitalization Dr. Heiko Geue sign a formal cooperation agreement in Hamburg, bringing the BSI's federal-state cooperation network to twelve states. Covers operational cybersecurity, mutual information and knowledge exchange, and joint awareness measures. Continues the Bund-Länder coordination push that began with Brandenburg on 29 April 2026 and supports NIS-2 implementation across affected public administration entities.

BSI|enforcement, kritis

BSI publishes G7 guideline on Software Bill of Materials for AI

BSI and Italy's ACN co-led the G7 cybersecurity authorities and the EU Commission in producing the 'Software Bill of Materials (SBOM) for Artificial Intelligence' minimum-elements guideline. The document sets minimum requirements across seven information categories including AI models, training data sources, and potential biases. BSI President Claudia Plattner: transparency across the AI supply chain is the foundation for robust AI cybersecurity. Directly relevant to NIS 2 supply-chain risk management under Art 21(2)(d) and to the AI Act compliance pathway.

BSI|guidance, publication, supply-chain

BMI/BKA Bundeslagebild Cybercrime 2025: ~335,000 cases, EUR 202.4bn damage to German economy

Federal Interior Minister Alexander Dobrindt and BKA Vice President Martina Link present the Bundeslagebild Cybercrime 2025 on 12 May 2026. About 335,000 cybercrime cases in the narrow sense were registered in 2025; two-thirds (207,888) committed from abroad or from unknown locations. Estimated damage to the German economy: EUR 202.4 billion, roughly 4.5 percent of GDP. AI-based tools are increasingly used by attackers; companies, public authorities and critical infrastructure are the principal targets. Dobrindt frames the response in NIS-2 enforcement terms: 'The state must not be a spectator in the digital space.' Provides political backdrop for the BSI's transition into the active NIS-2 audit phase started in May 2026.

BMI|publication, enforcement

BSI Cybersecurity Monitor 2026: one in ten Germans hit by cybercrime in the past year

Joint BSI and ProPK survey finds 27% of Germans have been victims of cybercrime, including 11% in the past 12 months. Most common offences: online shopping and banking fraud, account compromise, and phishing. Only 14% regularly inform themselves about cybersecurity; 33% of affected individuals report financial losses. The report underscores the broad awareness gap that NIS 2 supervision and BSI education programmes aim to close on the consumer side.

BSI|publication, market

Luxembourg transposes NIS 2: Act of 5 May 2026 enters into force

Luxembourg's Act of 5 May 2026 on measures to ensure a high level of cybersecurity entered into force on 10 May 2026, transposing the NIS 2 Directive and repealing the previous NIS 1 Act. The Institut Luxembourgeois de Regulation (ILR) is the competent authority; a self-registration portal for in-scope entities is live. Notable because Luxembourg was one of the laggard member states and had been referred to the CJEU under the parallel CER infringement procedure days earlier on 29 April 2026. NIS 2-scope entities must self-register with the ILR.

European Commission|transposition, legislation

AI Act Digital Omnibus: provisional political agreement reached

Council and European Parliament reached provisional political agreement on the AI Act Digital Omnibus in the early hours of 7 May 2026. Delays Annex III high-risk obligations to 2 December 2027 and Annex I embedded high-risk to 2 August 2028. Watermarking under Art 50(2) deferred to 2 December 2026. Adds new Art 5 prohibition on AI generating non-consensual intimate imagery and child sexual abuse material. Extends SME relief to small mid-cap enterprises. Formal Council and Parliament adoption required before 2 August 2026.

European Parliament|legislation, amendment

BSI publishes first IT security report on public EV charging infrastructure

BSI and the Federal Ministry for Transport release the first joint report analysing IT security of Germany's public EV charging infrastructure. The report examines protocol-level deficiencies in ISO 15118 and OCPP as well as software weaknesses across charging point operators, and proposes concrete security measures. BSI positions charging infrastructure at the intersection of NIS 2 transport and energy sectors: failures cascade from mobility disruption to grid-level effects.

BSI|guidance, publication, kritis

BSI launches CyberGovSecure programme — coordinated NIS-2 implementation across German federal administration

BSI, CISO Bund and the Federal Ministry for Digital Affairs and State Modernization launched CyberGovSecure on 4 May 2026, a structured cross-departmental programme to roll out cybersecurity measures across all German federal authorities. BSI President Claudia Plattner described it as a central building block for NIS-2 implementation in the federal administration. Implementation responsibility rests with each authority; BSI provides technical and organisational support.

BSI|guidance, kritis

BSI signs cybersecurity cooperation agreement with state of Brandenburg

BSI President Claudia Plattner and Brandenburg State Secretary Ernst Buerger sign a formal cooperation agreement covering ten action areas: operational cybersecurity (information management, security tests and exercises), joint awareness and training programmes, and mutual exchanges to build technical expertise. Strengthens federal-state coordination in support of NIS2 implementation across public administration entities now in scope.

BSI|enforcement, kritis

Commission refers 7 member states to CJEU for failing to transpose CER Directive

European Commission decided on 29 April 2026 to refer Bulgaria, France, Luxembourg, the Netherlands, Poland, Spain and Sweden to the Court of Justice of the EU for failing to transpose the CER Directive (EU 2022/2557), requesting financial sanctions in each case. CER and NIS 2 share the same 17 October 2024 transposition deadline; this is the first major CJEU enforcement action under the package. Procedural sequence: formal notice November 2024, reasoned opinion July 2025, CJEU referral April 2026. Strong enforcement signal for the parallel NIS 2 infringement track.

European Commission|enforcement, transposition, penalty

BSI publishes C3A criteria framework for cloud sovereignty

BSI releases the Criteria enabling Cloud Computing Autonomy (C3A) framework establishing transparent sovereignty standards for cloud services. C3A complements the existing C5 catalogue by addressing 'Cyber Dominance' — the ability of cloud manufacturers to maintain permanent access to customer systems and data. Cloud providers must meet C5 prerequisites; the framework offers flexibility on data localisation (Germany or EU). Aligned with the European Cloud Sovereignty Framework (EU CSF). Not regulatory; supplements rather than replaces NIS2 cloud certification pathways.

BSI|publication, certification, guidance

Public feedback period closes for proposed NIS2 Directive amendments

The public feedback period for the European Commission's proposed NIS2 amendments (published January 20, 2026) closes today. Proposals include submarine infrastructure in scope, small mid-cap entity category, ransomware reporting details, strengthened ENISA cross-border supervision role, and certification-based compliance pathways. Ordinary legislative procedure in Parliament and Council follows.

European Commission|amendment, deadline

ENISA publishes National Capabilities Assessment Framework 2.0

ENISA released NCAF 2.0, an updated methodology for assessing national cybersecurity capabilities and strategy maturity. Aligned with NIS2 Article 19 peer review process. Supports Member States in identifying strengths, gaps, and priority areas in cybersecurity at strategic and operational levels.

ENISA|guidance, publication

Belgium enforces first NIS2 compliance deadline — essential entities must prove cybersecurity posture

Belgium becomes the first EU country to enforce ex-ante NIS2 supervision. By April 18, essential entities must submit verified cybersecurity documentation via one of three pathways: CyberFundamentals (CyFun) verification, ISO/IEC 27001 certification, or direct CCB inspection request. Non-compliance triggers administrative measures and fines up to 10M EUR or 2% of turnover. Full certification for essential entities due April 18, 2027.

CCB Belgium|enforcement, certification, deadline

BSI publishes v1.0 of management training guidance for §38(3) BSIG

The BSI released version 1.0 of its 24-page Handreichung 'Schulung fuer Geschaeftsleitungen' on 17 April 2026, updating the preliminary v0.9 from September 2025 after consultation with Bitkom, DIHK, GI, VDMA, Zentralverband Handwerk and ZVEI. The document defines the regulator's expectations for the §38(3) BSIG management training obligation across three blocks: training organisation (audience, intervals, formats, providers, evidence), recommended content (SOLL/KANN structure covering risk analysis, risk management practices and impact assessment), and a guided self-check (10 sections of Leitfragen with helpful vs red-flag answers). Eight training formats are explicitly endorsed including quarterly risk-management sessions with the CISO, tabletop exercises, audit simulations and management red/blue teaming. Documentation must record provider, participants with role, date/time/duration and contents with statutory references.

BSI|guidance, publication

21st German IT Security Congress concludes — 8,000 participants, NIS2 and AI security in focus

BSI hosts the 21st IT-Sicherheitskongress in Bonn on April 15-16 under the theme 'Cybernation Deutschland'. Eight sessions cover NIS-2 implementation, AI security, post-quantum cryptography, zero trust, secure supply chains, and digital identity. Hybrid workshops address Grundschutz++ 'state of the art' and EUDI-Wallet topics. Congress content remains accessible through May 15.

BSI|guidance, publication

Netherlands passes Cyberbeveiligingswet (NIS2 transposition) in lower house

The Dutch Tweede Kamer approved the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten (CER implementation) on April 15, 2026. The Cyberbeveiligingswet replaces the existing Wbni and implements NIS2 obligations including care duties, reporting requirements, and registration. Entry into force expected July 1, 2026 pending Senate approval.

Rijksoverheid|legislation, transposition

BSI Congress reveals NIS-2 implementation far behind expectations — companies deliberately avoiding registration

At the 21st IT Security Congress, BSI official Manuel Bach disclosed that NIS-2 registration remains far below expectations. Nearly 50% of German companies had never heard the term 'NIS-2' as of late 2025. Some companies are deliberately choosing not to register after consulting leadership and legal counsel. Bach compared non-compliance to tax liability: 'one cannot decide for oneself whether it applies.'

heise Security|enforcement, registration

DENIC launches Phase 2 automated domain risk assessment for .de domains under NIS2

DENIC activates Phase 2 of its NIS2 implementation for .de domain registrations. An automated risk assessment system using a traffic light principle (Low/Suspicious/High Risk) now classifies all contact and domain orders. Anomalies in registration data trigger verification requests to the responsible DENIC member. Unverified domains face DNS quarantine and potential deletion. Phase 1 (December 6, 2025) had already made corporate domain owner data publicly visible in WHOIS. Affects all ~17 million .de domains.

heise Security|enforcement, registration

BSI publishes C5:2026 cloud computing criteria catalogue

BSI released C5:2026, the updated Cloud Computing Compliance Criteria Catalogue replacing the 2020 version. The new edition covers container management, post-quantum cryptography, and confidential computing, aligns with the European EUCS certification scheme, and explicitly considered the NIS2 Directive in its design alongside ISO/IEC 27001:2022 and the CSA Cloud Controls Matrix v4. Will be released in machine-readable format for the first time.

BSI|publication, certification, post-quantum

Poland's amended KSC Act enters force — 42,000 entities now in scope

Poland's amended National Cybersecurity System (KSC) Act enters force on April 3, 2026, expanding NIS2 scope from ~400 to ~42,000 organizations including ~28,000 public sector bodies. New sectors added: food production, waste management, chemicals, postal services, manufacturing. Entity registry launched April 13 via the S46 platform. Self-registration deadline: October 3, 2026. Full compliance required by April 3, 2027.

ISAP Sejm|legislation, transposition, registration

Portugal: Decreto-Lei n.º 125/2025 enters into force

Portugal's NIS 2 transposition enters into force on 3 April 2026, 120 days after publication. Cybersecurity officer notification due within 20 working days of entry into force. CNCS operates the electronic registration platform.

Diário da República|pt, transposition, in-force

Poland: UKSC amendment of 23 January 2026 enters into force

The Polish UKSC amendment enters into force on 3 April 2026. Ministerstwo Cyfryzacji is the lead competent authority; three national CSIRTs operate in parallel (CSIRT NASK for private sector, CSIRT GOV inside ABW, CSIRT MON for military). Twelve-month grace period to implement Chapter 3 security measures (3 April 2027).

ISAP Sejm|pl, transposition, in-force

BSI publishes Grundschutz++ methodology guide — PDCA-based ISMS framework

BSI releases the first methodology guide for Grundschutz++, establishing a forward-looking framework for systematically building an ISMS based on the PDCA cycle. The guide integrates strategic planning, requirements analysis, implementation, monitoring, and continuous improvement. Currently designated for pilot projects only — Edition 2023 remains the valid audit reference through 2028.

BSI|publication, guidance

EDPB and EDPS adopt Joint Opinion 4/2026 on NIS2 amendments and Cybersecurity Act 2

EU data protection authorities formally endorse strengthening cybersecurity while raising data protection guardrails: welcome Digital Identity Wallet providers as essential entities, call for ENISA-EDPB consultation before adopting certification schemes touching personal data, recommend single-entry point for breach notifications to reduce administrative burden, and urge clarity on GDPR-cybersecurity certification overlap.

EDPB|amendment, guidance

BSI and Govdigital announce 'Cyberdome' — automated cyber defense for 10 federal states

BSI and public IT providers association Govdigital announce Cyberdome: sensor-based automated cyber defense infrastructure across 10 federal states and municipalities with real-time BSI-linked monitoring.

heise Security|enforcement

KRITIS-Dachgesetz enters into force — physical security on top of NIS2 cyber requirements

Germany's CER Directive transposition (KRITIS-Dachgesetz) enters into force, adding physical security and resilience requirements on top of NIS2 cybersecurity. Requires BCMS alongside ISMS, physical security controls, and triennial audits. Penalties up to €1M.

OpenKRITIS|legislation, kritis

Cyber Security Report 2026: 92% of small German firms misunderstand NIS2 scope

Schwarz Digits' Cyber Security Report 2026 surveys 1,001 German companies and finds 48% mistakenly believe they are not affected by NIS2. Among small companies (10-49 employees, >€10M revenue) the misconception rate reaches 92%, even though they meet the regulatory threshold.

Schwarz Digits|market, guidance

BSI launches NIS2 FAQ specifically for public administration

BSI publishes a dedicated FAQ addressing NIS2 applicability and compliance requirements for federal, state, and municipal government entities.

BSI|guidance

BSI publishes NIS-2 implementation checklist for affected entities

BSI released a downloadable NIS-2-Checkliste on 13 March 2026 as a practical step-by-step tool for affected entities to verify implementation of NIS-2 / BSIG duties. The checklist sits in the #nis2know-Downloads package alongside the affected-entities decision tree and the public-administration FAQ that landed the same day. Currently at version 9, indicating ongoing iteration on the basis of operator feedback. Addresses registration, governance, risk management, supply-chain, incident reporting and training obligations.

BSI|guidance, publication

ENISA publishes Technical Advisory for Secure Use of Package Managers

New guidance on secure software development lifecycle focusing on package manager security — directly relevant for NIS2 supply chain security requirements (Art. 21(2)(d)).

ENISA|guidance, publication, supply-chain

22 of 27 EU member states have completed NIS2 transposition

Cullen International reports 22 EU states have transposed NIS2. Five remain: France, Ireland, Luxembourg, Netherlands (legislation in parliament) and Spain (no draft submitted). Spain is the furthest behind.

ECSO|transposition, legislation
Milestone

BSI registration deadline passes — fines now possible for non-registration

Three months after BSIG entry into force, the mandatory registration deadline at the BSI portal expires. Late registration is still accepted but penalties of up to €10M or 2% of annual revenue are now legally enforceable.

heise Security|deadline, registration

Only ~11,500 of ~29,500 affected entities registered by the deadline

By the March 6 deadline, approximately 11,500 authorities, companies, and other critical facilities registered with the BSI under NIS2 — leaving around 18,000 of the 29,500 obligated entities still missing. The BSI spokesperson said it remains unclear whether the original estimate was too high or whether large numbers of affected parties simply failed to comply.

heise Security|registration, enforcement

BOS digital radio operator receives ISO 27001/IT-Grundschutz certification

Germany's public safety digital radio (BOS) network operator achieves ISO 27001 certification on IT-Grundschutz basis, demonstrating critical infrastructure security compliance.

BSI|certification

Poland publishes UKSC amendment in Dziennik Ustaw (Dz.U. 2026 poz. 252)

Adopted by the Sejm on 23 January 2026, signed by the President on 19 February 2026, the amendment to the Polish National Cybersecurity Act (UKSC) is published in the Journal of Laws on 2 March 2026 as Dz.U. 2026 poz. 252. Amends 21 statutes including the 2018 UKSC. Enters into force 3 April 2026.

ISAP Sejm|pl, transposition, publication

Public comment period opens for CRA compliance technical guideline

BSI opens public comment period for the Cyber Resilience Act (CRA) compliance technical guideline, connecting product security requirements with NIS2 supply chain obligations.

BSI|guidance

BMI publishes draft Active Cyber Defense Act — new obligations for NIS2-regulated entities

Federal Interior Ministry presents the Gesetz zur Stärkung der Cybersicherheit, granting BKA, Federal Police, and BSI active cyber defense powers including disrupting attacker infrastructure. Adds obligations for NIS2-regulated entities: mandatory cooperation during state-led cyber operations, attack detection systems connected to BSI, and DNS-based protection for customers. Fines up to €20M or 2% of global turnover. Requires ~375 new government positions by 2030.

netzpolitik.org|legislationenforcement

Poland signs NIS2 transposition into law — enters into force April 2, 2026

President Nawrocki signs the amendment to Poland's National Cybersecurity System Act (UKSC), transposing NIS2 into Polish law. It enters into force on April 2 after a one-month vacatio legis. Entity registration deadline: October 3, 2026. Full compliance deadline: April 3, 2027. The President simultaneously refers the provisions on high-risk providers and penalties to the Constitutional Tribunal.

ECSO|transpositionlegislation

ENISA releases Cybersecurity Exercise Methodology framework

New methodology for planning, running, and evaluating cybersecurity exercises — relevant for NIS2 entities required to test incident response capabilities under Art. 21.

ENISA|guidancepublication

NIS Cooperation Group adopts ICT Supply Chain Security Toolbox

The NIS Cooperation Group publishes a common framework for identifying, assessing, and mitigating cybersecurity risks across ICT supply chains. The toolbox includes risk scenarios, mitigation measures, and guidance on reducing dependencies on high-risk suppliers. Accompanied by sector-specific risk assessments for connected vehicles and detection equipment.

European Commission|guidancesupply-chainpublication

ENISA publishes International Strategy for cybersecurity cooperation

ENISA releases its international cooperation strategy outlining how the agency works with non-EU partners on cybersecurity standards and threat intelligence sharing.

ENISA|publication

Südwestfalen-IT receives ISO 27001 certification on IT-Grundschutz basis

Following the devastating 2023 ransomware attack, the municipal IT provider Südwestfalen-IT achieves ISO 27001 certification based on IT-Grundschutz, demonstrating recovery and security maturity.

BSI|certification

EU proposes NIS2 amendments — new entity types, harmonization ceiling, PQC migration

European Commission unveils cybersecurity package with targeted NIS2 amendments: submarine infrastructure and digital wallet providers added, new 'small mid-cap' category (~22,500 companies), mandatory ransomware reporting details, and post-quantum cryptography migration deadlines (2030/2035).

Freshfields|amendmentlegislation

Sweden: Cybersäkerhetslagen (SFS 2025:1506) enters into force

Sweden's NIS 2 transposition enters into force on 15 January 2026. The old 2018 NIS 1 act is repealed but continues to apply to events occurring before this date.

Sveriges Riksdag|setranspositionin-force

First EUCC cybersecurity certificate issued under EU framework

The first European Cybersecurity Certification (EUCC) certificate is issued, establishing a common EU-wide certification scheme that NIS2 entities can use to demonstrate compliance.

BSI|certification
Milestone

BSI NIS2 registration portal launches

BSI launches portal.bsi.bund.de for NIS2 entity registration and incident reporting. Registration requires an ELSTER organizational certificate (5-10 business days processing).

BSI|registration
Milestone

Grundschutz++ transition phase begins — parallel operation through 2029

BSI officially launches the Grundschutz++ modernization transition. Machine-readable OSCAL/JSON format replaces PDF/Excel. Edition 2023 remains valid for audits during the transition through 2029.

ISMS-Ratgeber|publication

Denmark: CFCS becomes part of SAMSIK

On 1 January 2026 the Centre for Cybersecurity (CFCS) becomes part of the newly established Agency for Societal Security (SAMSIK), under the Ministry for Societal Security and Emergency Preparedness. CFCS continues to operate the national CSIRT under Forsvarets Efterretningstjeneste; the cfcs.dk site now redirects to samsik.dk.

CFCS Denmark|dkorganisational

Sweden: MSB renamed to MCF (Myndigheten för civilt försvar)

On 1 January 2026 the Swedish Civil Contingencies Agency (MSB) is renamed Myndigheten för civilt försvar (MCF). MCF continues to host CERT-SE as the national CSIRT and is the EU Single Point of Contact for NIS 2.

Sveriges Riksdag|seorganisational

2025

Sweden: Cybersäkerhetslagen (SFS 2025:1506) issued

Cybersäkerhetslagen (SFS 2025:1506) — Sweden's NIS 2 transposition — is issued on 11 December 2025 on the basis of Proposition 2025/26:28 'Ett starkt skydd för nätverks- och informationssystem'. Enters into force 15 January 2026. Decentralised supervision via sector regulators; MCF (Myndigheten för civilt försvar) is national SPOC and hosts CERT-SE.

Sveriges Riksdag|setranspositionpublication
Milestone

BSIG enters into force — NIS2 is law in Germany

The amended BSIG enters into force on St. Nicholas Day, over a year after the EU transposition deadline. No transition period — all obligations are immediately effective for ~29,500 affected entities.

OpenKRITIS|legislation
Milestone

NIS2UmsuCG published in Federal Law Gazette (BGBl. 2025 I Nr. 301)

The NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz is published in the Federal Law Gazette, entering into force the following day.

OpenKRITIS|legislationpublication

Portugal publishes Decreto-Lei n.º 125/2025 in Diário da República

Portugal's NIS 2 transposition appears in the Diário da República on 4 December 2025. Decreto-Lei n.º 125/2025 establishes the Regime Jurídico da Cibersegurança with CNCS (Centro Nacional de Cibersegurança) as the lead authority and CERT.PT as the national CSIRT (integrated into CNCS). Enters into force 3 April 2026 (120 days after publication).

Diário da República|pttranspositionpublication
Milestone

Bundestag passes NIS2UmsuCG — Germany's NIS2 implementation law

German parliament passes the NIS2UmsuCG in 2nd and 3rd readings. Votes: CDU/CSU + SPD + AfD in favor, Greens against, Die Linke abstained. Approximately 29,500 entities now fall under BSI supervision.

heise Security|legislation
Milestone

Coalition agrees on NIS2UmsuCG compromises — ex-post model for critical components

CDU/CSU-SPD coalition reaches agreement: critical component regulation shifts from ex-ante approval to ex-post notification model. Federal CISO role transferred to BSI in Bonn.

heise Security|legislation

Czech Republic: Act 264/2025 Sb. on Cybersecurity enters into force

Zákon č. 264/2025 Sb. enters into force on 1 November 2025. Initial wave (entities already in scope at entry into force) must self-identify and register through portal.nukib.gov.cz by 31 December 2025. Entities entering scope later have 60 days.

NÚKIB|cztranspositionin-force
Milestone

BSI publishes Grundschutz++ preview on GitHub (OSCAL/JSON)

BSI releases the Stand-der-Technik-Bibliothek on GitHub with preview of abstract requirements in OSCAL/JSON format. Not production-ready — initial draft only, concrete measures still being added.

BSI|publication

Czech Republic publishes Cybersecurity Act 264/2025 Sb. in Sbírka zákonů

Adopted 11 June 2025, published in the Czech Collection of Laws on 4 August 2025, the new Zákon č. 264/2025 Sb. o kybernetické bezpečnosti replaces the 2014 cybersecurity act and transposes NIS 2. NÚKIB is the lead supervisor; GovCERT.CZ is operated inside NÚKIB; CSIRT.CZ is run by CZ.NIC. Two-tier regime (higher / lower significance). Penalty cap CZK 250 million for the higher regime.

NÚKIB|cztranspositionpublication
Milestone

German cabinet approves NIS2UmsuCG draft law

The German federal cabinet approves the draft NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, forwarding it to parliament. The bill was fast-tracked due to the missed EU deadline.

Bundesregierung|legislation

Denmark: NIS 2-loven (LOV nr 434) enters into force

Adopted by the Folketing on 29 April 2025, signed 6 May 2025, the Danish NIS 2 law (Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau) enters into force on 1 July 2025. Self-registration via virk.dk with MitID by 1 October 2025. Energy sector follows the parallel LOV nr 258 of 6 March 2025.

Retsinformation|dktranspositionin-force
Milestone

ENISA publishes NIS2 Technical Implementation Guidance v1.0

170-page document translating CIR 2024/2690 into practical measures across 13 thematic areas with evidence examples and standards mappings. Primary reference for NIS2 compliance implementation.

ENISA|guidancepublication
Milestone

EC sends reasoned opinions to 19 member states for late NIS2 transposition

The European Commission escalates infringement proceedings against 19 member states that failed to transpose the NIS2 Directive by the October 2024 deadline.

ECSO|enforcementtransposition

Commission sends reasoned opinion to 19 Member States for NIS 2 transposition failure

Step 2 of the infringement procedure: 19 Member States that had not notified full transposition of NIS 2 by the 17 October 2024 deadline receive a reasoned opinion from the Commission. The list includes Germany, France, Spain, the Netherlands, Sweden, Finland, Denmark, Portugal, Ireland, Poland and others. Next step: referral to the CJEU.

European Commission|enforcementinfringement

Finland: Cybersecurity Act 124/2025 enters into force

The Finnish Parliament approved Kyberturvallisuuslaki on 13 March 2025; it enters into force as Act 124/2025 on 8 April 2025. Initial registration deadline 8 May 2025. Traficom coordinates; NCSC-FI is the national CSIRT and EU Single Point of Contact. Decentralised supervision via sector regulators (Energiavirasto, Finanssivalvonta, Tukes).

Finlex|fitranspositionin-force

2024

Milestone

CIR 2024/2690 enters into force

The Commission Implementing Regulation becomes binding across all EU member states 20 days after publication, establishing the technical baseline for NIS2 compliance.

EUR-Lex|legislation
Milestone

CIR 2024/2690 published — NIS2 technical requirements regulation

Commission Implementing Regulation (EU) 2024/2690 published, specifying technical and methodological requirements for NIS2 cybersecurity risk management measures for digital infrastructure and service providers.

EUR-Lex|legislationpublication

Belgium: Law of 26 April 2024 (NIS 2) enters into force

Belgium meets the EU deadline. The Loi du 26 avril 2024 (published in the Moniteur belge on 17 May 2024) enters into force on 18 October 2024. CCB runs Safeonweb@Work as the national registration portal; CERT.be sits inside CCB.

CCB Belgium|betranspositionin-force
Milestone

NIS2 transposition deadline expires — most member states miss it

Member states were required to transpose NIS2 into national law by this date. Most, including Germany, miss the deadline. Only Belgium has fully transposed and begun enforcement.

ECSO|deadlinetransposition

Italy publishes Decreto Legislativo n. 138/2024 (NIS 2 transposition)

Italy becomes one of the first Member States to formally transpose NIS 2. D.Lgs. 138/2024 of 4 September 2024 establishes ACN (Agenzia per la Cybersicurezza Nazionale) as the sole competent authority, which also hosts CSIRT Italia. Enters into force 16 October 2024.

ACN Italy|ittranspositionpublication

2023

Milestone

IT-Grundschutz Kompendium Edition 2023 released

BSI publishes the IT-Grundschutz Kompendium Edition 2023 — the current production standard for information security management in Germany. Remains the valid audit reference through the Grundschutz++ transition.

BSI|publication
Milestone

NIS2 Directive enters into force

The NIS2 Directive enters into force 20 days after publication. Member states have until October 17, 2024 to transpose it into national law.

EUR-Lex|legislation

2022

Milestone

NIS2 Directive published in Official Journal

Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union published in the Official Journal of the European Union.

EUR-Lex|legislationpublication