Directive (EU) 2022/2555 (Network and Information Security Directive 2 – NIS2) was published in the Official Journal of the European Union on December 27, 2022. It lays down measures aiming to achieve a high common level of cybersecurity across the Union.
The directive sets out cybersecurity risk-management measures and reporting obligations for entities referred to in Annexes I or II, including banks and financial market infrastructures. In particular, affected entities will be required to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which are used for operations and the provision of services.
NIS2 was first discussed in the European Commission’s communication on shaping Europe’s digital future on February 19, 2020. It was subsequently proposed by the European Commission on December 16, 2020. Replacing Directive (EU) 2016/1148 (Network and Information Security Directive 1 – NIS1), NIS2 is intended to correct the limitations found within the previous framework. In particular, NIS2 expanded the scope of applicable entities by introducing a clear size cap, meaning that all medium and large companies in selected sectors will be included in the scope. Medium and large companies are defined in Annex 1, Article 2 of Recommendation 2003/361/EC as follows:
- Medium-sized enterprise:
  - Employs 50 to 249 persons.
  - Annual turnover: between €10m and €50m.
  - Annual balance sheet total: between €10m and €43m.
- Large enterprise:
  - Exceeds any of the thresholds set for medium-sized enterprises.
With the publication of NIS2 in the Official Journal of the European Union, the directive entered into force on January 16, 2023, and then applied from October 18, 2024.
This Mapping EU Legislation: NIS2 page will be updated in line with any NIS2 update. This includes any delegated regulation, implementing regulation or guideline issued and published.
Key Dates
Step | Date |
NIS2 effective date | January 16, 2023 |
NIS2 application date | October 18, 2024 |
Member states to adopt and publish necessary provisions | October 17, 2024 |
Member State Implementation
Country | Implementation Stage | Transposition date |
| Fully transposed via the Cybersecurity Act and the Cybersecurity Regulation. | February 7, 2024 |
| Fully transposed via Law establishing a framework for the cybersecurity of networks and information systems of general interest for public safety. | April 26, 2024 |
Latvia * ** | Fully transposed via the National Cybersecurity Act. However, although Latvia’s primary law has entered into force, there is a delay in adopting Cabinet of Ministers Regulations defining specific technical and organisational cybersecurity requirements. | June 20, 2024 |
| Fully transposed via Legislative Decree No.138 of September 4, 2024. | September 9, 2024 |
| Fully transposed via a Resolution Amending Resolution No.818. | November 6, 2024 |
Greece * | Fully transposed via this Act. | November 27, 2024 |
Slovakia * | Fully transposed via the Law amending and supplementing Act No.69/2018. | November 28, 2024 |
Romania * | Fully transposed via Emergency Ordinance on the establishment of a framework for the cybersecurity of networks and information systems in the national civil cyberspace. | December 12, 2024 |
Czechia * ** | Fully transposed via Act No. 264/2025 Coll. | April 4, 2025 |
Finland * ** | Fully transposed via the Cybersecurity Act. | April 4, 2025 |
Malta * | Fully transposed via Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025. | April 8, 2025 |
Cyprus * ** | Fully transposed via the Security of Networks and Information Systems (Amendment) Law of 2025, (Law 60(I)/2025). | April 25, 2025 |
Denmark * ** | Fully transposed via the Act on measures to ensure a high level of cybersecurity. | May 6, 2025 |
Slovenia * ** | Fully transposed via the Information Security Act. | May 31, 2025 |
Hungary * ** | Fully transposed via Decree No.189/2025. However, although Hungary’s primary law has been put into force, there has been a delay in adopting implementing decrees defining requirements and compliance processes. | July 3, 2025 |
Portugal * ** | Fully transposed via Decree-Law Transposing Directive (EU) 2022/2555. | December 4, 2025 |
Germany * ** | Fully transposed via the Act on the Implementation of NIS2. | December 5, 2025 |
Austria * ** | Fully transposed via the Network and Information Systems Security Act 2026. | December 12, 2025 |
Poland * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Netherlands * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Sweden * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Ireland * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Spain * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Bulgaria * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Estonia * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
France * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
Luxembourg * ** | In progress. There is currently a draft law transposing NIS2. | N/A |
* Countries marked were, on November 28, 2024, subject to the European Commission's infringement procedures for failing to fully transpose NIS2 within the prescribed deadline.
** Countries marked were, on May 7, 2025, subject to the European Commission’s reasoned opinion on failing to fully transpose NIS2.
The infringement procedure is as follows:
- The commission sends a letter of formal notice requesting further information to the country concerned, which then must send a detailed reply within a specified period, usually two months.
- If the commission concludes that the country is failing to fulfil its obligations under EU law, it may send a reasoned opinion, which is a formal request to comply with EU law. It explains why the commission considers that the country is breaching EU law. It also requests that the country inform the commission of the measures taken, within a specified period, usually two months.
- If the country still does not comply, the commission may decide to refer the matter to the Court of Justice of the European Union. Most cases are settled before being referred to the court.
- If an EU country fails to communicate measures that implement the provisions of a directive in time, the commission may ask the court to impose penalties.
- If the court finds that a country has breached EU law, the national authorities must take action to comply with the court judgment.
With the opening of infringement procedures by sending a letter of formal notice, member states had two months to respond and to complete their transposition, as well as to notify the commission. Where a member state failed to issue a satisfactory response, the commission could issue a reasoned opinion.
Following on from the European Commission’s reasoned opinion of May 7, 2025, five more member states have completed the NIS2 transposition. However, as of January 13, 2026, nine countries have yet to complete this step, nearly two years on from the directive’s effective date. Several possible reasons exist for this delay, from de-prioritisation to legislative complexity. Notwithstanding these challenges, the directive’s requirements will ultimately apply across the Union. Institutions should, therefore, continue to advance their NIS2 readiness, rather than waiting during a period of transitional uncertainty or delayed national implementation.
NIS2 Secondary Regulations
NIS2 contains empowerments for the European Commission to develop draft delegated and implementing acts.
A draft act, once finalised by the regulators, is submitted to the European Commission for endorsement. If endorsed, it will be published in the Official Journal of the European Union as either a Commission Delegated Regulation (for a delegated act) or a Commission Implementing Regulation (for an implementing act). The procedure for the adoption of delegated acts is known as comitology (Article 290, Treaty on the Functioning of the European Union).
To date, the European Commission has published only one implementing regulation in relation to NIS2.
Regulation | Notes |
Commission Implementing Regulation (EU) 2024/2690 (Vixio update) | Provides implementing technical standards (ITS) regarding the technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers. |
NIS2 Guidelines
Guideline | Notes |
Commission Guidelines on the application of Article 4(1) and (2) of Directive (EU) 2022/2555 (Vixio update) | The guidelines clarify the relationship between NIS2 and other European legislation which imposes obligations on entities to adopt cybersecurity risk-management measures or to notify significant incidents. |
Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555 (Vixio update) | The document provides guidelines and templates for member states’ creation of a list of essential and important entities. |
ENISA Guidelines on cybersecurity roles and skills for NIS2 Essential and Important Entities (Vixio update) | The guidelines explain the skills and roles that cybersecurity professionals need to meet these legal requirements effectively. They also provide a mapping between the obligations outlined in NIS2 and the European Cybersecurity Skills Framework role profiles. |
| The guidance, published as an Excel file, provides technical guidance to support the implementation of NIS2 for affected entities. The specific cybersecurity requirements are defined by Commission Implementing Regulation (EU) 2024/2690. |
| Directed at national competent authorities, the handbook provides step-by-step guidance on how such institutions may conduct a stress test on entities in critical sectors. |




