Blend
Compliance Training 29 March 2026

NIS2 Implementation by Country: Where Are We in 2026?

NIS2 transposition status across EU member states in March 2026. Which countries have implemented, who is lagging, and what it means for you.

By Tom Payani

The NIS2 Directive required all EU member states to transpose its provisions into national law by 17 October 2024. That deadline has now passed by nearly eighteen months, and the picture across Europe is what you would expect from any major EU directive: a mix of countries that met the deadline, countries that transposed late, and a small number still working through the process.

For compliance teams, the uneven transposition timeline has created a persistent headache. The directive itself is clear. The obligations are defined. But the practical question — "what exactly do I need to do, in which country, right now?" — has required constant monitoring as national laws have come into force at different times and with different implementing details.

This article provides a practical overview of where NIS2 implementation stands as of March 2026, what the national variations mean for organisations operating across borders, and how to approach compliance when your obligations differ by jurisdiction.


The Transposition Landscape in March 2026

By March 2026, the majority of EU member states have completed transposition. The European Commission's infringement proceedings against lagging states — launched in late 2024 and early 2025 — accelerated the process considerably, and most countries that missed the October 2024 deadline completed their national legislation during 2025.

Countries that met or nearly met the October 2024 deadline: Belgium, Croatia, Hungary, and Lithuania were among the first to transpose NIS2 into national law, having begun their legislative processes well before the deadline. Germany's NIS2 implementing legislation (the NIS2UmsuCG) had a protracted parliamentary process but was ultimately enacted in early 2025 after significant debate about the scope of its application to federal and state institutions. The Netherlands completed transposition in late 2024 through amendments to its existing Network and Information Systems Security Act.

Countries that transposed during 2025: The largest group. France, Italy, Spain, Poland, Sweden, Denmark, Finland, Austria, Ireland, and the Czech Republic all completed their national legislation during 2025, most within the first half of the year. The European Commission's infringement letters served as an effective catalyst — once proceedings were opened, legislative processes that had stalled in national parliaments moved with greater urgency.

Countries still finalising implementation: A small number of member states were still completing technical implementing measures or secondary legislation as of early 2026, even where the primary legislation was in place. In some cases, the main law was enacted but the designation of competent authorities, the establishment of registries for in-scope entities, or the publication of sector-specific guidance was still ongoing. For organisations operating in these jurisdictions, the obligations exist in law but the enforcement infrastructure is not yet fully operational.

The pattern is broadly consistent with previous major EU directives. GDPR, which had a similar transposition timeline, saw a comparable spread of early adopters, mid-range transposers, and late movers. The difference with NIS2 is that the Commission moved more quickly with infringement proceedings, which compressed the tail of late transposition.


Notable National Approaches

While NIS2 sets the framework, member states have discretion in several areas. The national transpositions differ in ways that matter for compliance planning.

Germany has taken a characteristically thorough approach. The NIS2UmsuCG expanded the scope of entities covered beyond the directive's minimum requirements, bringing additional sectors and smaller organisations into scope. The Federal Office for Information Security (BSI) serves as the central competent authority and has published detailed sector-specific guidance. Germany's approach to the management body training obligation under Article 20 is notably prescriptive, with implementing provisions that specify the types of training that satisfy the requirement.

France has integrated NIS2 into its existing national cybersecurity framework under ANSSI (Agence nationale de la sécurité des systèmes d'information). The transposition maintains ANSSI's existing supervisory approach, which emphasises sector-specific guidance and cooperative engagement with regulated entities before moving to enforcement. France has also adopted higher penalty thresholds than the directive's minimum for certain categories of infringement.

The Netherlands has built on its existing NCSC-based framework, with a relatively streamlined transposition that closely follows the directive's text. The Dutch approach to enforcement has historically been pragmatic, with supervisory authorities prioritising risk-based oversight of the most critical entities rather than broad horizontal enforcement.

Italy has designated the National Cybersecurity Agency (ACN) as the primary competent authority and adopted a phased approach to enforcement, with initial focus on registration and identification of in-scope entities before moving to compliance auditing. Italy's transposition includes specific provisions for SMEs that meet the directive's size thresholds, recognising the proportionality challenges for smaller in-scope organisations.

Spain has transposed NIS2 through its national cybersecurity framework, with INCIBE and the CCN sharing supervisory responsibilities across different sectors. The Spanish transposition includes detailed provisions on incident reporting that go beyond the directive's minimum requirements in terms of the information that must be included in notifications.

Poland has adopted one of the more expansive national transpositions, with a broad interpretation of which entities fall within scope and detailed requirements for cybersecurity risk assessments. The Polish approach to Article 20 management training is among the most specific in the EU, with requirements that training be documented, assessed, and repeated at defined intervals.

For a detailed comparison of how NIS2 penalties vary across these jurisdictions, see our NIS2 penalties guide.


What National Variation Means for Multi-Country Organisations

If your organisation operates in a single EU member state, the compliance path is relatively straightforward: implement the requirements of your national transposition. But many NIS2 in-scope organisations operate across multiple jurisdictions, and the national variations create practical challenges.

Scope determination varies. An entity that falls within NIS2's scope in one member state may be classified differently in another, depending on how that state has interpreted the directive's sector definitions and size thresholds. If your subsidiaries operate in different countries, each subsidiary's classification must be assessed against the relevant national law.

Competent authority differs. Your primary supervisory authority is determined by where the entity is established (or, for certain digital service providers, where its main establishment is located). An organisation with entities in multiple member states may report to different competent authorities for different parts of its operations. Understanding which authority supervises which entity is essential for incident reporting and audit preparation.

Reporting requirements vary in detail. While all member states implement the same basic Article 23 timeline — 24 hours for early warning, 72 hours for incident notification, one month for final report — the specific information required in each notification, the format of the report, and the mechanism for submission differ by jurisdiction. A significant incident affecting operations in three countries may require three separate notification processes with three different content requirements.

Training expectations differ in specificity. Some member states have transposed the Article 20 training obligation with detailed implementing provisions — specifying frequency, content standards, and documentation requirements. Others have adopted the directive's language more closely, leaving more discretion to the organisation. If you are designing a group-wide training programme, it must meet the most demanding national requirement applicable across your footprint.

Enforcement timelines differ. Countries that transposed early are further into their enforcement cycles. Some have already completed first rounds of compliance audits and issued corrective orders. Countries that transposed late are still in the entity registration and identification phase. This creates an uneven enforcement landscape where the same organisation may face active audit in one jurisdiction and be largely unexamined in another.


Practical Guidance for Multi-Country Compliance

Given the variation across member states, here is a practical approach to building a NIS2 compliance programme that works across borders.

Build to the highest standard. Rather than designing minimum compliance programmes for each jurisdiction, identify the most demanding requirements across your operational footprint and build your baseline programme to meet those. This is more efficient than maintaining separate programmes for each country, and it provides a margin of safety when national requirements evolve or enforcement expectations increase.

Centralise your risk-management framework. Article 21's ten risk-management measures provide a common structure that applies in every member state. Build your cybersecurity risk-management framework at group level, with local adaptations where national law requires additional measures. This gives you a consistent governance structure while accommodating jurisdictional differences.

Localise incident reporting. Unlike the risk-management framework, incident reporting must be localised. Each entity must report to its own competent authority, in the format and within the timelines that authority requires. Maintain a clear mapping of which authority supervises each entity, what their reporting requirements are, and how to submit notifications. Test this process before you need it.

Standardise training, then adapt. A group-wide training programme is the most efficient approach, but it must be flexible enough to accommodate national differences. Some jurisdictions require specific training content or frequency. Others require particular documentation standards. Design the core programme to cover the directive's requirements comprehensively, then layer in jurisdiction-specific modules where needed.

Our NIS2 course is designed for organisations operating across the EU. It covers the directive's requirements at a level that satisfies the most demanding national transpositions, and it can be deployed to different audiences — board members, technical staff, and general workforce — with role-appropriate depth.

Maintain a compliance register. Document which member states you operate in, which national laws apply, which competent authorities supervise each entity, and what specific obligations apply in each jurisdiction. This register becomes your single source of truth for compliance planning and audit preparation.


The Enforcement Trajectory

As of March 2026, enforcement is accelerating. Countries that completed transposition in 2024 and early 2025 are now well into their supervisory cycles. Entity registration is largely complete in these jurisdictions, and competent authorities are conducting systematic compliance assessments.

The pattern from GDPR enforcement offers a useful reference point. In the first year after GDPR became enforceable, enforcement was relatively light, with supervisory authorities focused on guidance, registration, and complaints handling. By year two, significant fines began to appear. By year three, enforcement was routine and substantial. NIS2 appears to be following a similar trajectory, with the additional factor that the Commission has been more aggressive with infringement proceedings, which has compressed the timeline.

For organisations that have not yet begun their NIS2 compliance programme, the window for low-risk catch-up is closing. In jurisdictions where transposition occurred in 2024 or early 2025, supervisory authorities have had over a year to establish their enforcement processes. Being among the last to comply in a jurisdiction where audits are already underway is an avoidable risk.

For organisations that have a programme in place, the focus should now be on documentation, testing, and continuous improvement. Ensure that your risk-management measures are not just implemented but documented. Ensure that your training programme produces auditable evidence. Ensure that your incident reporting process has been tested, not just designed.

For a broader perspective on how NIS2 interacts with other EU frameworks — particularly for financial services organisations — see our DORA vs. NIS2 comparison.


What To Do Now

Regardless of which member states you operate in, the core obligations are the same. Article 21's risk-management measures, Article 20's management training requirement, and Article 23's incident reporting obligations apply everywhere. The national variations affect the details, not the fundamentals.

If you have not yet assessed your organisation's NIS2 compliance posture, our free diagnostic takes two minutes and gives you a clear picture of where you stand — across training, risk management, and incident reporting readiness.

If you are ready to address the training component, our NIS2 course covers board-level governance, technical staff requirements, and general workforce cyber hygiene in a single programme that produces the evidence auditors look for.

The directive is in force. The national laws are in place. The enforcement machinery is operational. The question is no longer whether NIS2 applies to your organisation, but whether your compliance programme can withstand scrutiny.
