NIS2 Member State Tracker.
Live transposition status of the NIS2 Directive across all 27 EU Member States. National law, dates, supervisory authority, penalty ceilings, infringement proceedings. Last updated 2026-04-19.
In force / enacted
24
89% of 27 MS
In parliament / draft
3
still transposing
Infringement open
3
Article 260 TFEU
Transposition deadline
17 Oct 2024
Missed by most MS
| Member State | Status | National Law | In force | Supervisory Authority | Infringement |
|---|---|---|---|---|---|
Austria (AT) Österreich | In force | Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024) | 2024-10-18 | Bundesministerium für Inneres (BMI) + Bundeskanzleramt | None |
Belgium (BE) België / Belgique | In force | Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging | 2024-10-18 | Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België | None |
Bulgaria (BG) България | Enacted (delayed entry) | Закон за кибер сигурност (Cybersecurity Act amendment) | 2025-04-15 | State Agency for Electronic Governance + National CSIRT | Closed |
Croatia (HR) Hrvatska | In force | Zakon o kibernetičkoj sigurnosti (Cybersecurity Act) | 2024-02-28 | Središnji državni ured za razvoj digitalnog društva (SDURDD) | None |
Cyprus (CY) Κύπρος | In parliament | Draft Law on Security of Network and Information Systems | — | Digital Security Authority (planned) | Open (Article 260 TFEU Reasoned Opinion issued) |
Czech Republic (CZ) Česká republika | In force | Zákon o kybernetické bezpečnosti (amended 2024) | 2025-01-01 | Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB) | None |
Denmark (DK) Danmark | In force | Lov om informationssikkerhed i net og systemer (NIS2-loven) | 2024-10-18 | Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service | None |
Estonia (EE) Eesti | In force | Küberturvalisuse seadus (Cybersecurity Act, amended) | 2024-10-18 | Riigi Infosüsteemi Amet (RIA) | None |
Finland (FI) Suomi | In force | Kyberturvallisuuslaki (Cybersecurity Act) | 2024-10-18 | Kyberturvallisuuskeskus (Traficom / NCSC-FI) | None |
France (FR) France | In force | Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale | 2024-10-18 | Agence nationale de la sécurité des systèmes d'information (ANSSI) | None |
Germany (DE) Deutschland | In parliament | NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) | — | Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities | Open (Article 260 TFEU Reasoned Opinion) |
Greece (GR) Ελλάδα | In force | Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act | 2024-10-18 | National Cybersecurity Authority (formerly National Cybersecurity Directorate) | None |
Hungary (HU) Magyarország | Enacted (delayed entry) | 2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity) | 2025-01-01 | Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute) | Closed |
Ireland (IE) Éire | In force | Network and Information Security (Amendment) Act 2024 | 2024-10-18 | National Cyber Security Centre (NCSC) of Ireland | None |
Italy (IT) Italia | In force | Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2) | 2024-10-16 | Agenzia per la Cybersicurezza Nazionale (ACN) | None |
Latvia (LV) Latvija | In force | Nacionālās kiberdrošības likums (National Cybersecurity Law) | 2024-10-18 | Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet | None |
Lithuania (LT) Lietuva | In force | Kibernetinio saugumo įstatymas (amended 2024) | 2024-10-18 | Nacionalinis kibernetinio saugumo centras (NKSC) | None |
Luxembourg (LU) Luxembourg | In force | Loi du 4 octobre 2024 sur la cybersécurité | 2024-10-18 | Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial | None |
Malta (MT) Malta | Enacted (delayed entry) | Network and Information Systems (Amendment) Act 2025 | 2025-05-01 | Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA) | Closed |
Netherlands (NL) Nederland | Enacted (delayed entry) | Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2) | 2025-03-01 | Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral | Closed |
Poland (PL) Polska | In parliament | Ustawa o krajowym systemie cyberbezpieczeństwa (KSC — nowelizacja NIS2) | — | Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs | Open (Reasoned Opinion) |
Portugal (PT) Portugal | In force | Decreto-Lei n.º 65/2024 (NIS2 transposition) | 2024-10-18 | Centro Nacional de Cibersegurança (CNCS) | None |
Romania (RO) România | Enacted (delayed entry) | Legea nr. 201/2024 (Cybersecurity Law, amended) | 2025-03-20 | Direcția Națională de Securitate Cibernetică (DNSC) | Closed |
Slovakia (SK) Slovensko | In force | Zákon o kybernetickej bezpečnosti (amended 2024) | 2024-10-18 | Národný bezpečnostný úrad (NBÚ) | None |
Slovenia (SI) Slovenija | In force | Zakon o informacijski varnosti (ZInfV-1, amended) | 2024-10-18 | Uprava Republike Slovenije za informacijsko varnost (URSIV) | None |
Spain (ES) España | In force | Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2) | 2024-10-18 | Centro Criptológico Nacional (CCN-CERT) + sectoral | None |
Sweden (SE) Sverige | Enacted (delayed entry) | Cybersäkerhetslag (SFS 2024:824) | 2025-01-01 | Myndigheten för samhällsskydd och beredskap (MSB) + sectoral | Closed |
Sources: European Commission infringement database, national gazettes, ENISA transposition monitoring, national CSIRT announcements. Data under CC BY 4.0. Cite as: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.
Member State details
Austria (AT)
Österreich
Law: Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024)
Enacted: 2024-10-17
In force: 2024-10-18
Authority: Bundesministerium für Inneres (BMI) + Bundeskanzleramt
Registration: 3 months after scope trigger
Essential fines: €10M or 2% worldwide turnover
Important fines: €7M or 1.4% worldwide turnover
Management: Explicit personal liability + mandatory training
Austria was among the first Member States to fully transpose NIS2, on time for the EU deadline.
Belgium (BE)
België / Belgique
Law: Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging
Enacted: 2024-04-26
In force: 2024-10-18
Authority: Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België
Registration: 5 months after law entering force
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability + training obligation
Belgium transposed ahead of deadline. CCB manages the national Safeonweb.be portal for registrations.
Bulgaria (BG)
България
Law: Закон за кибер сигурност (Cybersecurity Act amendment)
Enacted: 2025-01-15
In force: 2025-04-15
Authority: State Agency for Electronic Governance + National CSIRT
Registration: 6 months from scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability clause
Delayed transposition resolved via late-Q1 2025 amendment. Infringement proceedings closed.
Croatia (HR)
Hrvatska
Law: Zakon o kibernetičkoj sigurnosti (Cybersecurity Act)
Enacted: 2024-02-15
In force: 2024-02-28
Authority: Središnji državni ured za razvoj digitalnog društva (SDURDD)
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability explicit
Croatia was the first Member State to transpose (February 2024, 8 months ahead of deadline).
Cyprus (CY)
Κύπρος
Law: Draft Law on Security of Network and Information Systems
Enacted: —
In force: —
Authority: Digital Security Authority (planned)
Registration: TBD in final law
Essential fines: €10M or 2% (per draft)
Important fines: €7M or 1.4% (per draft)
Management: Personal liability per draft
Draft submitted to House of Representatives Q4 2025. Expected enactment Q2 2026.
Czech Republic (CZ)
Česká republika
Law: Zákon o kybernetické bezpečnosti (amended 2024)
Enacted: 2024-11-01
In force: 2025-01-01
Authority: Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB)
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability explicit
NÚKIB is an experienced cyber authority — transposition proceeded smoothly with industry consultation.
Denmark (DK)
Danmark
Law: Lov om informationssikkerhed i net og systemer (NIS2-loven)
Enacted: 2024-06-12
In force: 2024-10-18
Authority: Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability + training
Denmark transposed on time. CFCS leads national implementation.
Estonia (EE)
Eesti
Law: Küberturvalisuse seadus (Cybersecurity Act, amended)
Enacted: 2024-09-25
In force: 2024-10-18
Authority: Riigi Infosüsteemi Amet (RIA)
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability clause
Estonia, as a digital-government leader, prioritized smooth NIS2 transposition. RIA manages the portal.
Finland (FI)
Suomi
Law: Kyberturvallisuuslaki (Cybersecurity Act)
Enacted: 2024-05-30
In force: 2024-10-18
Authority: Kyberturvallisuuskeskus (Traficom / NCSC-FI)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Finland transposed on time. Traficom / NCSC-FI has a strong national CSIRT tradition.
France (FR)
France
Law: Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale
Enacted: 2024-10-14
In force: 2024-10-18
Authority: Agence nationale de la sécurité des systèmes d'information (ANSSI)
Registration: 3 months after scope trigger via ANSSI portal
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability explicit; ANSSI can sanction management individually
France took the opportunity to harmonize NIS2 with the existing LPM (Loi de Programmation Militaire) regime for critical operators. ANSSI is a powerful and active supervisor.
Germany (DE)
Deutschland
Law: NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)
Enacted: —
In force: —
Authority: Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities
Registration: 3 months after scope trigger (per draft)
Essential fines: €10M or 2% (per draft)
Important fines: €7M or 1.4% (per draft)
Management: § 38 BSIG-neu: personal liability + training obligation
Germany missed the October 2024 transposition deadline. Q1 2025 post-election political changes slowed the process. As of April 2026, NIS2UmsuCG is in parliamentary review. Supervisory authorities already apply NIS2 standards de facto.
Greece (GR)
Ελλάδα
Law: Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act
Enacted: 2024-10-15
In force: 2024-10-18
Authority: National Cybersecurity Authority (formerly National Cybersecurity Directorate)
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Greece transposed on time. National Cybersecurity Authority coordinates with sector-specific regulators.
Hungary (HU)
Magyarország
Law: 2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity)
Enacted: 2024-11-28
In force: 2025-01-01
Authority: Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability clause
Short delay beyond deadline resolved via November 2024 enactment.
Ireland (IE)
Éire
Law: Network and Information Security (Amendment) Act 2024
Enacted: 2024-10-09
In force: 2024-10-18
Authority: National Cyber Security Centre (NCSC) of Ireland
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability + director-level training
Ireland transposed on time. NCSC Ireland plays particularly important role given Ireland's position as EU data/cloud hub.
Italy (IT)
Italia
Law: Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2)
Enacted: 2024-09-04
In force: 2024-10-16
Authority: Agenzia per la Cybersicurezza Nazionale (ACN)
Registration: 180 days from scope trigger (generous by EU standards)
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability; training obligation documented
Italy transposed just ahead of the deadline. ACN (founded 2021) is a relatively new but active authority.
Latvia (LV)
Latvija
Law: Nacionālās kiberdrošības likums (National Cybersecurity Law)
Enacted: 2024-09-12
In force: 2024-10-18
Authority: Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Transposed on time.
Lithuania (LT)
Lietuva
Law: Kibernetinio saugumo įstatymas (amended 2024)
Enacted: 2024-07-18
In force: 2024-10-18
Authority: Nacionalinis kibernetinio saugumo centras (NKSC)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Transposed ahead of deadline. NKSC is the coordinating authority.
Luxembourg (LU)
Luxembourg
Law: Loi du 4 octobre 2024 sur la cybersécurité
Enacted: 2024-10-04
In force: 2024-10-18
Authority: Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Luxembourg transposed on time. Given its financial-services hub status, CSSF coordinates NIS2+DORA overlap for financial entities.
Malta (MT)
Malta
Law: Network and Information Systems (Amendment) Act 2025
Enacted: 2025-02-14
In force: 2025-05-01
Authority: Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Slight delay. MCA oversees for most sectors; MDIA for digital services.
Netherlands (NL)
Nederland
Law: Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2)
Enacted: 2024-12-10
In force: 2025-03-01
Authority: Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral
Registration: 3 months after scope trigger
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability + mandatory training
Short delay beyond deadline. Wbni 2 replaces original Wbni. NCSC-NL leads with Agentschap Telecom handling digital services.
Poland (PL)
Polska
Law: Ustawa o krajowym systemie cyberbezpieczeństwa (KSC — nowelizacja NIS2)
Enacted: —
In force: —
Authority: Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs
Registration: 3 months (per draft)
Essential fines: €10M or 2% (per draft)
Important fines: €7M or 1.4% (per draft)
Management: Personal liability per draft
Poland's KSC amendment in parliamentary stage. Expected Q2-Q3 2026. Supervisory practice already aligned to NIS2.
Portugal (PT)
Portugal
Law: Decreto-Lei n.º 65/2024 (NIS2 transposition)
Enacted: 2024-10-11
In force: 2024-10-18
Authority: Centro Nacional de Cibersegurança (CNCS)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
On-time transposition. CNCS leads.
Romania (RO)
România
Law: Legea nr. 201/2024 (Cybersecurity Law, amended)
Enacted: 2024-12-20
In force: 2025-03-20
Authority: Direcția Națională de Securitate Cibernetică (DNSC)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
Short delay. DNSC is the coordinating authority.
Slovakia (SK)
Slovensko
Law: Zákon o kybernetickej bezpečnosti (amended 2024)
Enacted: 2024-10-02
In force: 2024-10-18
Authority: Národný bezpečnostný úrad (NBÚ)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
On-time transposition.
Slovenia (SI)
Slovenija
Law: Zakon o informacijski varnosti (ZInfV-1, amended)
Enacted: 2024-09-26
In force: 2024-10-18
Authority: Uprava Republike Slovenije za informacijsko varnost (URSIV)
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability
On-time.
Spain (ES)
España
Law: Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2)
Enacted: 2024-07-11
In force: 2024-10-18
Authority: Centro Criptológico Nacional (CCN-CERT) + sectoral
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability; INCIBE coordinates for private sector
Spain used a Royal Decree-Law (emergency mechanism) to transpose ahead of the October deadline. INCIBE provides business-facing resources.
Sweden (SE)
Sverige
Law: Cybersäkerhetslag (SFS 2024:824)
Enacted: 2024-10-21
In force: 2025-01-01
Authority: Myndigheten för samhällsskydd och beredskap (MSB) + sectoral
Registration: 3 months
Essential fines: €10M or 2%
Important fines: €7M or 1.4%
Management: Personal liability explicit
Marginal delay beyond deadline. MSB coordinates; sectoral authorities (Finansinspektionen for finance, Läkemedelsverket for health) supervise their sectors.
Using this tracker
This tracker is free to use, share, and cite. The underlying data is licensed under CC BY 4.0. When citing, please use: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.
For organizations tracking their own NIS2 readiness across multiple Member States, Matproof's compliance platform includes country-aware registration workflows, incident-reporting timelines, and supervisory-authority templates. Take the NIS2 Readiness Assessment or book a demo.
Operationalize NIS2 across jurisdictions.
Matproof handles multi-jurisdiction NIS2 deployment — registration, incident reporting, supervisory coordination — in one EU-hosted platform.