Live Tracker · CC BY 4.0
NIS2 Member State Tracker.
Live transposition status of the NIS2 Directive across all 27 EU Member States. National law, dates, supervisory authority, penalty ceilings, infringement proceedings.
Last updated 2026-04-24.
Transposition table
All 27 Member States at a glance.
| Member State | Status | National Law | In force | Supervisory Authority | Infringement |
|---|---|---|---|---|---|
Austria (AT) Österreich | In force | Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024) | 2024-10-18 | Bundesministerium für Inneres (BMI) + Bundeskanzleramt | None |
Belgium (BE) België / Belgique | In force | Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging | 2024-10-18 | Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België | None |
Bulgaria (BG) България | Enacted (delayed entry) | Закон за кибер сигурност (Cybersecurity Act amendment) | 2025-04-15 | State Agency for Electronic Governance + National CSIRT | Closed |
Croatia (HR) Hrvatska | In force | Zakon o kibernetičkoj sigurnosti (Cybersecurity Act) | 2024-02-28 | Središnji državni ured za razvoj digitalnog društva (SDURDD) | None |
Cyprus (CY) Κύπρος | In force | Network and Information Systems Security (Amendment) Law of 2025 | 2025-04-25 | Digital Security Authority (DSA) + Commissioner of Communications | Open (Article 258 TFEU Reasoned Opinion issued 7 May 2025; Cyprus transposition notification under Commission review) |
Czech Republic (CZ) Česká republika | In force | Zákon o kybernetické bezpečnosti (amended 2024) | 2025-01-01 | Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB) | None |
Denmark (DK) Danmark | In force | Lov om informationssikkerhed i net og systemer (NIS2-loven) | 2024-10-18 | Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service | None |
Estonia (EE) Eesti | In force | Küberturvalisuse seadus (Cybersecurity Act, amended) | 2024-10-18 | Riigi Infosüsteemi Amet (RIA) | None |
Finland (FI) Suomi | In force | Kyberturvallisuuslaki (Cybersecurity Act) | 2024-10-18 | Kyberturvallisuuskeskus (Traficom / NCSC-FI) | None |
France (FR) France | In force | Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale | 2024-10-18 | Agence nationale de la sécurité des systèmes d'information (ANSSI) | None |
Germany (DE) Deutschland | In force | NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) | 2025-12-06 | Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities | Closed (cured by transposition; formal closure pending) |
Greece (GR) Ελλάδα | In force | Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act | 2024-10-18 | National Cybersecurity Authority (formerly National Cybersecurity Directorate) | None |
Hungary (HU) Magyarország | Enacted (delayed entry) | 2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity) | 2025-01-01 | Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute) | Closed |
Ireland (IE) Éire | In force | Network and Information Security (Amendment) Act 2024 | 2024-10-18 | National Cyber Security Centre (NCSC) of Ireland | None |
Italy (IT) Italia | In force | Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2) | 2024-10-16 | Agenzia per la Cybersicurezza Nazionale (ACN) | None |
Latvia (LV) Latvija | In force | Nacionālās kiberdrošības likums (National Cybersecurity Law) | 2024-10-18 | Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet | None |
Lithuania (LT) Lietuva | In force | Kibernetinio saugumo įstatymas (amended 2024) | 2024-10-18 | Nacionalinis kibernetinio saugumo centras (NKSC) | None |
Luxembourg (LU) Luxembourg | In force | Loi du 4 octobre 2024 sur la cybersécurité | 2024-10-18 | Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial | None |
Malta (MT) Malta | Enacted (delayed entry) | Network and Information Systems (Amendment) Act 2025 | 2025-05-01 | Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA) | Closed |
Netherlands (NL) Nederland | Enacted (delayed entry) | Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2) | 2025-03-01 | Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral | Closed |
Poland (PL) Polska | Enacted (delayed entry) | Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa (UKSC2) | — | Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs | Closed (cured by transposition; formal closure pending) |
Portugal (PT) Portugal | In force | Decreto-Lei n.º 65/2024 (NIS2 transposition) | 2024-10-18 | Centro Nacional de Cibersegurança (CNCS) | None |
Romania (RO) România | Enacted (delayed entry) | Legea nr. 201/2024 (Cybersecurity Law, amended) | 2025-03-20 | Direcția Națională de Securitate Cibernetică (DNSC) | Closed |
Slovakia (SK) Slovensko | In force | Zákon o kybernetickej bezpečnosti (amended 2024) | 2024-10-18 | Národný bezpečnostný úrad (NBÚ) | None |
Slovenia (SI) Slovenija | In force | Zakon o informacijski varnosti (ZInfV-1, amended) | 2024-10-18 | Uprava Republike Slovenije za informacijsko varnost (URSIV) | None |
Spain (ES) España | In force | Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2) | 2024-10-18 | Centro Criptológico Nacional (CCN-CERT) + sectoral | None |
Sweden (SE) Sverige | Enacted (delayed entry) | Cybersäkerhetslag (SFS 2024:824) | 2025-01-01 | Myndigheten för samhällsskydd och beredskap (MSB) + sectoral | Closed |
Sources: European Commission infringement database, national gazettes, ENISA transposition monitoring, national CSIRT announcements. Data under CC BY 4.0. Cite as: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.
Per-country detail
Member State details.
Austria (AT)
- Law:
- Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024)
- Enacted:
- 2024-10-17
- In force:
- 2024-10-18
- Authority:
- Bundesministerium für Inneres (BMI) + Bundeskanzleramt
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2% worldwide turnover
- Important fines:
- €7M or 1.4% worldwide turnover
- Management:
- Explicit personal liability + mandatory training
Austria was among the first Member States to fully transpose NIS2, on time for the EU deadline.
Belgium (BE)
- Law:
- Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging
- Enacted:
- 2024-04-26
- In force:
- 2024-10-18
- Authority:
- Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België
- Registration:
- 5 months after law entering force
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability + training obligation
Belgium transposed ahead of deadline. CCB manages the national Safeonweb.be portal for registrations.
Bulgaria (BG)
- Law:
- Закон за кибер сигурност (Cybersecurity Act amendment)
- Enacted:
- 2025-01-15
- In force:
- 2025-04-15
- Authority:
- State Agency for Electronic Governance + National CSIRT
- Registration:
- 6 months from scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability clause
Delayed transposition resolved via late-Q1 2025 amendment. Infringement proceedings closed.
Croatia (HR)
- Law:
- Zakon o kibernetičkoj sigurnosti (Cybersecurity Act)
- Enacted:
- 2024-02-15
- In force:
- 2024-02-28
- Authority:
- Središnji državni ured za razvoj digitalnog društva (SDURDD)
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability explicit
Croatia was the first Member State to transpose (February 2024, 8 months ahead of deadline).
Cyprus (CY)
- Law:
- Network and Information Systems Security (Amendment) Law of 2025
- Enacted:
- 2025-04-25
- In force:
- 2025-04-25
- Authority:
- Digital Security Authority (DSA) + Commissioner of Communications
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2% worldwide turnover
- Important fines:
- €7M or 1.4% worldwide turnover
- Management:
- Personal liability + training obligation
Amendment Law published 25 April 2025, transposing NIS2 in full. Secondary implementing framework (sectoral guidance, operational capacity of the DSA) is still maturing — ECSO classifies Cyprus at maturity level 3. Early-warning notification set at 6 hours, stricter than NIS2 baseline.
Czech Republic (CZ)
- Law:
- Zákon o kybernetické bezpečnosti (amended 2024)
- Enacted:
- 2024-11-01
- In force:
- 2025-01-01
- Authority:
- Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB)
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability explicit
NÚKIB is an experienced cyber authority — transposition proceeded smoothly with industry consultation.
Denmark (DK)
- Law:
- Lov om informationssikkerhed i net og systemer (NIS2-loven)
- Enacted:
- 2024-06-12
- In force:
- 2024-10-18
- Authority:
- Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability + training
Denmark transposed on time. CFCS leads national implementation.
Estonia (EE)
- Law:
- Küberturvalisuse seadus (Cybersecurity Act, amended)
- Enacted:
- 2024-09-25
- In force:
- 2024-10-18
- Authority:
- Riigi Infosüsteemi Amet (RIA)
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability clause
Estonia, as a digital-government leader, prioritized smooth NIS2 transposition. RIA manages the portal.
Finland (FI)
- Law:
- Kyberturvallisuuslaki (Cybersecurity Act)
- Enacted:
- 2024-05-30
- In force:
- 2024-10-18
- Authority:
- Kyberturvallisuuskeskus (Traficom / NCSC-FI)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Finland transposed on time. Traficom / NCSC-FI has a strong national CSIRT tradition.
France (FR)
- Law:
- Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale
- Enacted:
- 2024-10-14
- In force:
- 2024-10-18
- Authority:
- Agence nationale de la sécurité des systèmes d'information (ANSSI)
- Registration:
- 3 months after scope trigger via ANSSI portal
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability explicit; ANSSI can sanction management individually
France took the opportunity to harmonize NIS2 with the existing LPM (Loi de Programmation Militaire) regime for critical operators. ANSSI is a powerful and active supervisor.
Germany (DE)
- Law:
- NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)
- Enacted:
- 2025-11-20
- In force:
- 2025-12-06
- Authority:
- Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities
- Registration:
- 3 months after scope trigger; BSI registration window closed 2026-03-06
- Essential fines:
- €10M or 2% worldwide turnover
- Important fines:
- €7M or 1.4% worldwide turnover
- Management:
- § 38 BSIG-neu: personal liability + training obligation
Germany missed the October 2024 transposition deadline. After the Ampel coalition collapse the draft fell to parliamentary discontinuity; the successor coalition re-introduced it and the Bundestag passed NIS2UmsuCG on 13 November 2025, the Bundesrat on 20 November 2025, and it was promulgated in the BGBl on 6 December 2025. In force since 6 December 2025; no transition period. BSI registration deadline 6 March 2026.
Greece (GR)
- Law:
- Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act
- Enacted:
- 2024-10-15
- In force:
- 2024-10-18
- Authority:
- National Cybersecurity Authority (formerly National Cybersecurity Directorate)
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Greece transposed on time. National Cybersecurity Authority coordinates with sector-specific regulators.
Hungary (HU)
- Law:
- 2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity)
- Enacted:
- 2024-11-28
- In force:
- 2025-01-01
- Authority:
- Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability clause
Short delay beyond deadline resolved via November 2024 enactment.
Ireland (IE)
- Law:
- Network and Information Security (Amendment) Act 2024
- Enacted:
- 2024-10-09
- In force:
- 2024-10-18
- Authority:
- National Cyber Security Centre (NCSC) of Ireland
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability + director-level training
Ireland transposed on time. NCSC Ireland plays particularly important role given Ireland's position as EU data/cloud hub.
Italy (IT)
- Law:
- Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2)
- Enacted:
- 2024-09-04
- In force:
- 2024-10-16
- Authority:
- Agenzia per la Cybersicurezza Nazionale (ACN)
- Registration:
- 180 days from scope trigger (generous by EU standards)
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability; training obligation documented
Italy transposed just ahead of the deadline. ACN (founded 2021) is a relatively new but active authority.
Latvia (LV)
- Law:
- Nacionālās kiberdrošības likums (National Cybersecurity Law)
- Enacted:
- 2024-09-12
- In force:
- 2024-10-18
- Authority:
- Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Transposed on time.
Lithuania (LT)
- Law:
- Kibernetinio saugumo įstatymas (amended 2024)
- Enacted:
- 2024-07-18
- In force:
- 2024-10-18
- Authority:
- Nacionalinis kibernetinio saugumo centras (NKSC)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Transposed ahead of deadline. NKSC is the coordinating authority.
Luxembourg (LU)
- Law:
- Loi du 4 octobre 2024 sur la cybersécurité
- Enacted:
- 2024-10-04
- In force:
- 2024-10-18
- Authority:
- Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Luxembourg transposed on time. Given its financial-services hub status, CSSF coordinates NIS2+DORA overlap for financial entities.
Malta (MT)
- Law:
- Network and Information Systems (Amendment) Act 2025
- Enacted:
- 2025-02-14
- In force:
- 2025-05-01
- Authority:
- Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Slight delay. MCA oversees for most sectors; MDIA for digital services.
Netherlands (NL)
- Law:
- Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2)
- Enacted:
- 2024-12-10
- In force:
- 2025-03-01
- Authority:
- Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral
- Registration:
- 3 months after scope trigger
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability + mandatory training
Short delay beyond deadline. Wbni 2 replaces original Wbni. NCSC-NL leads with Agentschap Telecom handling digital services.
Poland (PL)
- Law:
- Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa (UKSC2)
- Enacted:
- 2026-02-19
- In force:
- —
- Authority:
- Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs
- Registration:
- 12 months after meeting threshold criteria; first audit at 24 months for key entities
- Essential fines:
- €10M or 2% worldwide turnover
- Important fines:
- €7M or 1.4% worldwide turnover
- Management:
- Personal liability; mandatory training
Draft submitted to the Sejm on 7 November 2025 after Council adoption in October 2025. Parliament adopted the amendment as law of 23 January 2026; signed by the President on 19 February 2026 (UKSC2). Entry-into-force date per vacatio legis; supervisory practice had already aligned to NIS2 de facto.
Portugal (PT)
- Law:
- Decreto-Lei n.º 65/2024 (NIS2 transposition)
- Enacted:
- 2024-10-11
- In force:
- 2024-10-18
- Authority:
- Centro Nacional de Cibersegurança (CNCS)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
On-time transposition. CNCS leads.
Romania (RO)
- Law:
- Legea nr. 201/2024 (Cybersecurity Law, amended)
- Enacted:
- 2024-12-20
- In force:
- 2025-03-20
- Authority:
- Direcția Națională de Securitate Cibernetică (DNSC)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
Short delay. DNSC is the coordinating authority.
Slovakia (SK)
- Law:
- Zákon o kybernetickej bezpečnosti (amended 2024)
- Enacted:
- 2024-10-02
- In force:
- 2024-10-18
- Authority:
- Národný bezpečnostný úrad (NBÚ)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
On-time transposition.
Slovenia (SI)
- Law:
- Zakon o informacijski varnosti (ZInfV-1, amended)
- Enacted:
- 2024-09-26
- In force:
- 2024-10-18
- Authority:
- Uprava Republike Slovenije za informacijsko varnost (URSIV)
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability
On-time.
Spain (ES)
- Law:
- Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2)
- Enacted:
- 2024-07-11
- In force:
- 2024-10-18
- Authority:
- Centro Criptológico Nacional (CCN-CERT) + sectoral
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability; INCIBE coordinates for private sector
Spain used a Royal Decree-Law (emergency mechanism) to transpose ahead of the October deadline. INCIBE provides business-facing resources.
Sweden (SE)
- Law:
- Cybersäkerhetslag (SFS 2024:824)
- Enacted:
- 2024-10-21
- In force:
- 2025-01-01
- Authority:
- Myndigheten för samhällsskydd och beredskap (MSB) + sectoral
- Registration:
- 3 months
- Essential fines:
- €10M or 2%
- Important fines:
- €7M or 1.4%
- Management:
- Personal liability explicit
Marginal delay beyond deadline. MSB coordinates; sectoral authorities (Finansinspektionen for finance, Läkemedelsverket for health) supervise their sectors.
Usage & citation
Using this tracker.
This tracker is free to use, share, and cite. The underlying data is licensed under CC BY 4.0. When citing, please use: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.
For organizations tracking their own NIS2 readiness, Matproof's compliance platform maps the NIS2 Directive to actionable controls with evidence tracking and a free readiness assessment. Use this tracker alongside it to see how each Member State's transposition affects your obligations.
Go further
Map your NIS2 controls in one place.
Matproof maps the NIS2 Directive to actionable controls with evidence tracking and a free readiness assessment — 100% EU-hosted. Use this tracker to plan for the national transposition that applies to you.