SEE MATPROOF ON YOUR STACK — BOOK A 30-MINUTE DEMO
Tools/NIS2 Member State Tracker

Live Tracker · CC BY 4.0

NIS2 Member State Tracker.

Live transposition status of the NIS2 Directive across all 27 EU Member States. National law, dates, supervisory authority, penalty ceilings, infringement proceedings.

Last updated 2026-04-24.

In force / enacted
27
100% of 27 MS
In parliament / draft
0
Still transposing
Infringement open
1
Article 258 TFEU
Transposition deadline
17 Oct 2024
Missed by most MS

Transposition table

All 27 Member States at a glance.

Member StateStatusNational LawIn forceSupervisory AuthorityInfringement
Austria (AT)
Österreich
In forceNetz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024)2024-10-18Bundesministerium für Inneres (BMI) + BundeskanzleramtNone
Belgium (BE)
België / Belgique
In forceLoi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging2024-10-18Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity BelgiëNone
Bulgaria (BG)
България
Enacted (delayed entry)Закон за кибер сигурност (Cybersecurity Act amendment)2025-04-15State Agency for Electronic Governance + National CSIRTClosed
Croatia (HR)
Hrvatska
In forceZakon o kibernetičkoj sigurnosti (Cybersecurity Act)2024-02-28Središnji državni ured za razvoj digitalnog društva (SDURDD)None
Cyprus (CY)
Κύπρος
In forceNetwork and Information Systems Security (Amendment) Law of 20252025-04-25Digital Security Authority (DSA) + Commissioner of CommunicationsOpen (Article 258 TFEU Reasoned Opinion issued 7 May 2025; Cyprus transposition notification under Commission review)
Czech Republic (CZ)
Česká republika
In forceZákon o kybernetické bezpečnosti (amended 2024)2025-01-01Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB)None
Denmark (DK)
Danmark
In forceLov om informationssikkerhed i net og systemer (NIS2-loven)2024-10-18Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence ServiceNone
Estonia (EE)
Eesti
In forceKüberturvalisuse seadus (Cybersecurity Act, amended)2024-10-18Riigi Infosüsteemi Amet (RIA)None
Finland (FI)
Suomi
In forceKyberturvallisuuslaki (Cybersecurity Act)2024-10-18Kyberturvallisuuskeskus (Traficom / NCSC-FI)None
France (FR)
France
In forceLoi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale2024-10-18Agence nationale de la sécurité des systèmes d'information (ANSSI)None
Germany (DE)
Deutschland
In forceNIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)2025-12-06Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authoritiesClosed (cured by transposition; formal closure pending)
Greece (GR)
Ελλάδα
In forceΝ. 5160/2024 (Law 5160/2024) - Cybersecurity Act2024-10-18National Cybersecurity Authority (formerly National Cybersecurity Directorate)None
Hungary (HU)
Magyarország
Enacted (delayed entry)2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity)2025-01-01Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute)Closed
Ireland (IE)
Éire
In forceNetwork and Information Security (Amendment) Act 20242024-10-18National Cyber Security Centre (NCSC) of IrelandNone
Italy (IT)
Italia
In forceDecreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2)2024-10-16Agenzia per la Cybersicurezza Nazionale (ACN)None
Latvia (LV)
Latvija
In forceNacionālās kiberdrošības likums (National Cybersecurity Law)2024-10-18Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + CabinetNone
Lithuania (LT)
Lietuva
In forceKibernetinio saugumo įstatymas (amended 2024)2024-10-18Nacionalinis kibernetinio saugumo centras (NKSC)None
Luxembourg (LU)
Luxembourg
In forceLoi du 4 octobre 2024 sur la cybersécurité2024-10-18Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financialNone
Malta (MT)
Malta
Enacted (delayed entry)Network and Information Systems (Amendment) Act 20252025-05-01Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA)Closed
Netherlands (NL)
Nederland
Enacted (delayed entry)Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2)2025-03-01Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoralClosed
Poland (PL)
Polska
Enacted (delayed entry)Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa (UKSC2)Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTsClosed (cured by transposition; formal closure pending)
Portugal (PT)
Portugal
In forceDecreto-Lei n.º 65/2024 (NIS2 transposition)2024-10-18Centro Nacional de Cibersegurança (CNCS)None
Romania (RO)
România
Enacted (delayed entry)Legea nr. 201/2024 (Cybersecurity Law, amended)2025-03-20Direcția Națională de Securitate Cibernetică (DNSC)Closed
Slovakia (SK)
Slovensko
In forceZákon o kybernetickej bezpečnosti (amended 2024)2024-10-18Národný bezpečnostný úrad (NBÚ)None
Slovenia (SI)
Slovenija
In forceZakon o informacijski varnosti (ZInfV-1, amended)2024-10-18Uprava Republike Slovenije za informacijsko varnost (URSIV)None
Spain (ES)
España
In forceReal Decreto-ley 7/2024, de 11 de julio (transposition of NIS2)2024-10-18Centro Criptológico Nacional (CCN-CERT) + sectoralNone
Sweden (SE)
Sverige
Enacted (delayed entry)Cybersäkerhetslag (SFS 2024:824)2025-01-01Myndigheten för samhällsskydd och beredskap (MSB) + sectoralClosed

Sources: European Commission infringement database, national gazettes, ENISA transposition monitoring, national CSIRT announcements. Data under CC BY 4.0. Cite as: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.

Per-country detail

Member State details.

Austria (AT)

Österreich
In force
Law:
Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024)
Enacted:
2024-10-17
In force:
2024-10-18
Authority:
Bundesministerium für Inneres (BMI) + Bundeskanzleramt
Registration:
3 months after scope trigger
Essential fines:
€10M or 2% worldwide turnover
Important fines:
€7M or 1.4% worldwide turnover
Management:
Explicit personal liability + mandatory training

Austria was among the first Member States to fully transpose NIS2, on time for the EU deadline.

Belgium (BE)

België / Belgique
In force
Law:
Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging
Enacted:
2024-04-26
In force:
2024-10-18
Authority:
Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België
Registration:
5 months after law entering force
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability + training obligation

Belgium transposed ahead of deadline. CCB manages the national Safeonweb.be portal for registrations.

Bulgaria (BG)

България
Enacted (delayed entry)
Law:
Закон за кибер сигурност (Cybersecurity Act amendment)
Enacted:
2025-01-15
In force:
2025-04-15
Authority:
State Agency for Electronic Governance + National CSIRT
Registration:
6 months from scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability clause

Delayed transposition resolved via late-Q1 2025 amendment. Infringement proceedings closed.

Croatia (HR)

Hrvatska
In force
Law:
Zakon o kibernetičkoj sigurnosti (Cybersecurity Act)
Enacted:
2024-02-15
In force:
2024-02-28
Authority:
Središnji državni ured za razvoj digitalnog društva (SDURDD)
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability explicit

Croatia was the first Member State to transpose (February 2024, 8 months ahead of deadline).

Cyprus (CY)

Κύπρος
In force
Law:
Network and Information Systems Security (Amendment) Law of 2025
Enacted:
2025-04-25
In force:
2025-04-25
Authority:
Digital Security Authority (DSA) + Commissioner of Communications
Registration:
3 months after scope trigger
Essential fines:
€10M or 2% worldwide turnover
Important fines:
€7M or 1.4% worldwide turnover
Management:
Personal liability + training obligation

Amendment Law published 25 April 2025, transposing NIS2 in full. Secondary implementing framework (sectoral guidance, operational capacity of the DSA) is still maturing — ECSO classifies Cyprus at maturity level 3. Early-warning notification set at 6 hours, stricter than NIS2 baseline.

Czech Republic (CZ)

Česká republika
In force
Law:
Zákon o kybernetické bezpečnosti (amended 2024)
Enacted:
2024-11-01
In force:
2025-01-01
Authority:
Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB)
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability explicit

NÚKIB is an experienced cyber authority — transposition proceeded smoothly with industry consultation.

Denmark (DK)

Danmark
In force
Law:
Lov om informationssikkerhed i net og systemer (NIS2-loven)
Enacted:
2024-06-12
In force:
2024-10-18
Authority:
Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability + training

Denmark transposed on time. CFCS leads national implementation.

Estonia (EE)

Eesti
In force
Law:
Küberturvalisuse seadus (Cybersecurity Act, amended)
Enacted:
2024-09-25
In force:
2024-10-18
Authority:
Riigi Infosüsteemi Amet (RIA)
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability clause

Estonia, as a digital-government leader, prioritized smooth NIS2 transposition. RIA manages the portal.

Finland (FI)

Suomi
In force
Law:
Kyberturvallisuuslaki (Cybersecurity Act)
Enacted:
2024-05-30
In force:
2024-10-18
Authority:
Kyberturvallisuuskeskus (Traficom / NCSC-FI)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Finland transposed on time. Traficom / NCSC-FI has a strong national CSIRT tradition.

France (FR)

France
In force
Law:
Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale
Enacted:
2024-10-14
In force:
2024-10-18
Authority:
Agence nationale de la sécurité des systèmes d'information (ANSSI)
Registration:
3 months after scope trigger via ANSSI portal
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability explicit; ANSSI can sanction management individually

France took the opportunity to harmonize NIS2 with the existing LPM (Loi de Programmation Militaire) regime for critical operators. ANSSI is a powerful and active supervisor.

Germany (DE)

Deutschland
In force
Law:
NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)
Enacted:
2025-11-20
In force:
2025-12-06
Authority:
Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities
Registration:
3 months after scope trigger; BSI registration window closed 2026-03-06
Essential fines:
€10M or 2% worldwide turnover
Important fines:
€7M or 1.4% worldwide turnover
Management:
§ 38 BSIG-neu: personal liability + training obligation

Germany missed the October 2024 transposition deadline. After the Ampel coalition collapse the draft fell to parliamentary discontinuity; the successor coalition re-introduced it and the Bundestag passed NIS2UmsuCG on 13 November 2025, the Bundesrat on 20 November 2025, and it was promulgated in the BGBl on 6 December 2025. In force since 6 December 2025; no transition period. BSI registration deadline 6 March 2026.

Greece (GR)

Ελλάδα
In force
Law:
Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act
Enacted:
2024-10-15
In force:
2024-10-18
Authority:
National Cybersecurity Authority (formerly National Cybersecurity Directorate)
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Greece transposed on time. National Cybersecurity Authority coordinates with sector-specific regulators.

Hungary (HU)

Magyarország
Enacted (delayed entry)
Law:
2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity)
Enacted:
2024-11-28
In force:
2025-01-01
Authority:
Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability clause

Short delay beyond deadline resolved via November 2024 enactment.

Ireland (IE)

Éire
In force
Law:
Network and Information Security (Amendment) Act 2024
Enacted:
2024-10-09
In force:
2024-10-18
Authority:
National Cyber Security Centre (NCSC) of Ireland
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability + director-level training

Ireland transposed on time. NCSC Ireland plays particularly important role given Ireland's position as EU data/cloud hub.

Italy (IT)

Italia
In force
Law:
Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2)
Enacted:
2024-09-04
In force:
2024-10-16
Authority:
Agenzia per la Cybersicurezza Nazionale (ACN)
Registration:
180 days from scope trigger (generous by EU standards)
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability; training obligation documented

Italy transposed just ahead of the deadline. ACN (founded 2021) is a relatively new but active authority.

Latvia (LV)

Latvija
In force
Law:
Nacionālās kiberdrošības likums (National Cybersecurity Law)
Enacted:
2024-09-12
In force:
2024-10-18
Authority:
Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Transposed on time.

Lithuania (LT)

Lietuva
In force
Law:
Kibernetinio saugumo įstatymas (amended 2024)
Enacted:
2024-07-18
In force:
2024-10-18
Authority:
Nacionalinis kibernetinio saugumo centras (NKSC)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Transposed ahead of deadline. NKSC is the coordinating authority.

Luxembourg (LU)

Luxembourg
In force
Law:
Loi du 4 octobre 2024 sur la cybersécurité
Enacted:
2024-10-04
In force:
2024-10-18
Authority:
Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Luxembourg transposed on time. Given its financial-services hub status, CSSF coordinates NIS2+DORA overlap for financial entities.

Malta (MT)

Malta
Enacted (delayed entry)
Law:
Network and Information Systems (Amendment) Act 2025
Enacted:
2025-02-14
In force:
2025-05-01
Authority:
Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Slight delay. MCA oversees for most sectors; MDIA for digital services.

Netherlands (NL)

Nederland
Enacted (delayed entry)
Law:
Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2)
Enacted:
2024-12-10
In force:
2025-03-01
Authority:
Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral
Registration:
3 months after scope trigger
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability + mandatory training

Short delay beyond deadline. Wbni 2 replaces original Wbni. NCSC-NL leads with Agentschap Telecom handling digital services.

Poland (PL)

Polska
Enacted (delayed entry)
Law:
Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa (UKSC2)
Enacted:
2026-02-19
In force:
Authority:
Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs
Registration:
12 months after meeting threshold criteria; first audit at 24 months for key entities
Essential fines:
€10M or 2% worldwide turnover
Important fines:
€7M or 1.4% worldwide turnover
Management:
Personal liability; mandatory training

Draft submitted to the Sejm on 7 November 2025 after Council adoption in October 2025. Parliament adopted the amendment as law of 23 January 2026; signed by the President on 19 February 2026 (UKSC2). Entry-into-force date per vacatio legis; supervisory practice had already aligned to NIS2 de facto.

Portugal (PT)

Portugal
In force
Law:
Decreto-Lei n.º 65/2024 (NIS2 transposition)
Enacted:
2024-10-11
In force:
2024-10-18
Authority:
Centro Nacional de Cibersegurança (CNCS)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

On-time transposition. CNCS leads.

Romania (RO)

România
Enacted (delayed entry)
Law:
Legea nr. 201/2024 (Cybersecurity Law, amended)
Enacted:
2024-12-20
In force:
2025-03-20
Authority:
Direcția Națională de Securitate Cibernetică (DNSC)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

Short delay. DNSC is the coordinating authority.

Slovakia (SK)

Slovensko
In force
Law:
Zákon o kybernetickej bezpečnosti (amended 2024)
Enacted:
2024-10-02
In force:
2024-10-18
Authority:
Národný bezpečnostný úrad (NBÚ)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

On-time transposition.

Slovenia (SI)

Slovenija
In force
Law:
Zakon o informacijski varnosti (ZInfV-1, amended)
Enacted:
2024-09-26
In force:
2024-10-18
Authority:
Uprava Republike Slovenije za informacijsko varnost (URSIV)
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability

On-time.

Spain (ES)

España
In force
Law:
Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2)
Enacted:
2024-07-11
In force:
2024-10-18
Authority:
Centro Criptológico Nacional (CCN-CERT) + sectoral
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability; INCIBE coordinates for private sector

Spain used a Royal Decree-Law (emergency mechanism) to transpose ahead of the October deadline. INCIBE provides business-facing resources.

Sweden (SE)

Sverige
Enacted (delayed entry)
Law:
Cybersäkerhetslag (SFS 2024:824)
Enacted:
2024-10-21
In force:
2025-01-01
Authority:
Myndigheten för samhällsskydd och beredskap (MSB) + sectoral
Registration:
3 months
Essential fines:
€10M or 2%
Important fines:
€7M or 1.4%
Management:
Personal liability explicit

Marginal delay beyond deadline. MSB coordinates; sectoral authorities (Finansinspektionen for finance, Läkemedelsverket for health) supervise their sectors.

Usage & citation

Using this tracker.

This tracker is free to use, share, and cite. The underlying data is licensed under CC BY 4.0. When citing, please use: Matproof, NIS2 Member State Transposition Tracker, 2026. https://matproof.com/tools/nis2-tracker.

For organizations tracking their own NIS2 readiness, Matproof's compliance platform maps the NIS2 Directive to actionable controls with evidence tracking and a free readiness assessment. Use this tracker alongside it to see how each Member State's transposition affects your obligations.

Go further

Map your NIS2 controls in one place.

Matproof maps the NIS2 Directive to actionable controls with evidence tracking and a free readiness assessment — 100% EU-hosted. Use this tracker to plan for the national transposition that applies to you.