Key Takeaways
  • The NIS2 Directive required transposition into national law by 17 October 2024; many Member States missed this deadline
  • Core requirements (Article 21 measures, incident reporting timelines) remain consistent across the EU
  • What varies: penalty amounts, competent authorities, additional sector inclusions, supervision approach, registration processes
  • Multi-country organisations must comply with each national transposition where they operate
  • Monitoring transposition status is essential for compliance planning

The NIS2 Directive (Directive (EU) 2022/2555) establishes a common baseline for cybersecurity risk management and incident reporting across the European Union. However, as a Directive rather than a Regulation, NIS2 does not apply directly in Member States. Each of the 27 EU countries must transpose the Directive into national law — adopting their own legislation that implements NIS2's requirements within their domestic legal framework. This transposition process introduces meaningful variation in how NIS2 is applied on the ground.

For organisations operating in a single Member State, the practical question is straightforward: what does your country's national NIS2 law require? For organisations operating across multiple EU countries — and there are tens of thousands in this position — the picture is considerably more complex. Penalties differ. Competent authorities differ. Registration processes differ. Some countries have added sectors beyond the NIS2 minimum. Others have introduced stricter requirements or different procedural frameworks.

This article provides a comprehensive tracker of NIS2 transposition across EU Member States, explains what stays consistent and what varies, examines the approaches of key countries in detail, and offers practical guidance for multi-country compliance planning.

How EU Directive Transposition Works

Understanding why national NIS2 implementations differ requires a brief explanation of how EU Directives work. Unlike EU Regulations — which apply directly and uniformly in all Member States from the date of application (the GDPR being the most well-known example) — EU Directives set minimum requirements and objectives that Member States must achieve, but leave the precise form and methods of implementation to each country's national legislative process.

This mechanism has several important consequences for NIS2:

Minimum Harmonisation, Not Maximum

The NIS2 Directive sets a floor, not a ceiling. Article 5 explicitly states that Member States may adopt or maintain provisions ensuring a higher level of cybersecurity. This means that any Member State is free to go beyond the Directive's requirements — imposing higher penalties, extending the scope to additional sectors, requiring more frequent reporting, or establishing stricter governance obligations. No Member State may fall below the NIS2 baseline, but any may exceed it.

National Legal Framework Applies

Each Member State transposes NIS2 through its own legislative and regulatory instruments. In Germany, this takes the form of a federal law (the NIS2UmsuCG). In Belgium, it is a dedicated NIS2 law enacted by the federal parliament. In France, transposition may involve a combination of legislative acts and regulatory decrees issued by the government. The procedural rules governing investigations, hearings, appeals, and judicial review follow each country's administrative law framework — creating significant procedural variation even where the substantive requirements are identical.

Institutional Choices Vary

Each Member State designates its own competent authorities, single points of contact, and Computer Security Incident Response Teams (CSIRTs). Some countries centralise these functions within a single agency (such as the BSI in Germany or the CCB in Belgium). Others distribute responsibilities across multiple sector-specific regulators — with telecommunications authorities handling digital infrastructure, financial supervisors handling banking and financial market infrastructure, and health authorities handling the healthcare sector. These institutional choices affect who an organisation interacts with, how supervision is conducted, and the intensity of regulatory engagement.

Transposition Deadline and Current Status

Article 41 of the NIS2 Directive required Member States to adopt and publish the laws, regulations, and administrative provisions necessary to comply with the Directive by 17 October 2024, with those measures applying from 18 October 2024. In practice, a significant number of Member States missed this deadline — a pattern that is common with EU Directive transpositions but creates genuine compliance uncertainty for affected organisations.

Completed Transpositions

As of early 2026, a number of Member States have completed their national transpositions. Belgium was among the first to enact its NIS2 law, with the legislation passing through parliament and entering into force in 2024. Hungary, Croatia, and several other smaller Member States also completed transposition close to the deadline. Italy enacted its NIS2 transposition through Legislative Decree 138/2024, which entered into force in October 2024. These early movers provide useful benchmarks for how other countries may approach their own implementations.

Late Transpositions

Several major EU economies missed the October 2024 deadline by a significant margin. Germany's NIS2 implementation act (NIS2UmsuCG) experienced delays in the parliamentary process, passing through the Bundestag and entering into force in early 2025. France, Spain, and the Netherlands were also late in completing their transpositions, with draft legislation undergoing extended consultation and amendment periods. Poland, Portugal, and several others remain in various stages of legislative progress.

European Commission Infringement Proceedings

In November 2024, the European Commission initiated infringement proceedings against Member States that had not notified their transposition measures by the deadline. The Commission sent letters of formal notice — the first step in the EU's infringement procedure — to those that had not adopted, published, or communicated the full transposition measures. These proceedings can ultimately lead to referral to the Court of Justice of the European Union and financial penalties, although the practical effect is typically to accelerate the legislative process in the affected Member States.

What Happens Before Transposition Is Complete?

In Member States where national NIS2 legislation has not yet been enacted, the legal position is nuanced. The NIS2 Directive itself is not directly applicable to private entities — organisations cannot be penalised under NIS2 until national transposition is complete. However, the original NIS1 national measures typically remain in force until formally replaced. Organisations in late-transposing countries should continue complying with existing NIS1 obligations whilst preparing for NIS2, as the national legislation — when enacted — will apply immediately and may require rapid compliance adjustments.

What Stays Consistent Across All Member States

Despite the variation introduced by national transposition, the core substance of NIS2 remains consistent across the EU. The Directive's minimum harmonisation approach means that the following elements are present — at a minimum — in every national implementation.

Ten Article 21 Risk-Management Measures

All Member States must require in-scope entities to implement the ten cybersecurity risk-management measures enumerated in Article 21(2). These include policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition, development, and maintenance, policies and procedures to assess the effectiveness of measures, basic cyber hygiene practices and cybersecurity training, policies and procedures regarding the use of cryptography and encryption, human resources security, and the use of multi-factor authentication or continuous authentication solutions.

Multi-Stage Incident Reporting Timelines

Article 23's incident reporting requirements are precisely defined and leave no room for Member State variation on the core timelines. All national transpositions must require: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, intermediate reports upon request, and a final report within one month. These timelines are the mandatory minimum standard: no Member State may allow longer reporting windows, though some may require shorter ones.

Essential vs Important Entity Classification

The logic for classifying entities as Essential or Important is set by the Directive and based on the sector of operation (Annex I or Annex II) and the size of the entity (medium or large enterprise). Whilst Member States may designate additional entities as Essential or Important regardless of size (for example, sole providers of a critical service), the baseline classification criteria are uniform across the EU.

Minimum Penalty Thresholds

All Member States must provide for administrative fines of at least EUR 10 million or 2% of total annual worldwide turnover for Essential entities, and at least EUR 7 million or 1.4% of turnover for Important entities. These are floors — Member States may set higher maximums, but they cannot set lower ones.

CSIRT Reporting Obligation

All national transpositions must require entities to report significant incidents to their designated national CSIRT (or competent authority). The CSIRT's role in receiving, analysing, and coordinating incident response is mandated by the Directive and implemented consistently across all Member States, even though the specific CSIRT involved differs by country.

Management Body Accountability

Article 20's requirements for management body approval, oversight, training, and liability apply uniformly. All Member States must ensure that management bodies approve cybersecurity risk-management measures, oversee their implementation, can be held liable for infringements, and undergo cybersecurity training. The precise mechanisms for enforcing personal liability may vary (some countries may provide for criminal as well as administrative sanctions), but the substantive obligations are consistent.

What Varies by Member State

Within the consistent framework described above, meaningful variation exists across national transpositions. Understanding these areas of divergence is essential for multi-country compliance planning and for accurately assessing the regulatory exposure in each jurisdiction.

Competent Authorities and CSIRTs

Each Member State designates its own competent authorities and CSIRTs. The organisational structure varies significantly:

  • Single centralised authority: Some countries (such as Belgium with the CCB, or Germany with the BSI) designate a single agency as the primary competent authority for most or all sectors
  • Sector-specific authorities: Other countries distribute competent authority responsibilities across existing sector regulators — with the financial supervisor handling banking, the telecommunications regulator handling digital infrastructure, and so on
  • Separate CSIRTs: The CSIRT function may be housed within the competent authority or operated by a separate entity. Belgium's CERT.be, for example, operates under the Centre for Cybersecurity Belgium (CCB)

The practical consequence is that the same organisation operating in three EU countries may need to register with three different authorities, report incidents to three different CSIRTs, and engage with three different supervisory approaches.

Penalty Ranges Above the EU Minimum

The NIS2 Directive sets minimum penalty thresholds, but Member States are free to set higher maximums. Some countries have aligned their NIS2 penalties with GDPR levels for legislative consistency. Others have maintained the Directive's minimum floors. A few have introduced additional penalty categories — such as daily penalty payments for continuing non-compliance — that go beyond what the Directive explicitly requires. The variation in penalty maximums across Member States means that the same infringement could result in materially different financial exposure depending on the jurisdiction.

Additional Sectors or Sub-Sectors

Some Member States have used the transposition process to extend NIS2's scope beyond the 18 sectors defined in the Directive. Belgium, for example, has broadened the scope to include additional entity types. Germany's NIS2UmsuCG incorporates its existing critical infrastructure definitions, which in some areas are broader than the Directive's sector lists. Member States may also refine sub-sector definitions — for example, specifying which types of manufacturing entities or food producers fall within scope based on national economic priorities.

Registration Processes and Timelines

NIS2 requires entities to register with the relevant competent authority, but the precise registration mechanism is left to national implementation. Some countries have established online registration portals with defined timelines. Others require entities to self-assess their classification and notify the authority within a specified period. The registration deadline, the information required, and the process for confirming classification all vary by country.

Supervision Approach and Resources

Whilst the Directive establishes proactive supervision for Essential entities and reactive supervision for Important entities, the intensity, methodology, and resources devoted to supervision vary enormously across Member States. Well-resourced authorities (such as the BSI in Germany or the CCB in Belgium) are expected to conduct more frequent and more detailed inspections. Smaller or less resourced authorities may focus their supervisory efforts more narrowly, prioritising the highest-risk entities. The practical supervisory experience — how inspections are conducted, what evidence is requested, and how findings are communicated — will differ based on each authority's institutional culture and capacity.

Small Entity Exceptions or Inclusions

The NIS2 Directive applies primarily to medium and large enterprises (50+ employees or EUR 10M+ turnover), but includes specific exceptions where certain entity types qualify regardless of size (for example, qualified trust service providers, TLD registries, DNS providers). Member States have discretion to include additional smaller entities where they determine that the entity is the sole provider of a critical service or that disruption would have a significant impact on public safety or public health. Some Member States have used this discretion more expansively than others, meaning that the effective scope threshold differs across countries.

Country-by-Country Tracker

The following table summarises the transposition status, national legislation, competent authority, and key variations for twelve major EU Member States. This tracker reflects the position as of early 2026 and is subject to change as legislative processes conclude.

| Country | Status | National Law | Competent Authority | Key Variations |
|---|---|---|---|---|
| Germany | Enacted (2025) | NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz) | BSI (Bundesamt für Sicherheit in der Informationstechnik) | Incorporates existing KRITIS definitions; additional critical infrastructure obligations beyond NIS2 minimum; BSI retains broad supervisory powers |
| France | Enacted (2025) | Transposition via legislative act and ANSSI regulatory decrees | ANSSI (Agence nationale de la sécurité des systèmes d'information) | Sector-specific competent authorities alongside ANSSI; extended scope for operators of vital importance (OIV); penalties aligned with existing French cybersecurity framework |
| Netherlands | Enacted (2025) | NIB2 (Wet beveiliging netwerk- en informatiesystemen 2) | NCSC-NL (Nationaal Cyber Security Centrum) and sector-specific authorities | Sector-specific regulators (e.g. Dutch Central Bank for financial sector); phased implementation approach; emphasis on self-assessment and duty of care |
| Belgium | Enacted (2024) | NIS2 Law (Loi NIS2) | CCB (Centre for Cybersecurity Belgium) / CERT.be | Among the first to transpose; broadened scope to additional entity types; CCB as centralised authority; established registration platform early |
| Italy | Enacted (2024) | Legislative Decree 138/2024 | ACN (Agenzia per la Cybersicurezza Nazionale) | ACN as central cybersecurity authority; detailed sector-specific implementing provisions; integration with existing Italian perimetro di sicurezza nazionale cibernetica |
| Spain | Draft / late stage | Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad | CCN-CERT (Centro Criptológico Nacional) and INCIBE | Split authority between CCN-CERT (public sector) and INCIBE (private sector); delayed transposition subject to infringement proceedings |
| Ireland | Enacted (2025) | NIS2 transposition via statutory instrument | NCSC Ireland (National Cyber Security Centre) | NCSC as primary authority; emphasis on digital infrastructure entities due to presence of major tech companies; alignment with existing Irish regulatory framework |
| Austria | Enacted (2025) | NISG 2024 (Netz- und Informationssystemsicherheitsgesetz) | BMI / GovCERT Austria | Close alignment with German approach; sector-specific competent authorities; integration with existing Austrian NISG framework |
| Denmark | Enacted (2025) | NIS2 Law (Lov om net- og informationssikkerhed) | CFCS (Centre for Cyber Security) and sector authorities | Sector-based supervision model; CFCS coordinates across sector-specific regulators; phased supervisory roll-out |
| Sweden | Enacted (2025) | NIS2 Law (Cybersäkerhetslagen) | MSB (Myndigheten för samhällsskydd och beredskap) and sector authorities | MSB as coordinating authority; sector-specific supervision; alignment with existing Swedish protective security legislation |
| Poland | Draft / pending | Amendment to the National Cybersecurity System Act | NASK / Government Plenipotentiary for Cybersecurity | Delayed transposition; integration with existing Polish cybersecurity system act; sector-specific authorities under coordination |
| Finland | Enacted (2025) | Kyberturvallisuuslaki (Cybersecurity Act) | Traficom (Finnish Transport and Communications Agency) / NCSC-FI | Traficom as primary supervisory authority; sector-based approach for specific industries; integration with Finnish communications regulation |

Tracker Accuracy Notice

This tracker reflects the transposition status as of early 2026. NIS2 transposition is an ongoing process, and the status of individual Member States may have changed since publication. For the most current information, consult the official sources referenced in the "How to Monitor Transposition" section below. Legislative texts, competent authority designations, and implementing provisions may be subject to amendment.

Germany (BSI-Gesetz / NIS2UmsuCG)

Germany's NIS2 transposition — the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) — is one of the most closely watched implementations in the EU due to Germany's economic weight and the central role of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). The legislation experienced significant delays in the parliamentary process before being enacted in 2025.

BSI as Central Authority

The BSI serves as Germany's primary competent authority for NIS2, building on its long-established role under the original NIS1 transposition and the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0). The BSI has extensive experience in supervising critical infrastructure operators and possesses one of the largest cybersecurity agency workforces in Europe. This institutional maturity means that German entities can expect a relatively active and well-resourced supervisory approach.

Integration with Existing KRITIS Framework

Germany's approach is distinctive in that the NIS2UmsuCG does not simply replace the existing critical infrastructure (KRITIS) regime — it layers NIS2 requirements on top of an already comprehensive domestic framework. Entities classified as KRITIS operators may face obligations that exceed the NIS2 minimum, particularly regarding physical security measures, business continuity requirements, and audit obligations. The result is a layered regulatory structure where some entities must comply with both the NIS2 baseline and additional KRITIS-specific requirements.

Scope and Classification

The NIS2UmsuCG classifies entities as "besonders wichtige Einrichtungen" (particularly important entities, equivalent to Essential) and "wichtige Einrichtungen" (important entities). The scope definitions incorporate the NIS2 size-cap thresholds but also retain references to Germany's existing KRITIS sector definitions, which in some areas are more granular than the Directive's Annex I and II categories. The estimated number of entities in scope in Germany under NIS2 is approximately 30,000 — a dramatic increase from the approximately 4,500 entities previously regulated under the KRITIS regime.

Penalties and Enforcement

Germany has adopted penalty maximums that meet the NIS2 minimum thresholds. The BSI has broad enforcement powers including on-site inspections, audit mandates, binding instructions, and the ability to require entities to implement specific security measures within defined timeframes. Non-compliance with BSI orders can trigger escalated penalties, including periodic penalty payments.

France (Transposition via ANSSI)

France's NIS2 transposition centres on the Agence nationale de la sécurité des systèmes d'information (ANSSI), which has served as France's national cybersecurity authority since 2009. France's approach builds on its existing framework for operators of vital importance (opérateurs d'importance vitale, OIV) and extends cybersecurity obligations to a significantly broader set of entities.

ANSSI's Role

ANSSI retains its position as France's primary competent authority for cybersecurity under NIS2. ANSSI is responsible for regulatory guidance, supervision, and incident coordination. However, France also designates sector-specific competent authorities for certain regulated industries — meaning that entities in the financial sector, for example, may interact with both ANSSI and the financial regulator (ACPR) on cybersecurity matters.

Extended Scope: OIV Integration

France's existing OIV framework already imposed stringent cybersecurity requirements on approximately 300 operators in critical sectors. The NIS2 transposition extends comparable obligations to a far larger set of entities whilst preserving the enhanced requirements that apply to OIV operators. In practice, this creates a three-tier system: OIV operators face the strictest requirements, NIS2 Essential entities face the Directive's full baseline, and NIS2 Important entities face a lighter supervisory regime.

Legislative Structure

France's transposition follows the standard French legislative approach: a framework law (loi) establishes the core obligations and institutional framework, whilst detailed implementing provisions are set out in regulatory decrees (décrets) and orders (arrêtés) issued by the government. This multi-layered structure means that the full picture of France's NIS2 requirements emerges over time as implementing decrees are published, and organisations must monitor both the primary legislation and the secondary instruments.

Belgium (NIS2 Law)

Belgium was among the first EU Member States to complete NIS2 transposition, with its national NIS2 law enacted and entering into force in 2024. Belgium's early completion is attributable in part to the Centre for Cybersecurity Belgium (CCB) having driven the legislative process proactively, and in part to Belgium's existing cybersecurity governance framework being relatively well developed.

CCB as Centralised Authority

The CCB serves as Belgium's competent authority for NIS2, with CERT.be operating as the national CSIRT under the CCB's umbrella. This centralised model simplifies the regulatory landscape for Belgian entities — unlike countries with sector-specific authorities, organisations in Belgium generally interact with a single cybersecurity authority regardless of their sector. The CCB has been actively developing guidance, registration tools, and supervisory procedures since before the Directive's transposition deadline.

Broadened Scope

Belgium has used the transposition process to extend NIS2's scope beyond the Directive's minimum. The Belgian NIS2 law includes additional entity types and has adopted a relatively expansive interpretation of sector definitions. Belgium also established its entity registration platform early, enabling organisations to self-assess their classification and register with the CCB ahead of supervisory activities commencing.

Practical Significance

Belgium's early transposition makes it a useful benchmark for other Member States. The CCB's published guidance, registration procedures, and supervisory framework provide concrete examples of how the Directive's requirements translate into operational obligations. Organisations operating in Belgium have had more time to prepare than those in late-transposing countries, and the CCB's proactive approach means that supervisory engagement is likely to commence earlier than in many other jurisdictions.

Netherlands (NIB2)

The Netherlands' NIS2 transposition — the Wet beveiliging netwerk- en informatiesystemen 2 (NIB2) — builds on the country's existing approach under the original NIS1 transposition (the Wbni, or Wet beveiliging netwerk- en informatiesystemen). The Netherlands has taken a phased approach to implementation, reflecting the significant increase in the number of entities falling within scope.

NCSC-NL and Sector Authorities

The Nationaal Cyber Security Centrum (NCSC-NL) serves as the Netherlands' coordinating authority and national CSIRT, but supervision is distributed across sector-specific regulators. The Dutch Central Bank (De Nederlandsche Bank) oversees financial sector entities, the Authority for Consumers and Markets (ACM) handles digital providers, and other sector authorities manage their respective domains. This distributed model requires entities to identify and engage with the correct sector-specific authority — a process that is straightforward for entities operating in a single sector but more complex for diversified organisations.

Emphasis on Self-Assessment

The Netherlands' approach places particular emphasis on entities' duty of care and self-assessment obligations. Organisations are expected to proactively determine whether they fall within scope, classify themselves correctly, and register with the relevant authority. The Dutch framework is designed to encourage a risk-based, proportionate approach to cybersecurity, with entities expected to demonstrate that their security measures are appropriate to the specific risks they face rather than simply implementing a checklist of prescriptive requirements.

Phased Implementation

Recognising the scale of the increase in scope (from approximately 400 entities under NIS1 to potentially several thousand under NIS2), the Netherlands has adopted a phased implementation approach. This includes transitional periods for certain obligations and a gradual ramp-up of supervisory activities. Entities newly brought into scope are expected to achieve compliance progressively, with authorities prioritising engagement and guidance over immediate enforcement during the initial period.

Impact on Multi-Country Organisations

For organisations operating across multiple EU Member States, the variation in national NIS2 transpositions creates genuine compliance complexity. Understanding the jurisdictional rules and developing a practical multi-country strategy is essential.

Primary Establishment Rule

The NIS2 Directive establishes a primary establishment rule for jurisdiction. In general, an entity falls under the jurisdiction of the Member State where it has its main establishment — defined as the place where decisions related to cybersecurity risk-management measures are predominantly taken. If those decisions are not taken within the EU, the main establishment is the Member State where cybersecurity operations are carried out. This rule aims to prevent entities being subject to duplicative supervision by multiple Member States.

Specific Jurisdiction Rules for Digital Infrastructure

For certain entity types, the Directive overrides the primary establishment rule with specific jurisdiction provisions. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, search engines, or social networking services are subject to jurisdiction based on where their head office is located in the EU (or, if not established in the EU, where their designated representative is located). These rules are intended to prevent forum shopping and ensure clear jurisdictional responsibility for entities providing cross-border digital services.

Practical Compliance Strategy

Multi-country organisations should adopt the following approach:

  • Map jurisdictions: Identify every Member State where the organisation operates, provides services, or has subsidiaries. Determine which national NIS2 transposition applies to each entity within the group
  • Identify competent authorities: For each jurisdiction, determine the relevant competent authority and CSIRT. Register as required under each country's national legislation
  • Assess variation: Identify the material differences between the national transpositions applicable to the organisation — focusing on penalty ranges, additional sector inclusions, registration requirements, and supervisory approach
  • Design to the highest standard: In practice, the most efficient approach is to build a compliance baseline that meets the requirements of the strictest applicable national transposition, and then adapt marginally for jurisdictions with lower or different requirements. This "comply to the highest standard" approach avoids maintaining multiple parallel compliance programmes
  • Coordinate incident reporting: Establish clear procedures for reporting incidents to the correct CSIRT in each jurisdiction, respecting the 24-hour and 72-hour timelines. Where an incident affects operations in multiple countries, multiple notifications may be required

Single vs Multiple Assessments

Whether a multi-country organisation can undergo a single compliance assessment or must submit to separate assessments in each jurisdiction depends on the national transposition and the competent authority's approach. Some authorities may accept assessment reports conducted by recognised bodies covering multiple jurisdictions. Others may insist on conducting their own supervisory activities. Organisations should clarify the position with each relevant competent authority early in the compliance process.

How to Monitor Transposition

Transposition is not a one-off event. Even after national legislation is enacted, implementing provisions, regulatory guidance, and supervisory practice evolve over time. Organisations must monitor developments on an ongoing basis.

Official EU Sources

  • EUR-Lex: The official legal database of the EU publishes national transposition measures as they are notified by Member States. Search for Directive 2022/2555 to find the national implementing measures for each country
  • European Commission: The Commission publishes updates on transposition progress, infringement proceedings, and guidance documents related to NIS2 implementation
  • ENISA: The European Union Agency for Cybersecurity provides NIS2 implementation resources, including guidance documents, good practice references, and information on national competent authorities

National Authority Websites

  • Germany: BSI (bsi.bund.de) — publishes NIS2UmsuCG guidance, registration information, and supervisory updates
  • France: ANSSI (ssi.gouv.fr) — publishes regulatory guidance, implementing decrees, and compliance resources
  • Belgium: CCB (ccb.belgium.be) — provides the NIS2 registration platform, guidance documents, and supervisory framework
  • Netherlands: NCSC-NL (ncsc.nl) — publishes NIB2 guidance and sector-specific supervisory information
  • Italy: ACN (acn.gov.it) — publishes NIS2 transposition measures and implementing provisions

Legal and Advisory Firms

Specialist law firms and advisory firms maintain NIS2 transposition trackers that aggregate information across multiple jurisdictions. These trackers provide comparative analysis and are typically updated more frequently than official EU sources. For organisations operating in multiple countries, a reliable third-party tracker is an efficient way to stay informed of developments across all relevant jurisdictions.

Planning Compliance Across Jurisdictions

Building a compliance programme that satisfies NIS2 requirements across multiple national transpositions requires a structured, layered approach. The Directive itself provides the foundation; national transpositions add the jurisdiction-specific requirements.

Step 1: Start with the Directive as Your Baseline

The NIS2 Directive sets the minimum requirements that all national transpositions must implement. Building your compliance programme on the Directive's core requirements — the ten Article 21 measures, the incident reporting timelines, the management accountability provisions, and the supply chain security obligations — ensures that the foundation is sound regardless of which Member State you operate in. No national transposition may weaken these minimum requirements.

Step 2: Layer National Requirements

For each jurisdiction where the organisation operates, identify the national requirements that go beyond the Directive's minimum. This may include higher penalty thresholds (which primarily affect risk assessment rather than operational measures), additional sector inclusions, specific registration requirements and deadlines, enhanced requirements for certain entity types, and procedural rules for incident reporting and supervisory engagement. Document these jurisdiction-specific requirements as addenda to the baseline compliance programme.

Step 3: Identify the Strictest Jurisdiction

Where the organisation operates in multiple countries, identify the national transposition with the most stringent requirements across each compliance dimension. In many cases, the strictest jurisdiction will be the one with the most well-resourced competent authority (such as Germany or Belgium), as these authorities tend to impose more detailed requirements and conduct more active supervision. Designing the compliance programme to satisfy the strictest applicable standard avoids the need to maintain separate programmes for different jurisdictions.

Step 4: Unified vs Jurisdiction-Specific Approach

Most organisations find that a unified approach — building a single compliance programme that meets the highest applicable standard — is more efficient than maintaining jurisdiction-specific programmes. The incremental cost of complying with the strictest jurisdiction across all operations is typically lower than the overhead of managing multiple parallel compliance tracks. However, certain elements — such as entity registration, CSIRT identification, and incident reporting channels — are inherently jurisdiction-specific and must be managed on a per-country basis.

Step 5: Engage with Competent Authorities Early

Proactive engagement with the relevant competent authorities demonstrates good faith and can provide valuable clarity on supervisory expectations. Many competent authorities — particularly the CCB in Belgium, the BSI in Germany, and ANSSI in France — publish guidance documents, conduct information sessions, and offer pre-registration support that can inform compliance planning. Early engagement also helps clarify jurisdictional questions, particularly for entities operating across multiple countries.

The organisations that manage multi-country NIS2 compliance most effectively are those that invest early in jurisdictional mapping, build their programme on the Directive's universal baseline, and then layer national variations systematically. The alternative — reacting to each national transposition as it is enacted — leads to fragmented compliance efforts, duplicated work, and gaps that emerge only during supervisory engagement.

How Glocert International Helps

Glocert International provides multi-jurisdiction NIS2 readiness assessments, transposition analysis, and compliance programme design for organisations operating across the EU. Our advisory team monitors national transposition developments, maps jurisdiction-specific requirements, and helps organisations build unified compliance programmes that satisfy the most stringent applicable standards. Whether you operate in one country or across a dozen, we help you navigate the regulatory landscape with clarity and confidence.


Frequently Asked Questions

Have all EU Member States transposed the NIS2 Directive into national law?

No. The transposition deadline was 17 October 2024, but a significant number of Member States missed it. As of early 2026, several countries — including Germany, France, and the Netherlands — have enacted their national NIS2 legislation, whilst others remain in draft or consultation stages. The European Commission has launched infringement proceedings against late transposers. Belgium, Italy, Hungary, and Croatia were among the earliest to complete transposition.

What stays the same across all NIS2 national transpositions?

The core obligations under the Directive remain consistent across all Member States: the ten risk-management measures under Article 21, the multi-stage incident reporting timelines (24-hour early warning, 72-hour notification, one-month final report), the Essential vs Important entity classification logic, the minimum penalty thresholds (EUR 10M/2% for Essential, EUR 7M/1.4% for Important), and the obligation to report to the national CSIRT. These are minimum requirements that no Member State may weaken.

What typically varies between NIS2 national transpositions?

Key areas of variation include: penalty amounts above the EU minimum floor, the identity and structure of competent authorities and CSIRTs, additional sector inclusions or sub-sector definitions, entity registration processes and timelines, supervision approaches and resource allocation, small entity exceptions or additional inclusions, and procedural rules for investigations, hearings, and appeals. These variations can create materially different compliance experiences in different jurisdictions.

If my organisation operates in multiple EU countries, which NIS2 transposition applies?

The NIS2 Directive establishes a primary establishment rule: entities generally fall under the jurisdiction of the Member State where they have their main establishment — defined as the place where cybersecurity risk-management decisions are predominantly taken. For certain digital infrastructure and service providers, specific jurisdiction rules apply based on the entity's head office or designated representative location. In practice, multi-country organisations should comply with the national transposition in each jurisdiction where they operate, and design their compliance programme to meet the highest applicable standard.

How can I track which EU countries have transposed NIS2?

The most reliable sources are: EUR-Lex for official national transposition measures notified to the European Commission, ENISA's NIS2 implementation tracking resources, national competent authority websites (such as BSI in Germany, ANSSI in France, or CCB in Belgium), and specialist legal advisory firms that maintain NIS2 transposition trackers. The European Commission also publishes infringement proceedings updates for Member States that have not met their transposition obligations.