NIS2 Member State Tracker.

Law:

Netz- und Informationssystemsicherheitsgesetz 2024 (NIS-G 2024)

Enacted:

2024-10-17

In force:

2024-10-18

Authority:

Bundesministerium für Inneres (BMI) + Bundeskanzleramt

Registration:

3 months after scope trigger

Essential fines:

€10M or 2% worldwide turnover

Important fines:

€7M or 1.4% worldwide turnover

Management:

Explicit personal liability + mandatory training

Austria was among the first Member States to fully transpose NIS2, on time for the EU deadline.

Law:

Loi du 26 avril 2024 sur la cybersécurité / Wet van 26 april 2024 inzake cyberbeveiliging

Enacted:

2024-04-26

In force:

2024-10-18

Authority:

Centre pour la Cybersécurité Belgique (CCB) / Centrum voor Cybersecurity België

Registration:

5 months after law entering force

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability + training obligation

Belgium transposed ahead of deadline. CCB manages the national Safeonweb.be portal for registrations.

Law:

Закон за кибер сигурност (Cybersecurity Act amendment)

Enacted:

2025-01-15

In force:

2025-04-15

Authority:

State Agency for Electronic Governance + National CSIRT

Registration:

6 months from scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability clause

Delayed transposition resolved via late-Q1 2025 amendment. Infringement proceedings closed.

Law:

Zakon o kibernetičkoj sigurnosti (Cybersecurity Act)

Enacted:

2024-02-15

In force:

2024-02-28

Authority:

Središnji državni ured za razvoj digitalnog društva (SDURDD)

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability explicit

Croatia was the first Member State to transpose (February 2024, 8 months ahead of deadline).

Law:

Network and Information Systems Security (Amendment) Law of 2025

Enacted:

2025-04-25

In force:

2025-04-25

Authority:

Digital Security Authority (DSA) + Commissioner of Communications

Registration:

3 months after scope trigger

Essential fines:

€10M or 2% worldwide turnover

Important fines:

€7M or 1.4% worldwide turnover

Management:

Personal liability + training obligation

Amendment Law published 25 April 2025, transposing NIS2 in full. Secondary implementing framework (sectoral guidance, operational capacity of the DSA) is still maturing — ECSO classifies Cyprus at maturity level 3. Early-warning notification set at 6 hours, stricter than NIS2 baseline.

Law:

Zákon o kybernetické bezpečnosti (amended 2024)

Enacted:

2024-11-01

In force:

2025-01-01

Authority:

Národní úřad pro kybernetickou a informační bezpečnost (NÚKIB)

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability explicit

NÚKIB is an experienced cyber authority — transposition proceeded smoothly with industry consultation.

Law:

Lov om informationssikkerhed i net og systemer (NIS2-loven)

Enacted:

2024-06-12

In force:

2024-10-18

Authority:

Center for Cybersikkerhed (CFCS) under Danish Defence Intelligence Service

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability + training

Denmark transposed on time. CFCS leads national implementation.

Law:

Küberturvalisuse seadus (Cybersecurity Act, amended)

Enacted:

2024-09-25

In force:

2024-10-18

Authority:

Riigi Infosüsteemi Amet (RIA)

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability clause

Estonia, as a digital-government leader, prioritized smooth NIS2 transposition. RIA manages the portal.

Law:

Kyberturvallisuuslaki (Cybersecurity Act)

Enacted:

2024-05-30

In force:

2024-10-18

Authority:

Kyberturvallisuuskeskus (Traficom / NCSC-FI)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Finland transposed on time. Traficom / NCSC-FI has a strong national CSIRT tradition.

Law:

Loi n° 2024-911 du 14 octobre 2024 relative à la résilience des activités d'importance vitale

Enacted:

2024-10-14

In force:

2024-10-18

Authority:

Agence nationale de la sécurité des systèmes d'information (ANSSI)

Registration:

3 months after scope trigger via ANSSI portal

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability explicit; ANSSI can sanction management individually

France took the opportunity to harmonize NIS2 with the existing LPM (Loi de Programmation Militaire) regime for critical operators. ANSSI is a powerful and active supervisor.

Law:

NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)

Enacted:

2025-11-20

In force:

2025-12-06

Authority:

Bundesamt für Sicherheit in der Informationstechnik (BSI) + sectoral authorities

Registration:

3 months after scope trigger; BSI registration window closed 2026-03-06

Essential fines:

€10M or 2% worldwide turnover

Important fines:

€7M or 1.4% worldwide turnover

Management:

§ 38 BSIG-neu: personal liability + training obligation

Germany missed the October 2024 transposition deadline. After the Ampel coalition collapse the draft fell to parliamentary discontinuity; the successor coalition re-introduced it and the Bundestag passed NIS2UmsuCG on 13 November 2025, the Bundesrat on 20 November 2025, and it was promulgated in the BGBl on 6 December 2025. In force since 6 December 2025; no transition period. BSI registration deadline 6 March 2026.

Law:

Ν. 5160/2024 (Law 5160/2024) - Cybersecurity Act

Enacted:

2024-10-15

In force:

2024-10-18

Authority:

National Cybersecurity Authority (formerly National Cybersecurity Directorate)

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Greece transposed on time. National Cybersecurity Authority coordinates with sector-specific regulators.

Law:

2024. évi LXIX. törvény (Act LXIX of 2024 on cybersecurity)

Enacted:

2024-11-28

In force:

2025-01-01

Authority:

Nemzeti Kiberbiztonsági Intézet (National Cybersecurity Institute)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability clause

Short delay beyond deadline resolved via November 2024 enactment.

Law:

Network and Information Security (Amendment) Act 2024

Enacted:

2024-10-09

In force:

2024-10-18

Authority:

National Cyber Security Centre (NCSC) of Ireland

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability + director-level training

Ireland transposed on time. NCSC Ireland plays particularly important role given Ireland's position as EU data/cloud hub.

Law:

Decreto legislativo 4 settembre 2024, n. 138 (recepimento NIS2)

Enacted:

2024-09-04

In force:

2024-10-16

Authority:

Agenzia per la Cybersicurezza Nazionale (ACN)

Registration:

180 days from scope trigger (generous by EU standards)

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability; training obligation documented

Italy transposed just ahead of the deadline. ACN (founded 2021) is a relatively new but active authority.

Law:

Nacionālās kiberdrošības likums (National Cybersecurity Law)

Enacted:

2024-09-12

In force:

2024-10-18

Authority:

Latvijas Informācijas un komunikāciju tehnoloģiju asociācija (CERT.LV) + Cabinet

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Transposed on time.

Law:

Kibernetinio saugumo įstatymas (amended 2024)

Enacted:

2024-07-18

In force:

2024-10-18

Authority:

Nacionalinis kibernetinio saugumo centras (NKSC)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Transposed ahead of deadline. NKSC is the coordinating authority.

Law:

Loi du 4 octobre 2024 sur la cybersécurité

Enacted:

2024-10-04

In force:

2024-10-18

Authority:

Haut-Commissariat à la Protection Nationale (HCPN) + ILR + CSSF for financial

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Luxembourg transposed on time. Given its financial-services hub status, CSSF coordinates NIS2+DORA overlap for financial entities.

Law:

Network and Information Systems (Amendment) Act 2025

Enacted:

2025-02-14

In force:

2025-05-01

Authority:

Malta Communications Authority (MCA) + Malta Digital Innovation Authority (MDIA)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Slight delay. MCA oversees for most sectors; MDIA for digital services.

Law:

Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2)

Enacted:

2024-12-10

In force:

2025-03-01

Authority:

Nationaal Cyber Security Centrum (NCSC-NL) + Agentschap Telecom + sectoral

Registration:

3 months after scope trigger

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability + mandatory training

Short delay beyond deadline. Wbni 2 replaces original Wbni. NCSC-NL leads with Agentschap Telecom handling digital services.

Law:

Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa (UKSC2)

Enacted:

2026-02-19

In force:

—

Authority:

Ministerstwo Cyfryzacji + CSIRT NASK + sectoral CSIRTs

Registration:

12 months after meeting threshold criteria; first audit at 24 months for key entities

Essential fines:

€10M or 2% worldwide turnover

Important fines:

€7M or 1.4% worldwide turnover

Management:

Personal liability; mandatory training

Draft submitted to the Sejm on 7 November 2025 after Council adoption in October 2025. Parliament adopted the amendment as law of 23 January 2026; signed by the President on 19 February 2026 (UKSC2). Entry-into-force date per vacatio legis; supervisory practice had already aligned to NIS2 de facto.

Law:

Decreto-Lei n.º 65/2024 (NIS2 transposition)

Enacted:

2024-10-11

In force:

2024-10-18

Authority:

Centro Nacional de Cibersegurança (CNCS)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

On-time transposition. CNCS leads.

Law:

Legea nr. 201/2024 (Cybersecurity Law, amended)

Enacted:

2024-12-20

In force:

2025-03-20

Authority:

Direcția Națională de Securitate Cibernetică (DNSC)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

Short delay. DNSC is the coordinating authority.

Law:

Zákon o kybernetickej bezpečnosti (amended 2024)

Enacted:

2024-10-02

In force:

2024-10-18

Authority:

Národný bezpečnostný úrad (NBÚ)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

On-time transposition.

Law:

Zakon o informacijski varnosti (ZInfV-1, amended)

Enacted:

2024-09-26

In force:

2024-10-18

Authority:

Uprava Republike Slovenije za informacijsko varnost (URSIV)

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability

On-time.

Law:

Real Decreto-ley 7/2024, de 11 de julio (transposition of NIS2)

Enacted:

2024-07-11

In force:

2024-10-18

Authority:

Centro Criptológico Nacional (CCN-CERT) + sectoral

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability; INCIBE coordinates for private sector

Spain used a Royal Decree-Law (emergency mechanism) to transpose ahead of the October deadline. INCIBE provides business-facing resources.

Law:

Cybersäkerhetslag (SFS 2024:824)

Enacted:

2024-10-21

In force:

2025-01-01

Authority:

Myndigheten för samhällsskydd och beredskap (MSB) + sectoral

Registration:

3 months

Essential fines:

€10M or 2%

Important fines:

€7M or 1.4%

Management:

Personal liability explicit

Marginal delay beyond deadline. MSB coordinates; sectoral authorities (Finansinspektionen for finance, Läkemedelsverket for health) supervise their sectors.