NIS2 transposition status: which EU countries have it in force
NIS2 is an EU directive, which means each Member State has to write it into its own national law before it bites. The transposition deadline was 17 October 2024. It passed with most countries still drafting, and they have been catching up at very different speeds since. This page tracks where each of the 27 Member States stands, and why the gaps matter even if your own country is late.
Key takeaways
- NIS2 had to be in national law by 17 October 2024; many Member States missed it.
- The obligation reaches you through your customers, not only through your own country's law.
- Status changes constantly: always confirm against the official EU and national sources.
Where the 27 Member States stand
- 20 of 27: national law in force
- 7 of 27: transposition in progress
Why the patchwork still reaches you
It is tempting to relax if your own country has not finished its law. That is the wrong read. NIS2's supply-chain duty (Article 21(2)(d)) flows down by contract: if even one of your customers is established in a Member State where the law is already in force, that customer is required to assess and keep assessing your security, regardless of where you sit. In practice the earliest-transposing countries set the pace for everyone who sells into them.
Status by country
Each country links to its own page with the competent authority, national CSIRT, the national law and key dates.
In force (20)
In progress (7)
How we keep this current
National transposition is a moving target. We review each country against the official national authority and the European Commission's transposition tracker, and date every entry so you can see how fresh it is. For the live, per-country detail, use the country pages above or the Commission's tracker directly.
Related guides
How to comply with NIS2: a step-by-step roadmap
The steps to NIS2 compliance in order: confirm scope, register, management accountability (Art. 20), the Article 21(2) measures, supply-chain security, incident reporting (Art. 23) and continuous, evidenced assurance.
Who is in scope for NIS2? Essential vs important entities, sectors and size thresholds
Determine whether NIS2 applies to you: the two tiers, the Annex I/II sectors, the size thresholds, size-independent exceptions, and how the supply chain pulls you in even if you're not designated.
NIS2 for suppliers: you're not designated, but your customers are
Most companies are never designated under NIS2, yet many must comply anyway. How a covered customer's Article 21(2)(d) supply-chain duty flows down to you, what they'll ask for, and how to respond credibly.
NIS2 and the supply chain requirement: what it means in practice
NIS2 requires essential and important entities to assess their supply chain cyber risks. Supplier tiering, 4th-party risk, Art. 23 notification, and what auditors look for.
Supplier cyber risk assessment: what automated NIS2 monitoring checks
All check categories explained: ransomware, dark web leaks, TLS/DNSSEC, cookie security, CVE/EPSS, sanctions, MX blacklists and SAQ. Finding lifecycle and NIS2 article mapping.
NIS2 Art. 21(2): supplier security checklist
Checklist for procurement and security teams: what to ask, what evidence to collect, and how to respond when a supplier falls short. Includes suggested evidence documents.
NIS2 supplier questionnaire (SAQ): what to ask, how to score it, and a free template
What to ask suppliers under Art. 21(2)(d), how to score answers and respond to gaps, why self-attestation needs verification, and a free copy-paste questionnaire template.
NIS2 incident reporting: the 24- and 72-hour deadlines explained
What counts as a significant incident, the Article 23 timeline (24-hour early warning, 72-hour notification, one-month final report), and when a supplier's incident becomes your obligation.
NIS2 and management responsibility: what boards and leadership must know
What NIS2 expects of the management body: approval and oversight duties, personal liability (Art. 20), training, board reporting KPIs, and the penalties under Art. 34.
ISO 27001 and NIS2: what your ISMS already covers, and the gaps it doesn't
If you hold ISO 27001, what carries over to NIS2 and what does not (statutory incident reporting, management liability, registration, and continuous supply-chain assurance), plus how to close the gap.
NIS2 fines and penalties: how much, who is liable, and how to avoid them
What NIS2 penalties are: the Article 34 caps (€10M / 2% for essential, €7M / 1.4% for important entities), the management body's personal liability (Art. 20, Art. 32), non-monetary enforcement, and how to avoid them with continuous, evidenced diligence.
NIS2 vs DORA: how they differ, where they overlap, and which one applies to you
How the two EU regimes differ and overlap, why DORA is lex specialis for financial entities, which applies to you, and what both mean for third-party and supply-chain risk.
GDPR vs NIS2: how they overlap, where they differ, and when one incident triggers both
How GDPR and NIS2 differ and overlap, when one incident triggers both (GDPR Art. 33 72h to the DPA vs NIS2 Art. 23 24h/72h/1-month to the CSIRT), the Art. 35 cooperation and no-double-fine rule, and what both mean for supplier due diligence.
The EU Cyber Resilience Act (CRA): scope, timeline and what it means for your supply chain
What the CRA requires, its phased dates (in force 2024, reporting Sept 2026, full compliance Dec 2027), who is in scope and why pure SaaS often isn't, how it complements NIS2, and what it means for procurement and supplier due diligence.
The EU AI Act: risk tiers, the timeline, and what deployers must do (Article 26)
What the EU AI Act requires: the risk tiers, the phased dates (in force 2024, prohibited Feb 2025, GPAI Aug 2025, high-risk Aug 2026), the Article 26 deployer obligations, how it stacks with NIS2 and the GDPR, and what it means for AI procurement.
NIS2 supplier contract clauses: what to require from your suppliers
The contract clauses that turn NIS2's supply-chain duty into something enforceable: security baseline, incident-notification window, evidence and audit rights, subcontractor flow-down, and how to verify them continuously.
Last reviewed: 19 June 2026
This guide is general information about EU law, not legal advice. NIS2 takes effect through each EU Member State's national transposition law, which can differ in detail. Verify the obligations that apply to you with your competent authority or legal counsel.