NIS2 Transposition Status by Country: Where Every EU Member State Stands in 2025
The NIS2 Directive deadline was October 17, 2024. Yet as of June 2025, only a handful of the 27 member states have fully transposed it into national law. If your organization operates across multiple EU jurisdictions, the compliance landscape is fragmented, confusing, and moving fast. This page tracks it all — updated monthly.
27
EU member states tracked
160,000+
entities affected across the EU
European Commission estimate, 2023
24h
incident reporting window
NIS2 Directive, Article 23
No signup required. Bookmark this page — we update it monthly.
NIS2 Transposition Tracker: All 27 EU Member States
Each card below reflects the current NIS2 implementation status, national implementing law, competent authority, and any noteworthy deviations from the directive's minimum requirements. Tracking the NIS2 transposition status by country is essential for organizations operating across multiple EU jurisdictions — what applies in Belgium may differ significantly from what's required in Germany. Updated monthly by Priverion's regulatory intelligence team.
Austria
NISG 2024 — enacted December 2024
Austria enacted its updated Network and Information Systems Security Act (NISG 2024) in late 2024. The law expands the scope of regulated entities significantly and designates existing sector-specific authorities alongside the national CERT. Austria's approach adds stricter requirements for critical infrastructure operators in the energy and transport sectors beyond the directive's baseline.
Key Deviation: Stricter requirements for energy and transport critical infrastructure
Source: Austrian Federal Law Gazette, December 2024 — Last updated: June 2025
Belgium
Loi NIS2 — enacted April 2024
Among the first EU member states to complete transposition. Belgium's law closely mirrors the directive but expands the definition of essential entities to include certain regional government bodies. The Centre for Cybersecurity Belgium (CCB) serves as the competent national authority with enforcement powers.
Key Deviation: Expanded scope to include regional government entities
Source: Belgian Official Gazette, April 2024 — Last updated: June 2025
Bulgaria
No draft published — no estimated timeline
Bulgaria has not published draft transposition legislation. The State Agency for Electronic Government is expected to play a role in implementation, but no formal legislative process has commenced. The European Commission has initiated infringement proceedings. Organizations operating in Bulgaria should align with the directive's baseline requirements while monitoring developments.
Key Deviation: Unknown — no draft available
Source: European Commission infringement proceedings tracker — Last updated: June 2025
Croatia
Zakon o kibernetičkoj sigurnosti — enacted October 2024
Croatia met the October 17, 2024 deadline with its Cybersecurity Act. The law aligns closely with NIS2 requirements and designates the National Council for Cybersecurity as the coordinating body. Incident reporting follows the directive's 24-hour early warning and 72-hour notification framework without significant deviations.
Key Deviation: Minimal — closely follows directive baseline
Source: Croatian Official Gazette, October 2024 — Last updated: June 2025
Cyprus
Draft cybersecurity bill — under ministerial review
Cyprus has published a draft cybersecurity bill that is currently under ministerial review. The Digital Security Authority (DSA) is expected to serve as the competent national authority. The draft closely follows the directive's structure but is still subject to amendments before parliamentary submission. Timeline for enactment remains uncertain.
Key Deviation: Still under review — potential amendments pending
Source: Cyprus government consultation documents, 2024 — Last updated: June 2025
Czech Republic
Zákon o kybernetické bezpečnosti (amended) — enacted October 2024
The Czech Republic amended its existing Cybersecurity Act to incorporate NIS2 requirements, meeting the October deadline. NUKIB (National Cyber and Information Security Agency) retains its role as the central authority with expanded powers. The Czech approach adds mandatory cybersecurity audits for essential entities every two years — a requirement that goes beyond the directive.
Key Deviation: Mandatory biennial cybersecurity audits for essential entities
Source: Czech Collection of Laws, October 2024 — Last updated: June 2025
Denmark
Multiple sector-specific acts — phased implementation ongoing
Denmark has taken a sector-by-sector approach to NIS2 transposition, with separate legislative instruments for different sectors. The Centre for Cyber Security (CFCS) coordinates across sectors. While some sector legislation is enacted, others remain in parliamentary process. This decentralized approach means compliance requirements may vary by sector and timeline.
Key Deviation: Sector-by-sector transposition rather than single unified law
Source: Danish Ministry of Defence publications, 2024 — Last updated: June 2025
Estonia
Küberturvalisuse seaduse muutmine — draft published, parliamentary review
Estonia, despite its reputation as a digital leader, missed the October 2024 deadline but has published comprehensive draft amendments to its Cybersecurity Act. The Information System Authority (RIA) will continue as the primary authority. Estonia's draft includes provisions for government digital services that extend scope beyond the directive's baseline.
Key Deviation: Extended scope covering government digital services
Source: Estonian Ministry of Economic Affairs, 2024 — Last updated: June 2025
Finland
Kyberturvallisuuslaki — enacted January 2025
Finland enacted its Cybersecurity Act in early 2025, slightly past the deadline. The law follows the directive closely and designates Traficom as the primary competent authority. Secondary implementing regulations are still being finalized, particularly around sector-specific incident reporting thresholds and registration timelines for important entities.
Key Deviation: Secondary regulations for incident thresholds still pending
Source: Finnish Government legislative tracker, January 2025 — Last updated: June 2025
France
Projet de loi NIS2 — parliamentary review, expected H1 2025
France's ANSSI has been actively preparing for NIS2 since 2023, but formal legislative transposition has been delayed by political instability. The draft law is currently under parliamentary review. France is expected to significantly expand the number of regulated entities from approximately 500 under NIS1 to an estimated 15,000+ under NIS2. ANSSI's enforcement approach emphasizes proportionality and support for newly in-scope organizations.
Key Deviation: Significant scope expansion; proportionality-based enforcement
Source: ANSSI public statements, December 2024 — Last updated: June 2025
Germany
NIS2-Umsetzungsgesetz (NIS2UmsuCG) — expected 2025
Germany's NIS2 transposition has been delayed by the collapse of the governing coalition in late 2024. The draft NIS2UmsuCG significantly expands the number of entities in scope — estimated at 29,000+ organizations — and introduces stricter management liability provisions. BSI (Federal Office for Information Security) will serve as the central authority with expanded enforcement powers.
Key Deviation: Expanded scope to ~29,000 entities; stricter management liability
Source: BMI draft legislation, July 2024 — Last updated: June 2025
Greece
Draft cybersecurity law — under parliamentary committee review
Greece has published draft legislation transposing NIS2, currently under review by the relevant parliamentary committee. The National Cybersecurity Authority, established in 2022, is designated as the competent authority. The draft includes specific provisions for the maritime and tourism sectors reflecting Greece's economic priorities, extending requirements slightly beyond the directive baseline for these industries.
Key Deviation: Additional requirements for maritime and tourism sectors
Source: Greek Ministry of Digital Governance, 2024 — Last updated: June 2025
Hungary
Government Decree 418/2024 — enacted October 2024
Hungary transposed NIS2 through a government decree rather than a standalone parliamentary act, allowing faster implementation. The National Directorate General for Cyber Defence serves as the primary authority. Hungary's approach includes additional registration requirements for entities that go slightly beyond the directive's minimum.
Key Deviation: Additional entity registration requirements
Source: Hungarian Official Gazette, October 2024 — Last updated: June 2025
Ireland
No draft published — expected 2025
Despite hosting the European headquarters of many major technology companies, Ireland has not yet published a draft transposition law. The NCSC Ireland is expected to serve as the competent authority. Given Ireland's significance as a data processing hub, the eventual national law could have outsized impact on technology and cloud service providers operating across Europe. The European Commission has opened infringement proceedings.
Key Deviation: Unknown — significant impact expected for tech sector
Source: European Commission infringement proceedings, November 2024 — Last updated: June 2025
Italy
Decreto Legislativo NIS2 — enacted October 2024, implementation ongoing
Italy published its transposition decree in October 2024, technically meeting the deadline. However, key implementing provisions — including entity registration requirements and detailed incident reporting procedures — are still being finalized through secondary legislation. ACN (National Cybersecurity Agency) is leading implementation with phased compliance milestones through 2025. Italy's approach includes gold-plating in supply chain risk management requirements.
Key Deviation: Stricter supply chain risk management; phased implementation
Source: Italian Official Gazette, October 2024 — Last updated: June 2025
Latvia
Kiberdrošības likums — enacted September 2024
Latvia was one of the early transposers, enacting its Cybersecurity Act ahead of the October 2024 deadline. CERT.LV serves as the national CSIRT with expanded coordination responsibilities. Latvia's law closely follows the directive with minimal deviations, providing a clear compliance baseline for entities operating in the Baltics.
Key Deviation: Minimal — closely follows directive baseline
Source: Latvian Official Gazette, September 2024 — Last updated: June 2025
Lithuania
Kibernetinio saugumo įstatymas (amended) — enacted October 2024
Lithuania amended its existing Cybersecurity Law to meet the NIS2 deadline. The National Cyber Security Centre (NKSC) retains its primary role. Lithuania's approach adds a national cybersecurity certification scheme for critical infrastructure suppliers, going beyond the directive's baseline and reflecting the country's focus on supply chain resilience given its geopolitical position.
Key Deviation: National supplier certification scheme for critical infrastructure
Source: Lithuanian Seimas records, October 2024 — Last updated: June 2025
Luxembourg
Projet de loi NIS2 — draft published, parliamentary review
Luxembourg has published its draft NIS2 transposition law, currently in parliamentary review. Given Luxembourg's role as a major financial services hub, the draft includes specific provisions coordinating NIS2 compliance with existing DORA (Digital Operational Resilience Act) requirements. The ILR and CSSF are expected to share competent authority responsibilities across sectors.
Key Deviation: Coordinated NIS2-DORA compliance framework for financial sector
Source: Luxembourg Chamber of Deputies records, 2024 — Last updated: June 2025
Malta
No draft published — expected 2025
Malta has not yet published draft transposition legislation. The Malta Information Technology Agency (MITA) and the Critical Infrastructure Protection Directorate are expected to play roles in implementation. Given Malta's growing igaming and fintech sectors, both of which may fall within NIS2 scope, timely transposition is commercially significant. The European Commission has opened infringement proceedings.
Key Deviation: Unknown — potential impact on igaming and fintech sectors
Source: European Commission infringement proceedings tracker — Last updated: June 2025
Netherlands
Cyberbeveiligingswet (Cbw) — draft submitted, expected H1 2025
The Netherlands published its draft Cybersecurity Act (Cbw) to replace the existing Wbni, but parliamentary approval remains pending. The Dutch approach designates sector-specific regulators as competent authorities rather than a single central body — meaning different regulators for energy, healthcare, transport, and digital infrastructure. This decentralized model adds complexity for multi-sector organizations operating in the Netherlands.
Key Deviation: Decentralized enforcement across sector regulators
Source: Dutch Ministry of Justice consultation, September 2024 — Last updated: June 2025
Poland
Nowelizacja ustawy o KSC — draft published, parliamentary process
Poland has published draft amendments to its National Cybersecurity System Act (ustawa o KSC) but parliamentary passage has been delayed. The draft significantly expands the entities in scope and introduces a new national cybersecurity incident classification system. NASK and sector-specific CSIRTs will share responsibilities. Poland's approach includes enhanced requirements for public administration entities.
Key Deviation: New incident classification system; expanded public administration scope
Source: Polish Ministry of Digital Affairs, 2024 — Last updated: June 2025
Portugal
No draft published — no estimated timeline
Portugal is among the member states with no publicly available draft legislation for NIS2 transposition. The National Cybersecurity Centre (CNCS) is expected to serve as the competent authority, but no formal timeline for legislative action has been communicated. Organizations operating in Portugal should monitor developments closely and consider aligning with the directive's baseline requirements in the interim.
Key Deviation: Unknown — no draft available
Source: European Commission infringement proceedings tracker — Last updated: June 2025
Romania
Proiect de lege NIS2 — draft under governmental review
Romania has published a draft NIS2 transposition law currently under governmental review before parliamentary submission. DNSC (National Cyber Security Directorate) is designated as the competent authority. The draft includes provisions for a national cybersecurity exercises program and mandatory risk assessments for entities operating critical infrastructure, extending slightly beyond the directive's baseline.
Key Deviation: Mandatory national cybersecurity exercises program
Source: Romanian government legislative portal, 2024 — Last updated: June 2025
Slovakia
Zákon o kybernetickej bezpečnosti (amendment) — draft published
Slovakia has published draft amendments to its Cybersecurity Act, currently working through the legislative process. The National Security Authority (NBU) is designated as the central competent authority. Slovakia's draft follows the directive closely but includes an accelerated entity registration timeline requiring compliance within 90 days of the law's enactment.
Key Deviation: Accelerated 90-day entity registration requirement
Source: Slovak Ministry of Investment, Regionalism and Informatization, 2024 — Last updated: June 2025
Slovenia
Zakon o informacijski varnosti (ZInfV-1) — enacted late 2024, secondary measures pending
Slovenia enacted its updated Information Security Act in late 2024, but secondary implementing measures are still being developed. The Office of the Government of the Republic of Slovenia for Information Security (URSIV) serves as the coordinating body. The law covers the core NIS2 requirements but defers several operational details to bylaws expected in 2025.
Key Deviation: Phased implementation with secondary measures pending
Source: Slovenian Official Gazette, 2024 — Last updated: June 2025
Spain
Anteproyecto de Ley NIS2 — draft published, Council of State review
Spain has published its draft NIS2 transposition law (anteproyecto), which is undergoing review by the Council of State before parliamentary submission. CCN-CERT and INCIBE share competent authority responsibilities depending on entity type. Spain's draft introduces a national compliance certification scheme and includes specific provisions for the tourism and hospitality sectors.
Key Deviation: National compliance certification; tourism sector provisions
Source: Spanish Ministry of Digital Transformation, 2024 — Last updated: June 2025
Sweden
Cybersäkerhetslag — enacted early 2025, secondary regulations in progress
Sweden enacted its Cybersecurity Act in early 2025 after a thorough governmental inquiry. MSB (Swedish Civil Contingencies Agency) serves as the central coordinating authority, with sector regulators handling enforcement. Secondary regulations specifying detailed compliance requirements for different entity categories are still being finalized, with expected completion by mid-2025.
Key Deviation: Sector-regulator enforcement model; secondary regulations pending
Source: Swedish Government Official Reports, 2024 — Last updated: June 2025
200+
Hours saved on compliance documentation
Medtec saved 200+ hours preparing for ISO 27001 certification by replacing manual documentation with automated compliance workflows — within their first year on Priverion.
60%
Less compliance admin time
Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months — with predictable pricing based on entities, not per-user or per-module expansion traps.
3 mo
Ahead of schedule on ISO 27001
Medtec completed ISO 27001 preparation three months ahead of their projected timeline using Priverion's audit-ready evidence packages and automated documentation.
Why mid-market teams switch from OneTrust to Priverion
Enterprise privacy platforms were built for Fortune 500 budgets and complexity. If you're managing compliance across 5–50 subsidiaries, you need something different — not something smaller.
Typical enterprise platform
What you get with OneTrust
Per-module, per-user pricing
Costs escalate unpredictably as you add subsidiaries, users, or features. Budget conversations happen quarterly, not annually.
US-headquartered, global hosting
Data may be processed in US or other non-European jurisdictions. Post-Schrems II, this creates ongoing legal exposure for cross-border transfers.
200+ integrations, shallow depth
Impressive connector count, but many require custom configuration and ongoing maintenance that strains mid-market IT teams.
Built for Fortune 500 buyers
Feature-rich, but overwhelming for teams under 20. DPOs report spending weeks in onboarding just to configure modules they don't need.
Months-long implementation
Enterprise deployments routinely take 6–12 months before teams see value. Professional services costs add up fast.
Built for multi-entity mid-market
What you get with Priverion
Predictable pricing by company count
No per-user seats, no per-module upsells. One platform, all capabilities included. Your CFO gets a number that doesn't change mid-year.
Swiss-built, Swiss-hosted — guaranteed
All data processed within Swiss infrastructure. European data residency is not a configuration option — it's
