Technology

Network and Information Systems

NIS: EU cybersecurity directive framework; NIS2 is its 2022 revision requiring transposition by all EU member states by October 2024.

Last refreshed: 17 April 2026

Key Question

How many EU countries actually implemented the NIS2 cybersecurity rules on time?

Timeline for Network and Information Systems

#117 Apr

Mentioned in: UK 24-hour reporting bill at Report

Cybersecurity: Threats and Defences

View full timeline →

Common Questions

What is NIS2 and does it apply to my company?: NIS2 is the EU's 2022 cybersecurity directive requiring operators of essential services and digital service providers to implement security measures and report incidents. It applies to medium and large organisations in sectors including energy, transport, health, digital infrastructure and ICT services across EU member states.Source: European Commission
Which EU countries have actually implemented NIS2?: As of June 2025, only 14 of 27 EU member states had fully transposed NIS2. Germany's transposition law came into force in December 2025; the European Commission is pursuing infringement proceedings against non-transposing states.Source: European Commission / briefing

Background

The Network and Information Systems (NIS) Directive is the EU's foundational cybersecurity legislation requiring operators of essential services and digital service providers to implement security measures and report incidents. Its 2022 revision, NIS2, significantly expanded scope and raised the fine ceiling to €15 million or 2.5 per cent of worldwide annual turnover. As of June 2025, only 14 of 27 EU member states had fully transposed NIS2; Germany published its transposition law on 5 December 2025 and required covered entities to register by 6 March 2026, with approximately one-third having actually registered by that date.

NIS was adopted in 2016 as the EU's first binding cybersecurity directive. NIS2 replaced it in December 2022, with a transposition deadline of 17 October 2024 that most member states missed. NIS2 introduces new obligations including supply-chain risk management, vulnerability disclosure programmes, and executive accountability for cybersecurity governance. The Cyber Resilience Act (CRA) operates in parallel with NIS2, covering product security requirements rather than operator obligations.

For EU organisations in scope of NIS2, the German registration example illustrates the practical challenge: even where transposition law is in place, entity registration and compliance are materially incomplete. The European Commission's infringement proceedings against non-transposing member states are running in parallel with these compliance gaps, creating a complex enforcement calendar over 2026 and 2027.

How the World Sees Them

UK (post-Brexit)

The UK's Cyber Security and Resilience Bill parallels NIS2 in its obligations but follows a separate legislative track; UK-EU cross-border organisations must track both frameworks independently.

German regulators

Germany's transposition law entered force December 2025 with a March 2026 registration deadline; only about one-third of covered entities had registered by that deadline.

European Commission

Infringement proceedings against non-transposing member states are running; enforcement divergence across 27 national implementations is an ongoing regulatory risk for cross-border EU operators.