
Network and Information Systems
NIS: EU cybersecurity directive framework; NIS2 is its 2022 revision requiring transposition by all EU member states by October 2024.
Last refreshed: 17 April 2026
How many EU countries actually implemented the NIS2 cybersecurity rules on time?
Timeline for Network and Information Systems
Mentioned in: NIS2 fines now reach directors personally
Cybersecurity: Threats and DefencesMentioned in: UK 24-hour reporting bill at Report
Cybersecurity: Threats and DefencesWhat is NIS2 and does it apply to my company?
Which EU countries have actually implemented NIS2?
Background
The Network and Information Systems (NIS) Directive is the EU's foundational cybersecurity legislation requiring operators of essential services and digital service providers to implement security measures and report incidents. Its 2022 revision, NIS2, significantly expanded scope and raised the fine ceiling to €15 million or 2.5 per cent of worldwide annual turnover. As of June 2025, only 14 of 27 EU member states had fully transposed NIS2; Germany published its transposition law on 5 December 2025 and required covered entities to register by 6 March 2026, with approximately one-third having actually registered by that date.
NIS was adopted in 2016 as the EU's first binding cybersecurity directive. NIS2 replaced it in December 2022, with a transposition Deadline of 17 October 2024 that most member states missed. NIS2 introduces new obligations including supply-chain risk management, vulnerability disclosure programmes, and executive accountability for cybersecurity governance. The Cyber Resilience Act (CRA) operates in parallel with NIS2, covering product security requirements rather than operator obligations.
For EU organisations in scope of NIS2, the German registration example illustrates the practical challenge: even where transposition law is in place, entity registration and compliance are materially incomplete. The European Commission's infringement proceedings against non-transposing member states are running in parallel with these compliance gaps, creating a complex enforcement calendar over 2026 and 2027.