Concept

NIS2 Directive

NIS2: EU 2022 cybersecurity directive requiring member-state transposition by October 2024; only 14 of 27 states complied by June 2025.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why have most EU countries failed to implement their own mandatory cybersecurity rules on time?

Timeline for NIS2 Directive

#117 Apr

EU CRA guidance; German NIS2 missed

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Has Germany implemented NIS2?: Germany published its NIS2 transposition law on 5 December 2025, over a year after the October 2024 deadline. Covered entities had until 6 March 2026 to register; approximately one-third had done so by that date.Source: European Commission / briefing
What is the NIS2 Directive fine for non-compliance?: NIS2 sets a fine ceiling of €15 million or 2.5% of worldwide annual turnover for essential entities, and €10 million or 2% for important entities. Fine levels depend on member-state transposition and national authority enforcement.Source: European Commission

Background

The NIS2 Directive (Network and Information Security Directive 2) is the EU's core cybersecurity framework, replacing the original 2016 NIS Directive. Only 14 of 27 EU member states had fully transposed NIS2 by June 2025, missing the 17 October 2024 deadline. Germany published its transposition law on 5 December 2025 and required covered entities to register by 6 March 2026, with approximately one-third having registered by that date. The European Commission's infringement proceedings against non-transposing states are running in parallel.

NIS2 significantly expanded the scope of the original NIS Directive: more sectors are covered (including ICT services, digital infrastructure, and postal services); new obligations include supply-chain risk management and executive accountability; and the fine ceiling was raised to €15 million or 2.5 per cent of worldwide annual turnover. The directive requires member states to designate national competent authorities and CERTs for each covered sector.

For multinational organisations operating across EU member states, NIS2's incomplete transposition creates compliance uncertainty: obligations, enforcement timescales and sector-authority designations vary by member state. The CRA operates in parallel with NIS2, with manufacturer reporting obligations starting 11 September 2026 and main obligations from 11 December 2027, creating a dual-compliance calendar for connected-product manufacturers.

How the World Sees Them

UK (post-Brexit)

The UK's Cyber Security and Resilience Bill is the closest parallel to NIS2 in British law; UK companies with EU operations must track both frameworks independently.

German regulators

Germany's December 2025 transposition and March 2026 registration deadline both arrived late; only one-third compliance by registration deadline is an enforcement warning signal.

European Commission

Infringement proceedings against non-transposing states are the Commission's primary enforcement lever; the political will to pursue them against member state governments is itself a test of EU regulatory credibility.