NIS2 by Country
Every EU member state transposes NIS2 in its own way, with different competent authorities, registration portals, and national additions. Select your country for a detailed compliance guide.
Find out if your company is in scope
Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?
Germany
Germany transposed NIS2 via the NIS2UmsuCG (KRITIS-Dachgesetz + BSI-Gesetz update). BSI is the primary supervisory authority with fines up to €10 million.
France
France transposed NIS2 through Loi n°2024-1177 (the RGCP law) in January 2025. ANSSI leads supervision with a graduated enforcement approach.
Netherlands
The Netherlands transposed NIS2 via the Cyberbeveiligingswet (CBW), which entered into force in late 2024. NCSC-NL and sector-specific regulators share supervisory duties.
Belgium
Belgium enacted its NIS2 law in April 2024, one of the first EU member states to fully transpose. CCB leads enforcement with fines up to €10 million.
Italy
Italy transposed NIS2 via Legge 90/2024, with ACN (Agenzia per la Cybersicurezza Nazionale) as the central authority. Enforcement is phased through 2026.
Sweden
Sweden transposed NIS2 via the Cybersäkerhetslagen (2024:1247) effective January 2025. NCSC Sweden coordinates, with MSBFS issuing sector-specific binding regulations.
Poland
Poland is updating its national cybersecurity act (UKSC) to transpose NIS2. The draft NIS2 law is in final legislative stages with enforcement expected mid-2025.
Austria
Austria transposed NIS2 via the Netz- und Informationssystemsicherheitsgesetz 2024 (NISG 2024). The Federal Ministry of the Interior (BMI) is the primary supervisory authority.
Bulgaria
Bulgaria is transposing NIS2 through amendments to the national Cybersecurity Act. The Ministry of Electronic Governance acts as the primary coordinator.
Croatia
Croatia transposed NIS2 through the Zakon o kibernetičkoj sigurnosti. ZSIS coordinates the cybersecurity framework across all sectors.
Cyprus
Cyprus implemented NIS2 through the Security of Network and Information Systems Law. The Digital Security Authority (DSA) supervises compliance.
Czechia
Czechia transposed NIS2 through the new Cybersecurity Act. NÚKIB regulates compliance with robust technical guidelines and strict penalties.
Denmark
Denmark transposed NIS2 via amendments to the national Netsikkerhedslov. CFCS coordinates cross-sector cybersecurity strategies.
Estonia
Estonia transposed NIS2 via the Küberturvalisuse seadus. RIA enforces advanced cyber protocols across the highly digitized nation.
Finland
Finland transposed NIS2 via the Cybersecurity Governance Act. Traficom handles supervisory coordination and incident tracking.
Greece
Greece enacted Law 5160/2024 to transpose NIS2. The National Cybersecurity Authority (NCSA) manages compliance across all critical infrastructure.
Hungary
Hungary transposed NIS2 via Act XXIII of 2023. SZTFH coordinates audits, registrations, and enforcement structures.
Ireland
Ireland is in the final legislative phases of passing the National Cyber Security Bill 2024. NCSC-IE is designated as the primary supervisor.
Latvia
Latvia implemented NIS2 through the Nacionālās kiberdrošības likums. Coordination is handled jointly by the NCSC-LV and CERT.LV.
Lithuania
Lithuania transposed NIS2 into the national Cybersecurity Act. NKSC coordinates compliance audits and threat alerts.
Luxembourg
Luxembourg is transposing NIS2 via Projet de loi n°8385. ANSSI-LU is the designated competent authority for broad cybersecurity coordination.
Malta
Malta transposed NIS2 via the Cybersecurity Act, 2024. MITA regulates network defense and guides organizations through self-registration.
Portugal
Portugal transposed NIS2 through Decreto-Lei n.º 65/2024. GNS coordinates standards, with CNCS coordinating incident response.
Romania
Romania transposed NIS2 through amendments to its cybersecurity legislation. DNSC acts as the central supervisory authority.
Slovakia
Slovakia transposed NIS2 via amendments to its Cybersecurity Act. The National Security Authority (NBÚ) directs enforcement and audits.
Slovenia
Slovenia transposed NIS2 via amendments to the Information Security Act. URSIV regulates network standards and audits.
Spain
Spain is transposing NIS2 through a draft national Cybersecurity Governance Act. CCN-CERT and INCIBE share coordination duties.
EU-wide NIS2 Transposition
NIS2 had to be transposed by all EU member states by 17 October 2024. While core obligations (Articles 20-23) are harmonised, registration procedures, competent authorities, and national additions vary significantly.
For entities operating across multiple EU countries, the law of the member state where you have your main establishment generally applies.