NIS2 transposition by country: why your obligations depend on national law

By ComplyBricks · Last reviewed Jul 12, 2026

A point that trips up a lot of organisations: NIS2 itself does not directly bind you. It's a directive, which each EU member state must turn into its own national law. Your actual obligations live in that national transposition — which is why "what does NIS2 require of me?" has a slightly different answer depending on where you operate.

Directive vs regulation — why it matters

Unlike the GDPR (a regulation that applies directly and uniformly), NIS2 is a directive. It sets the objectives and a common baseline, but each member state:

  • passes its own transposing law;
  • designates the competent authorities and CSIRT(s) you report to;
  • may add sectors or entities beyond the directive's minimum;
  • sets national details on registration, supervision, and penalties.

The transposition deadline was 17 October 2024 (Art. 41). In practice, national implementation timing has varied — some member states transposed on time, others later — so both the substance and the "is it in force yet?" answer can differ by country.

What this means for you

  • The baseline (in-scope sectors, the Art. 21 measures, the Art. 23 reporting timeline) is broadly consistent across the EU.
  • The specifics — exactly who you register with, which authority you notify, additional sectors, and enforcement details — come from your national law.
  • If you operate in several member states, you may deal with more than one national regime and authority.

How to find the rules that bind you

  1. Identify the member state(s) where you're established or provide services.
  2. Find that country's NIS2 transposition law and its designated competent authority / CSIRT.
  3. Confirm the current status and any sector additions with that authority.
  4. If you're unsure whether you're even in scope, start with Am I in scope for NIS2? or the scope checker.

A note on accuracy

Because national transposition is still settling and changes over time, we don't publish specific per-country legal claims here — verify the current position with your national competent authority or a qualified professional. For how NIS2 relates to a framework you may already run, see NIS2 vs ISO 27001.

References

  • NIS2 — Directive (EU) 2022/2555, incl. Art. 41 (transposition, deadline 17 Oct 2024)

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →