NIS2 transposition by country: why your obligations depend on national law
By ComplyBricks · Last reviewed Jul 12, 2026
A point that trips up a lot of organisations: NIS2 itself does not directly bind you. It's a directive, which each EU member state must turn into its own national law. Your actual obligations live in that national transposition — which is why "what does NIS2 require of me?" has a slightly different answer depending on where you operate.
Directive vs regulation — why it matters
Unlike the GDPR (a regulation that applies directly and uniformly), NIS2 is a directive. It sets the objectives and a common baseline, but each member state:
- passes its own transposing law;
- designates the competent authorities and CSIRT(s) you report to;
- may add sectors or entities beyond the directive's minimum;
- sets national details on registration, supervision, and penalties.
The transposition deadline was 17 October 2024 (Art. 41). In practice, national implementation timing has varied — some member states transposed on time, others later — so both the substance and the "is it in force yet?" answer can differ by country.
What this means for you
- The baseline (in-scope sectors, the Art. 21 measures, the Art. 23 reporting timeline) is broadly consistent across the EU.
- The specifics — exactly who you register with, which authority you notify, additional sectors, and enforcement details — come from your national law.
- If you operate in several member states, you may deal with more than one national regime and authority.
How to find the rules that bind you
- Identify the member state(s) where you're established or provide services.
- Find that country's NIS2 transposition law and its designated competent authority / CSIRT.
- Confirm the current status and any sector additions with that authority.
- If you're unsure whether you're even in scope, start with Am I in scope for NIS2? or the scope checker.
A note on accuracy
Because national transposition is still settling and changes over time, we don't publish specific per-country legal claims here — verify the current position with your national competent authority or a qualified professional. For how NIS2 relates to a framework you may already run, see NIS2 vs ISO 27001.
References
- NIS2 — Directive (EU) 2022/2555, incl. Art. 41 (transposition, deadline 17 Oct 2024)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →