The NIS2 Directive (EU 2022/2555) set a deadline of October 17, 2024 for EU Member States to transpose it into national law. Yet by July 2025, many are still catching up — and depending on how you define “transposed,” the answer to who’s compliant can vary.
Let’s break down what “transposition” really means, why there’s confusion, and which countries are currently aligned — based on the most reliable source available: the European Cyber Security Organisation (ECSO).
Transposing an EU directive isn’t a one-step action. It typically involves four stages:
Drafting – National authorities prepare draft legislation aligned with the directive.
Primary Law Adoption – Parliament or government enacts a national law (e.g., Cybersecurity Act).
Secondary Legislation – Supporting regulations or ministerial decrees flesh out the law’s application.
Formal Notification to the EU Commission – The final legal texts are submitted to Brussels to confirm official compliance.
The Commission requires full notification of all applicable legislation. Until this happens, the country is deemed non-compliant, regardless of whether national laws exist.
⚠️ As of May 2025, the Commission had issued reasoned opinions to 19 Member States for failing to notify full transposition — even though some had already adopted national laws.
Belgium
Croatia
Cyprus
Denmark
Finland
Greece
Hungary
Italy
Latvia
Lithuania
Malta
Romania
Slovakia
Slovenia
These countries now have NIS2-based obligations legally in force. Some are also issuing sector-specific guidelines and enforcement mechanisms.
All other EU Member States remain at the “draft law” stage or are otherwise pending formal enactment. This includes major economies like:
France
Germany
Netherlands
Spain
Ireland
Poland
Austria
Sweden
Portugal
Estonia, and others.
These countries may face mounting pressure from both the EU and industry as the compliance gap continues.
To accelerate full implementation, the European Commission is taking action:
Reasoned Opinions were sent to 19 Member States in May 2025 — a formal warning that non-compliance could lead to referral to the Court of Justice of the EU (CJEU).
Financial Penalties may be imposed if Member States fail to complete transposition and notification.
Public Accountability: The Commission has published lists naming non-compliant countries, increasing political pressure domestically.
If you’re part of a regulated sector — such as finance, energy, transport, health, digital infrastructure, or ICT — your obligations under NIS2 depend on national enforcement.
In countries where NIS2 laws are in force, you may be required to register, implement controls, and report incidents.
In draft-stage countries, enforcement is delayed — but once adopted, compliance may apply retroactively or come with compressed deadlines.
| Country Status | What It Means |
|---|---|
| Transposed (ECSO) | National law is adopted and in force — NIS2 obligations apply |
| Draft Law | Law not yet passed — obligations pending, but coming soon |
| Non-notified (Commission) | Even if law exists, not formally notified — EU considers it non-compliant |
✅ As of July 2025, 14 EU countries have fully transposed NIS2.
❗ The rest remain in draft or delayed status — and face pressure to act.
If your organisation operates across borders, you must track NIS2 implementation country by country. Let us know if you’d like help understanding your obligations or mapping your readiness.
