Has Your Country Transposed the NIS2 Directive? Understanding Where Things Stand in July 2025

The NIS2 Directive (EU 2022/2555) set a deadline of October 17, 2024 for EU Member States to transpose it into national law. Yet by July 2025, many are still catching up — and depending on how you define “transposed,” the answer to who’s compliant can vary.

Let’s break down what “transposition” really means, why there’s confusion, and which countries are currently aligned — based on the most reliable source available: the European Cyber Security Organisation (ECSO).

What Does “Transposition” Actually Mean?

Transposing an EU directive isn’t a one-step action. It typically involves four stages:

  1. Drafting – National authorities prepare draft legislation aligned with the directive.

  2. Primary Law Adoption – Parliament or government enacts a national law (e.g., Cybersecurity Act).

  3. Secondary Legislation – Supporting regulations or ministerial decrees flesh out the law’s application.

  4. Formal Notification to the EU Commission – The final legal texts are submitted to Brussels to confirm official compliance.


Two Ways to Interpret “Transposition”

National Legislative View (e.g., ECSO Tracker)

This view focuses on whether a country has passed and enacted its primary law implementing NIS2. Once this law is active, the country is generally considered to have “transposed” the directive — even if some secondary rules are pending.

EU Commission Compliance View

The Commission requires full notification of all applicable legislation. Until this happens, the country is deemed non-compliant, regardless of whether national laws exist.

⚠️ As of May 2025, the Commission had issued reasoned opinions to 19 Member States for failing to notify full transposition — even though some had already adopted national laws.


✅ Countries That Have Transposed NIS2 (ECSO Status: “Transposed”)

  • Belgium

  • Croatia

  • Cyprus

  • Denmark

  • Finland

  • Greece

  • Hungary

  • Italy

  • Latvia

  • Lithuania

  • Malta

  • Romania

  • Slovakia

  • Slovenia

These countries now have NIS2-based obligations legally in force. Some are also issuing sector-specific guidelines and enforcement mechanisms.


❌ Countries Still Working on Draft Laws

All other EU Member States remain at the “draft law” stage or are otherwise pending formal enactment. This includes major economies like:

  • France

  • Germany

  • Netherlands

  • Spain

  • Ireland

  • Poland

  • Austria

  • Sweden

  • Portugal

  • Estonia, and others.

These countries may face mounting pressure from both the EU and industry as the compliance gap continues.


⚖️ EU Enforcement Action

To accelerate full implementation, the European Commission is taking action:

  • Reasoned Opinions were sent to 19 Member States in May 2025 — a formal warning that non-compliance could lead to referral to the Court of Justice of the EU (CJEU).

  • Financial Penalties may be imposed if Member States fail to complete transposition and notification.

  • Public Accountability: The Commission has published lists naming non-compliant countries, increasing political pressure domestically.


🧩 Why This Matters for Regulated Entities

If you’re part of a regulated sector — such as finance, energy, transport, health, digital infrastructure, or ICT — your obligations under NIS2 depend on national enforcement.

  • In countries where NIS2 laws are in force, you may be required to register, implement controls, and report incidents.

  • In draft-stage countries, enforcement is delayed — but once adopted, compliance may apply retroactively or come with compressed deadlines.


📝 Final Takeaways

Country StatusWhat It Means
Transposed (ECSO)National law is adopted and in force — NIS2 obligations apply
Draft LawLaw not yet passed — obligations pending, but coming soon
Non-notified (Commission)Even if law exists, not formally notified — EU considers it non-compliant

✅ As of July 2025, 14 EU countries have fully transposed NIS2.
❗ The rest remain in draft or delayed status — and face pressure to act.


If your organisation operates across borders, you must track NIS2 implementation country by country. Let us know if you’d like help understanding your obligations or mapping your readiness.


Implementation Blog