The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated network and information security legislation, replacing the original 2016 NIS Directive. It entered into force on January 16, 2023, with member states required to transpose it into national law by October 17, 2024.
Transposition Status
Most EU member states missed the October 2024 deadline. As of January 2026, only 14 of 27 member states have completed transposition. Late jurisdictions include France, Ireland, and Spain, where transposition is still pending, and Germany, which enacted its law in December 2025. On May 7, 2025, the European Commission issued reasoned opinions to 19 member states for failing to notify full transposition.
Country Updates
Germany enacted its NIS2 implementation law on December 6, 2025, over a year after the deadline. France’s Senate adopted the transposition bill in March 2025, but National Assembly examination is still pending. Sweden has proposed a new Cyber Security Act to take effect on January 15, 2026.
January 2026 Amendments
On January 20, 2026, the Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance. The amendments are expected to ease requirements for 28,700 companies, including 6,200 micro and small enterprises.
Who Is Covered
NIS2 significantly expands scope compared to the original directive.
Essential Entities
Energy (electricity, oil, gas, hydrogen), transport (air, rail, water, road), banking and financial market infrastructure, health (hospitals, laboratories, pharmaceutical manufacturing), drinking water and wastewater, digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs), public administration, and space.
Important Entities
Postal and courier services, waste management, chemical manufacturing, food production and distribution, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.
Key Compliance Requirements
Risk management measures require implementing policies for risk analysis, incident handling, business continuity, and supply chain security. Incident reporting requires notifying national authorities of significant incidents within 24 hours (initial notification) and within 72 hours (full notification). Supply chain security requires assessing and managing cybersecurity risks from suppliers and service providers. Management accountability means senior management must approve and oversee cybersecurity measures and can be held personally liable for gross negligence. Regular cybersecurity awareness training for management and staff is also required.
Penalties
Non-compliance penalties are significant. Essential entities face up to 10 million euros or 2% of global annual turnover, whichever is higher. Important entities face up to 7 million euros or 1.4% of global annual turnover, whichever is higher. C-level executives can face personal liability in cases of gross negligence.
National Variations
Although NIS2 establishes a common EU baseline, member states are adding their own requirements. Organizations operating across multiple EU jurisdictions should assess NIS2 scope in each relevant country, as national implementing laws may introduce sector-specific or governance requirements beyond the directive’s baseline.
Recommendations
Organizations in scope should determine which member state laws apply based on establishment and operations, map all applicable requirements including national variations, implement incident detection and 24/72-hour reporting capabilities, review supply chain contracts for cybersecurity obligations, and ensure management is formally accountable for cybersecurity decisions.