NIS2Free Resource

EU NIS2 Directive Timeline and Compliance Guide

Use this artifact to scope NIS2 applicability under Annex I or Annex II, test the size cap and regardless of size triggers, decide whether you are an essential or important entity, and convert Article 20, Article 21, and Article 23 into an implementation plan.

NIS2 entered into force on 16 January 2023. Member States had to transpose it by 17 October 2024 and apply national measures from 18 October 2024. The exact supervisory route, reporting portal, and local penalty regime still depend on Member State implementation.

Run the NIS2 applicability test
Publication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Feb 23, 2026
Updated
May 9, 2026
What you can decide faster
In scope or out of scope
Annex I or Annex II mapping, size cap logic, regardless of size triggers, and Article 4 overlap checks.
Essential vs important
What changes in supervision, evidence expectations, management accountability, and enforcement.
Controls + reporting
Article 21 measures, Implementing Regulation (EU) 2024/2690 where relevant, and Article 23 reporting.
By Sorena AIGrounded in official EU sourcesUpdated May 2026
Quick scan
NIS2
Scope
Map services to Annex I or Annex II and document size and jurisdiction logic.
Controls
Implement Article 21 measures and the 2024/2690 baseline where applicable.
Reporting
Run a 24h early warning, 72h notification, and 1 month final report workflow.
Use the linked guides to turn NIS2 into scope memos, management approvals, incident runbooks, and evidence packs.
16 Jan 2023
In force
17 Oct 2024
Transposition
17 Apr 2025
Entity lists
2024/2690
Implementing act
Essential vs important
Article 21 baseline
24h/72h reporting
NIS2 Timeline

Key dates for NIS2 compliance planning

Track adoption, transposition, entity list deadlines, the 2024 implementing regulation, the 2025 Commission enforcement step on late transposition, and the 2026 targeted amendment proposal while keeping your local overlays current.

Loading timeline...

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
Read Guide
2
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
Read Guide
3
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
Read Guide
4
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
Read Guide
5
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
Read Guide
6
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
Read Guide
7
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
Read Guide
8
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
Read Guide
9
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
Read Guide
10
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
Read Guide
11
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
Read Guide
12
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
Read Guide
13
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
Read Guide
14
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
Read Guide
15
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
Read Guide
16
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
Read Guide
17
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
Read Guide
18
NIS2 National Transposition Tracker: EU Member State Evidence Register
Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
Read Guide
19
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
Read Guide
20
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
Read Guide
21
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
Read Guide
22
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
Read Guide
23
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
Read Guide
24
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
Read Guide
25
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
Read Guide
26
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
Read Guide
27
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
Read Guide
28
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
Read Guide
29
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.
Read Guide
Next step

Turn NIS2 scoping, controls, and reporting into an assessment workflow

Use the timeline as the entry point for an NIS2 work plan: confirm Annex I or Annex II scope, record essential or important entity status, assign Article 21 control owners, and prepare the Article 23 incident reporting clock for the Member State authorities that apply to your services.

What this unlocks
  • Create a scope record for each service, legal entity, Member State, Annex sector, size-cap result, and any regardless-of-size trigger.
  • Translate Article 20 and Article 21 into management approvals, risk-management measures, control owners, and evidence requests.
  • Prepare incident triage so significant incidents can move from early warning to notification to final report within the NIS2 reporting sequence.
  • Track national transposition overlays separately from the EU-level dates because portals, supervisory routes, and penalty rules are Member State specific.
Recommended route
Open Assessment Autopilot
Convert NIS2 scope, Article 21 measures, and reporting duties into owned tasks, evidence requests, and review checkpoints.
Supporting route
Open Research Copilot
Research scope, timing, Article 4 overlap, and Member State implementation questions with cited outputs.
Talk to Sorena
Talk through implementation
Review NIS2 applicability, control evidence, incident reporting handoffs, and national implementation dependencies.
Discuss your setup
EU NIS2 timeline and compliance planning preview
Share it internally
Download the timeline export to align legal, product, engineering, and commercial teams on milestones and deadlines.