DeadlinesEU

EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar

Turn NIS2 dates into deliverables, owners, and escalation gates.

Focus: legal anchor dates, transposition reality, entity listing milestones, and operational readiness for Article 21 and Article 23.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

Dates only help if they drive work. Use this page to convert NIS2 anchor dates into scope memos, entity registry submissions, management approvals, incident reporting tests, and evidence refresh cycles.

Section 1

EU-level anchor dates you should track

These dates are in the directive or in official Commission material. National measures can add registration or reporting steps, but they do not replace these EU-level anchors.

  • 16 January 2023: NIS2 entered into force.
  • 17 October 2024: Member States had to adopt and publish transposition measures.
  • 18 October 2024: Member States had to apply those measures, and NIS1 was repealed.
  • 17 January 2025: entities within Article 27 had to submit core entity information to competent authorities, and Member States had to notify the Commission of national penalty rules under Article 36.
  • 17 April 2025: Member States had to establish lists of essential and important entities and notify key figures to the Commission.
Section 2

Current transposition milestones you should reflect in planning

The Commission tracker is a state-of-play tool, not a formal legal assessment. It is still useful for planning because it shows where local overlays may still be moving.

  • 7 May 2025: the Commission sent reasoned opinions to 19 Member States for not notifying full transposition.
  • 1 July 2025: the Commission transposition tracker page showed its latest update date.
  • 20 January 2026: the Commission proposed targeted NIS2 amendments to simplify and clarify parts of the framework. This is a proposal, not current law.
Recommended next step

Turn EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar into an operational assessment

Assessment Autopilot can take EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar from planning deadlines, owners, and milestones from this page to a reusable workflow inside Sorena. Teams working on EU NIS2 Directive (EU) 2022/2555 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar

Start from EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU NIS2 Directive (EU) 2022/2555

Review your current process, evidence gaps, and next steps for EU NIS2 Directive (EU) 2022/2555 Deadlines and Compliance Calendar.

Explore next step
Section 3

What to deliver before each milestone

Convert each date into a concrete output. If a calendar item does not point to a file, a register, or a tested workflow, it is too vague.

  • Before transposition review: scope memo, Annex I or Annex II mapping, essential or important classification note, and Article 4 overlap analysis.
  • Before Article 27 data collection: entity registry data set, legal-entity identifiers, contact points, and service mapping ready for authority submission.
  • Before operational go-live: authority and CSIRT route map, portal accounts, 24h and 72h templates, and a tested significant incident decision log.
  • Before supervisory contact: Article 21 control register, management approval evidence, and indexed evidence vault.
Section 4

Internal recurring calendar items

NIS2 compliance is a repeating management system. Use recurring reviews to keep evidence current and reduce incident severity.

  • Monthly: vulnerability backlog review, patch SLA performance, and privileged access and MFA coverage checks.
  • Monthly: backup integrity and restore test review for critical systems.
  • Quarterly: supplier risk review, incident reporting tabletop, and management oversight meeting.
  • Annually: crisis simulation, evidence vault refresh, and scope memo revalidation after organisational changes.
Primary sources

References and citations

Related guides

Explore more topics

Applicability Test | EU NIS2 Directive (EU) 2022/2555 | In Scope? Essential vs Important?
A grounded NIS2 applicability test: map each legal entity to Annex I or Annex II, apply the NIS2 size-cap rule and regardless-of-size triggers.
Article 21 Control Baseline | EU NIS2 Directive (EU) 2022/2555 | Cybersecurity Risk Management Measures
A practical Article 21 control baseline for NIS2: translate Article 21(2)(a) to (j) into owned controls, KPIs, tests, and evidence.
Checklist | EU NIS2 Directive (EU) 2022/2555 | Audit-Ready Owners, Evidence, Acceptance Criteria
An audit-ready EU NIS2 compliance checklist: scope (Annex I/II + size-cap rules), essential vs important classification, Article 21 control baseline.
Compliance Guide | EU NIS2 Directive (EU) 2022/2555 | Build an Audit-Ready Program
A practical EU NIS2 compliance guide: how to run scope and classification, build Article 21 controls, implement Article 23 reporting workflows.
FAQ | EU NIS2 Directive (EU) 2022/2555 | Scope, Essential vs Important, Article 21, Article 23 (24h/72h)
High-intent EU NIS2 FAQ: who is in scope, how essential vs important works, what Article 21 requires.
Incident Reporting Workflow | EU NIS2 Directive (EU) 2022/2555 | 24h Early Warning, 72h Notification, Final Report (1 Month)
A practical NIS2 incident reporting workflow grounded in Article 23 and Commission Implementing Regulation (EU) 2024/2690: define significant incidents.
Management Body Accountability | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Training, Liability
A practical Article 20 governance guide for EU NIS2: what the management body must approve and oversee, how liability and training work.
National Transposition Tracker | EU NIS2 Directive (EU) 2022/2555 | How to Track Local Laws, Authorities, Portals
A practical NIS2 national transposition tracker: monitor Member State implementation, find competent authority and CSIRT routes.
NIS2 vs ISO/IEC 27001 | How to Reuse Your ISMS for EU NIS2 Directive (EU) 2022/2555
A practical NIS2 vs ISO/IEC 27001 mapping: how to reuse an ISMS (risk assessment, policies, internal audits, management review.
NIS2 vs ISO/IEC 27017 | Cloud Security Mapping for EU NIS2 Directive (EU) 2022/2555
A practical mapping for cloud teams: how NIS2 Article 21 controls and Article 23 reporting apply to cloud service providers and cloud-dependent organisations.
NIS2 vs NIS1 | Directive (EU) 2022/2555 vs Directive (EU) 2016/1148 | Scope, Supervision, Reporting
A practical comparison of NIS2 vs NIS1: what changed in scope and sectors, how essential vs important works.
Penalties and Fines | EU NIS2 Directive (EU) 2022/2555 | Article 32-34 Enforcement + Fine Thresholds
A practical NIS2 enforcement guide: how supervision works for essential vs important entities (Articles 32-33), what enforcement measures authorities can use.
Requirements | EU NIS2 Directive (EU) 2022/2555 | Article 20 Governance, Article 21 Controls, Article 23 Reporting
A practical EU NIS2 requirements breakdown grounded in Articles 20 to 23, the Article 3 and Article 4 guidelines, and Implementing Regulation (EU) 2024/2690.
Scope: Essential vs Important | EU NIS2 Directive (EU) 2022/2555 | Article 3 Classification + What Changes
A practical guide to NIS2 scope classification: how essential vs important entities work (Article 3).
Supply Chain Security Program | EU NIS2 Directive (EU) 2022/2555 | Article 21(d) Supplier Risk + Evidence
A practical NIS2 supply chain security program (Article 21(d)): vendor tiering, security requirements, onboarding/offboarding controls, continuous assurance.