EU NIS2 Directive deadlines and compliance calendar

The first calendar rows should come from the Directive itself. Article 41 required Member States to adopt and publish measures by 17 October 2024 and apply those measures from 18 October 2024. Article 44 repealed Directive (EU) 2016/1148 with effect from 18 October 2024.

For affected organisations, those EU-level dates are not the whole answer. The practical calendar must also track the national implementing law, the competent authority or CSIRT route, and any local registration or reporting mechanism in each Member State where services are provided.

Article 27 creates a separate registry workstream for DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, online search engines, and social networking services platforms.

Member States must require those entities to submit specified information to competent authorities by 17 January 2025. After submission, changes must be notified without delay and in any event within three months of the change.

Article 3 required Member States to establish a list of essential and important entities, plus entities providing domain name registration services, by 17 April 2025. Member States must review and, where appropriate, update that list regularly and at least every two years.

The same article required competent authorities to notify the Commission and the Cooperation Group by 17 April 2025 and every two years thereafter with entity-count information by sector and subsector. Organisations should treat this as a national classification and evidence-maintenance cycle, not merely an EU reporting date for authorities.

Article 23 is an operational clock, not a fixed calendar date. The deadlines start when the entity becomes aware of a significant incident, so the calendar should link incident-severity triage, legal review, CSIRT or competent-authority routing, and customer communication into one runbook.

The Directive requires an early warning within 24 hours, an incident notification within 72 hours, possible intermediate reporting when requested, and a final report not later than one month after the incident notification. If the incident is ongoing at final-report time, the entity must provide a progress report then and a final report within one month of handling the incident.

NIS2 also placed implementing-act work on the Commission. Article 21(5) required the Commission, by 17 October 2024, to adopt implementing acts for technical and methodological cybersecurity risk-management requirements for specified digital infrastructure, ICT service management, digital provider, and trust service provider categories.

Commission Implementing Regulation (EU) 2024/2690 is therefore a calendar dependency for covered digital sectors. The practical row is not just the regulation date; it is the evidence plan for policies, procedures, asset handling, incident handling, access control, supply-chain controls, vulnerability handling, and other technical measures covered by the implementing regulation and ENISA implementation guidance.

The Commission's transposition page is a country-watch source because national implementation was still uneven after the EU deadline. It records that on 7 May 2025 the Commission sent reasoned opinions to 19 Member States for failing to notify full transposition; those Member States had two months to respond and take the necessary measures.

The longer-term EU review row is Article 40: by 17 October 2027 and every 36 months thereafter, the Commission must review the functioning of the Directive and report to the European Parliament and the Council. Compliance calendars should treat that as a policy-watch item, not an entity filing deadline.