TrackerEU

NIS2 National Transposition Tracker

Maintain a source-linked register for NIS2 national transposition across EU Member States, without turning EU-level deadlines into unsupported local-law conclusions.

Use Commission transposition pages, country implementation pages, Article 41 dates, source wording, last-check dates, and legal review triggers to keep national status decisions auditable.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

This tracker is an operating model for NIS2 national transposition evidence. It helps teams record what the European Commission and official country pages say, when the source was checked, which business exposure depends on the country, and when legal review is needed before applying national obligations.

Section 1

Tracker purpose and limits

The national transposition tracker should answer a narrow evidence question: which official source supports the current NIS2 status for a Member State, what exact wording did it use, and what follow-up is needed before that status is used in product scoping, contracts, incident routing, registration, or management reporting.

Do not treat the Commission state-of-play page as a final legal opinion on every national measure. The Commission page says its content is based on information provided by Member States and is without prejudice to formal assessment of compliance with the NIS2 Directive.

  • Use the Commission NIS2 transposition page as the first tracker index for country implementation pages.
  • Keep the original source wording next to any simplified internal status label.
  • Separate EU-level deadlines from national-law duties, authority processes, and sector-specific implementation details.
  • Escalate to legal review before relying on a row for local registration, incident notification routing, customer commitments, or enforcement exposure.
  • Do not infer a country's full-transposition status from absence from an enforcement list; verify the current country source.
Sources for this answer
European Commission - NIS2 Directive transposition in EU countries
Primary Commission state-of-play page for NIS2 transposition across EU countries and links to country implementation pages.
Directive (EU) 2022/2555 (NIS2), Article 41
Binding NIS2 source for Member State transposition and application dates.
Section 2

EU baseline dates and enforcement signals

Every tracker row should include the EU baseline so reviewers can see when the Directive expected national action. Article 41 required Member States to adopt and publish implementing measures by 17 October 2024, immediately inform the Commission, and apply those measures from 18 October 2024.

The Commission transposition page records a later enforcement signal: on 7 May 2025, the Commission sent reasoned opinions to 19 Member States for failing to notify full transposition of the NIS2 Directive.

  • EU transposition deadline: 17 October 2024.
  • EU application date: 18 October 2024.
  • Reasoned-opinion checkpoint: 7 May 2025.
  • Member States listed by the Commission for the 7 May 2025 reasoned opinions: Bulgaria, Czechia, Denmark, Germany, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, the Netherlands, Austria, Poland, Portugal, Slovenia, Finland, and Sweden.
  • Use the reasoned-opinion flag as an escalation signal, not as the only status field.
Sources for this answer
Directive (EU) 2022/2555 (NIS2), Article 41
Legal source for the 17 October 2024 deadline and 18 October 2024 application date.
European Commission - NIS2 Directive transposition in EU countries
Commission source for the 7 May 2025 reasoned-opinion list and country implementation links.
European Commission - The Commission calls on 23 Member States to fully transpose the NIS2 Directive
Commission press release recording the 28 November 2024 letter-of-formal-notice stage and the 17 October 2024 national-law deadline.
Section 3

Country row fields

The tracker should be concise enough to maintain but specific enough to support audit and customer-facing answers. Use one row per Member State that matters to the business, and create separate rows when a country has multiple relevant authority contacts or business exposures.

Country rows should not collapse source nuance into a single green or red label. Preserve the source URL, source wording, date checked, and decision owner so later reviewers can see whether a row is still usable.

  • Record the Member State name and ISO code for each row.
  • Paste the Commission country page URL and the date it was last checked.
  • Capture the exact source status wording, such as the country page's status of transposition phrase.
  • Mark any reasoned-opinion flag and cite the 7 May 2025 Commission source when it applies.
  • List a national point of contact, competent authority, or CSIRT only when an official country page or other official public source verifies it.
  • Describe the relevant business exposure, such as legal entity, customer country, regulated service, supplier dependency, incident-reporting route, or no current exposure.
  • Name the decision owner, legal reviewer, next action, and reassessment date.
Sources for this answer
European Commission - NIS2 Directive transposition in EU countries
Use this Commission page to preserve the state-of-play caveat and navigate to country implementation pages.
European Commission - NIS2 Directive implementation in Italy
Country-page example from the grounding where the Commission records Italy's status of transposition as transposed and lists points of contact.
European Commission - NIS2 Directive implementation in Germany
Country-page example from the grounding where the Commission records a 7 May 2025 reasoned opinion for failure to notify full transposition.
European Commission - NIS2 Directive implementation in Sweden
Country-page example from the grounding with points of contact, competent authorities, and national CSIRT information.
Section 4

Review cadence and change triggers

National transposition status can change independently of product planning. Assign a tracker owner for source checks and a legal reviewer for interpretations that will be reused outside the compliance team.

A row should be reopened when an official source changes, the business enters a new Member State, an authority contact is needed for incident routing, or a customer asks for country-specific NIS2 evidence.

  • Schedule reviews at least quarterly while transposition and enforcement signals remain active.
  • Recheck the row when the Commission transposition page changes, a country page changes, a new national-law link appears, or a source URL breaks.
  • Reopen the row when the business adds a legal entity, customer market, regulated service, supplier dependency, or incident-reporting route.
  • Flag missing last-checked dates, missing source wording, unsupported status labels, stale contact details, and source URLs without the required reference parameter.
  • Require approval before using any tracker row for local-law scope, registration, incident notification, contract language, or management-body reporting.
Sources for this answer
European Commission - NIS2 Directive transposition in EU countries
Commission page states that country information is a state of play and links to country pages that may be updated as information becomes available.
Directive (EU) 2022/2555 (NIS2), Article 3
Legal source for Member State lists of essential and important entities and recurring review expectations.
Recommended next step

Keep country status decisions source-linked and reviewable

Sorena can help convert NIS2 national transposition checks into a maintained register with source URLs, exact status wording, last-check dates, reviewer approvals, and escalation triggers for country-specific legal follow-up.

Research workflow
Open Research Copilot for NIS2

Ask source-linked questions about NIS2 transposition status, country implementation pages, Article 41 dates, and authority contacts using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through national coverage

Review your Member State coverage, country-source gaps, legal escalation rules, and tracker maintenance process with Sorena.

Explore next step
Primary sources

References and citations

Directive (EU) 2022/2555 (NIS2)
eur-lex.europa.eu
Referenced sections
  • Binding NIS2 directive text, including Article 41 transposition and application dates and Article 3 entity-list review obligations.
"measures necessary to comply"
Directive (EU) 2022/2555 (NIS2), Article 3
eur-lex.europa.eu
Referenced sections
  • Legal source for Member State lists of essential and important entities and recurring review expectations.
"review and, where appropriate, update"
Related guides

Explore more topics

Are managed service providers in scope of NIS2?
NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
EU NIS2 Directive applicability test for entity scope
Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks
source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
FAQ: NIS2 essential vs important entity classification and registration obligations
Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
NIS2 24-hour early warning: what to send and when
Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
NIS2 72-hour incident notification FAQ
Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
NIS2 Annex I and Annex II Sector Scoping Guide
Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
NIS2 Article 21 control baseline and evidence checklist
Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
NIS2 Article 21 control-by-control evidence checklist
Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners
Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
NIS2 Article 23 incident notification workflow
Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
NIS2 Compliance Checklist: scope, controls, reporting
Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
NIS2 Compliance Guide: scope, controls, reporting, and evidence
A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
NIS2 Country Transposition Tracker: EU Status Workflow
Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
NIS2 Entity Classifier Workflow: essential vs important entity scoping
Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
NIS2 essential vs important entities: Article 3 scope and supervision guide
Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
NIS2 essential vs important entities: supervision regime and audit evidence requirements
Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties
source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
NIS2 incident clock triage workflow
Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps
Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
NIS2 Management Body Accountability: board duties, training, and evidence
source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
NIS2 Member State Transposition: What Teams Must Check
How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
NIS2 penalties and fines: Article 34 caps for essential and important entities
NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
NIS2 Registration and Authority Notification Guide
Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
NIS2 Requirements: scope, Article 21 controls, reporting, and evidence
Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
NIS2 Size Cap Rule and Special Scope Cases
Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
NIS2 size-cap rule: when medium and large entities are in scope
Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
NIS2 supply chain security program: Article 21 controls, contracts, and evidence
Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience
Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance
Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
NIS2 vs GDPR breach reporting: EU deadlines and overlap
Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.
NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits
Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
NIS2 vs NIS1: what changed in EU cybersecurity compliance
Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.