What is the NIS2 Directive 17 January 2025 deadline?

5 obligations from NIS2 Directive carry 17 January 2025 as their deadline in the Fontvera corpus. The page above lists each, grouped by sector.

Is the NIS2 Directive 17 January 2025 deadline still active?

That date is past (499 days ago). The obligations listed should already be in force for any organisation in scope.

What happens if you miss the NIS2 Directive 17 January 2025 deadline?

Per-obligation penalties vary — see the Penalty column on each obligation. Where the row is silent, the regulation's general fine ceiling applies. Refer to a qualified legal advisor for exposure modelling.

§ NIS2 Directive BRIEFING

NIS2 Directive Compliance Deadline: 17 January 2025

5 obligations from NIS2 Directive fell due on 17 January 2025. In force since this date — see what should already be in place.

Summary

5 NIS2 Directive obligations carry 17 January 2025 as their deadline. This page lists them grouped by sector with article references and the action each obligation requires — extracted verbatim from the Regulation.

The deadline has passed (499 days ago). The obligations listed below should already be in force for any organisation in scope. Use the page as an audit checklist.

Who this applies to

Any organisation in scope of NIS2 Directive that has obligations dated 17 January 2025.

Compliance deadline

17 January 2025 — already in force.

§ Detail

In depth

Obligations due by this deadline

For all in-scope entities

Art 19 — The Cooperation Group shall establish the methodology and organisational aspects of peer reviews with the assistance of the Commission and ENISA.
Art 15 — By 17 January 2025, and every two years thereafter, the CSIRTs network shall assess the progress made with regard to the operational cooperation and adopt a report.
Art 36 — Member States shall notify the Commission of the rules on penalties and measures taken to ensure implementation by 17 January 2025.

For online platforms and search engines

Art 27 — Member States shall require entities listed in paragraph 1 to submit specific identification and contact information to the competent authorities by 17 January 2025.
Art 27 — Entities referred to in paragraph 1 must submit their name, sector, address, contact details, Member States of service provision, and IP ranges to competent authorities.

Checklist — what you need to have done

Art 19: establish
Art 15: assess
Art 27: require submission
Art 27: submit
Art 36: notify

What should already be in place — audit framing

17 January 2025 is 499 days behind us. The obligations on this page have been in force since then; treat any gap as an audit finding, not a planning question. The expected baseline under NIS2 Directive:

entity registration with the competent authority — should be done already
incident-reporting playbook update — should be done already
management-body cybersecurity training — should be done already

If any of these are missing, the right next step is a gap assessment plus a documented remediation plan — not a re-design of the underlying programme.

Related Fontvera pages

Check your full compliance exposure with the 5-minute Fontvera diagnostic →

§ What Fontvera found

Documents in our corpus

Enforcement data is expanding. AI Act enforcement begins 2 August 2026 — this section will populate automatically as authorities and courts publish decisions citing the regulations covered on this page.

§ Cross-references

Related Fontvera intelligence

Need a cross-border briefing on this?

Search Fontvera ↵ Run the AI Act diagnostic

AI Act enforcement

63 days

until 2026-08-02, when most AI Act provisions begin to apply.