§ NIS2 Directive · Article 15

NIS2 Directive Article 15: Obligations, Deadlines & Penalties

Directive (EU) 2022/2555, Article 15 · All obligations · NIS2 Directive
At a glance
Article 15 of the NIS2 Directive imposes 18 obligations on CSIRTs network. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 15

Obligation 1
The CSIRTs network shall exchange information about the CSIRTs’ capabilities. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
exchange
Deadline
Penalty
Obligation 2
The CSIRTs network shall facilitate the sharing, transfer and exchange of technology and relevant measures, policies, tools, processes, best practices and frameworks among the CSIRTs. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
facilitate
Deadline
Penalty
Obligation 3
The CSIRTs network shall exchange relevant information about incidents, near misses, cyber threats, risks and vulnerabilities. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
exchange
Deadline
Penalty
Obligation 4
The CSIRTs network shall exchange information with regard to cybersecurity publications and recommendations. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
exchange
Deadline
Penalty
Obligation 5
The CSIRTs network shall ensure interoperability with regard to information-sharing specifications and protocols. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
ensure
Deadline
Penalty
Obligation 6
At the request of a member potentially affected by an incident, the CSIRTs network shall exchange and discuss information in relation to that incident and associated cyber threats, risks and vulnerabilities. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
exchange
Deadline
Penalty
Obligation 7
At the request of a member, the CSIRTs network shall discuss and, where possible, implement a coordinated response to an incident identified within the jurisdiction of that Member State. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
implement
Deadline
Penalty
Obligation 8
The CSIRTs network shall provide Member States with assistance in addressing cross-border incidents pursuant to this Directive. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
provide
Deadline
Penalty
Obligation 9
The CSIRTs network shall cooperate, exchange best practices and provide assistance to the CSIRTs designated as coordinators with regard to the management of the coordinated disclosure of vulnerabilities which could have a significant impact on entities in more than one Member State. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
cooperate
Deadline
Penalty
Obligation 10
The CSIRTs network shall discuss and identify further forms of operational cooperation, including in relation to categories of cyber threats, early warnings, mutual assistance, and coordination principles. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
discuss
Deadline
Penalty
Obligation 11
The CSIRTs network shall inform the Cooperation Group of its activities and of the further forms of operational cooperation discussed, and, where necessary, request guidance in that regard. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
inform
Deadline
Penalty
Obligation 12
The CSIRTs network shall take stock of cybersecurity exercises, including those organised by ENISA. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
take stock
Deadline
Penalty
Obligation 13
At the request of an individual CSIRT, the CSIRTs network shall discuss the capabilities and preparedness of that CSIRT. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
discuss
Deadline
Penalty
Obligation 14
The CSIRTs network shall cooperate and exchange information with regional and Union-level Security Operations Centres (SOCs) in order to improve common situational awareness on incidents and cyber threats across the Union. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
cooperate
Deadline
Penalty
Obligation 15
Where relevant, the CSIRTs network shall discuss the peer-review reports referred to in Article 19(9). Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
discuss
Deadline
Penalty
Obligation 16
The CSIRTs network shall provide guidelines in order to facilitate the convergence of operational practices with regard to the application of the provisions of this Article concerning operational cooperation. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
provide
Deadline
Penalty
Obligation 17
By 17 January 2025, and every two years thereafter, the CSIRTs network shall assess the progress made with regard to the operational cooperation and adopt a report. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
assess
Deadline
17 January 2025, and every two years thereafter
Penalty
Obligation 18
The CSIRTs network shall submit the report on operational cooperation progress to the Cooperation Group. Directive (EU) 2022/2555, Article 15, Article 15
Obligated entity
CSIRTs network
Action required
submit
Deadline
Penalty
§ National transposition

Verified transposition provisions

Country Axis Value / approach Diverges National act
AT audit_requirement National phased assurance model: entities must submit a self-declaration (Selbstdeklaration) of implemented risk-management measures by 30 September 2027, and the authority may demand formal compliance verification (Nachweis) at the earliest from 1 October 2028. Yes NISG 2026, BGBl. I Nr. 94/2025
AT competent_authority A newly established Cybersicherheitsbehörde (cybersecurity authority) within the Federal Ministry of the Interior (BMI) supervises and enforces the NISG 2026; incident reports run via the NIS2 reporting platform and the CSIRT. No NISG 2026, BGBl. I Nr. 94/2025
AT incident_definition Reporting attaches to significant incidents ("erhebliche Sicherheitsvorfälle") per the directive Art. 23(3) criteria (severe operational disruption/financial loss or considerable damage to others), as implemented in the NISG 2026 and operationalised via the WKO/BMI guidance. No NISG 2026, BGBl. I Nr. 94/2025
AT management_liability Management (Geschäftsführer/Vorstand) bears responsibility for approving, implementing and monitoring cybersecurity risk-management measures and must complete cybersecurity training, per the NISG 2026 governance provisions. No NISG 2026, BGBl. I Nr. 94/2025
AT national_act Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026), Art. 1 of BGBl. I Nr. 94/2025, promulgated 23 December 2025; consolidated text in the RIS (Bundesrecht konsolidiert). No NISG 2026, BGBl. I Nr. 94/2025
AT penalties Administrative fines up to EUR 10 million or 2% of worldwide annual turnover for wesentliche Einrichtungen (essential entities) and up to EUR 7 million or 1.4% for wichtige Einrichtungen (important entities). No NISG 2026, BGBl. I Nr. 94/2025
AT registration_requirement Essential and important entities must register with the Cybersicherheitsbehörde within 3 months of the law taking effect — i.e. by 31 December 2026 for entities in scope on 1 October 2026. No NISG 2026, BGBl. I Nr. 94/2025
AT reporting_timeline Three-stage reporting of significant incidents via the NIS2 reporting platform / CSIRT: early warning within 24 hours, incident notification within 72 hours, final report within one month. No NISG 2026, BGBl. I Nr. 94/2025
AT transposition_date Promulgated 23 December 2025 (BGBl. I Nr. 94/2025); entry into force 1 October 2026 (nine months after promulgation, on the first of the following month). Yes NISG 2026, BGBl. I Nr. 94/2025
AT transposition_status Adopted, entering into force 1 October 2026. The Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026) was passed by the Nationalrat with the required two-thirds majority on 12 December 2025 and promulgated in BGBl. I Nr. 94/2025 on 23 December 2025; it enters into force nine months after promulgation, on 1 October 2026. A first transposition attempt failed in 2024 for lack of a two-thirds majority. Yes Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026), BGBl. I Nr. 94/2025
BE audit_requirement Articles 39-40: essential entities must undergo regular conformity assessment — either periodic conformity evaluation/certification under the CyberFundamentals (CyFun) framework or ISO/IEC 27001 (frameworks set by the Royal Decree of 9 June 2024), or inspection by the national cybersecurity authority. Voluntary for important entities. This ex-ante verification regime exceeds the directive minimum. Yes Loi du 26 avril 2024 (numac 2024202344); Arrêté royal du 9 juin 2024
BE competent_authority Centre for Cybersecurity Belgium (CCB) is the national cybersecurity authority (Art. 16) and national CSIRT; registration and incident notification run through the CCB's Safeonweb@Work platform, with sectoral authorities for some sectors. No Loi du 26 avril 2024 (numac 2024202344)
BE incident_definition Significant-incident criteria track directive Art. 23(3): an incident causing or capable of causing severe operational disruption or financial loss, or affecting others with considerable material or non-material damage; notification duties set out in Article 35 of the law. No Loi du 26 avril 2024 (numac 2024202344)
BE management_liability Article 31 §1: management bodies must approve cybersecurity risk-management measures, supervise their implementation and are responsible ("sont responsables") for violations; members must follow cybersecurity training. No Loi du 26 avril 2024 (numac 2024202344)
BE national_act Loi du 26 avril 2024 établissant un cadre pour la cybersécurité des réseaux et des systèmes d'information d'intérêt général pour la sécurité publique ("NIS2 Law"), Moniteur belge 17 May 2024, numac 2024202344, plus implementing Royal Decree of 9 June 2024. No Loi du 26 avril 2024 (numac 2024202344); Arrêté royal du 9 juin 2024
BE penalties Administrative fines up to EUR 10,000,000 or 2% of worldwide annual turnover (whichever higher) for essential entities and up to EUR 7,000,000 or 1.4% for important entities (Title 4, Arts. 58-61 "Mesures et amendes administratives"); fines are doubled on repeat offence within three years. Yes Loi du 26 avril 2024 (numac 2024202344)
BE registration_requirement Article 13: essential and important entities must register (name, BCE number, contacts, sector, IP ranges) via the CCB's Safeonweb@Work portal within 5 months of entry into force — i.e. by 18 March 2025 for entities in scope at commencement. Yes Loi du 26 avril 2024 (numac 2024202344)
BE reporting_timeline Article 35: early warning ("alerte précoce") to the national CSIRT within 24 hours of awareness, complete incident notification with initial assessment within 72 hours, final report within 1 month. No Loi du 26 avril 2024 (numac 2024202344)
BE transposition_date Entry into force 18 October 2024 (law of 26 April 2024, published Moniteur belge 17 May 2024). No Loi du 26 avril 2024 (numac 2024202344)
BE transposition_status Adopted and in force. Law of 26 April 2024 published in the Moniteur belge on 17 May 2024, in force since 18 October 2024 — Belgium transposed on time (one of the first member states), completed by the NIS2 Royal Decree of 9 June 2024. No Loi du 26 avril 2024 établissant un cadre pour la cybersécurité des réseaux et des systèmes d'information d'intérêt général pour la sécurité publique (Moniteur belge 17 mai 2024, numac 2024202344)
BG competent_authority Multi-authority model: national competent authorities designated by the Council of Ministers, with compliance control also exercised by the Ministry of Defence, Ministry of Interior and the State Agency for National Security; the Minister of e-Government maintains the national register of essential/important entities; the national CSIRT is CERT Bulgaria (govcert.bg) under the e-Government administration. Yes Zakon za kibersigurnost, as amended SG 13.02.2026
BG management_liability Managers and members of governing bodies bear direct responsibility for approving cybersecurity risk-management measures and for ensuring management and staff undergo appropriate cybersecurity training; personal fines of EUR 500 to EUR 5,000 (BGN equivalent) may be imposed on managers/governing-body members for non-compliance. Yes Zakon za kibersigurnost, as amended SG 13.02.2026
BG national_act Act amending and supplementing the Cybersecurity Act (Zakon za kibersigurnost, originally SG No. 94/2018), NIS2 amendments promulgated in the State Gazette of 13 February 2026. A new National Cybersecurity Strategy and implementing Ordinance are mandated from the Council of Ministers. No Zakon za kibersigurnost (SG 94/2018), as amended SG 13.02.2026
BG penalties Essential entities: fines up to EUR 10,000,000 or 2% of global annual turnover, with a statutory minimum of EUR 25,000; important entities: up to EUR 7,000,000 or 1.4%, minimum EUR 12,500; personal manager fines EUR 500-5,000. Reduced penalty levels apply during a grace period until 1 June 2026. Yes Zakon za kibersigurnost, as amended SG 13.02.2026
BG registration_requirement Hybrid identification model: the Council of Ministers must adopt an identification/designation methodology within 6 months of entry into force; national competent authorities then have a further 5 months to designate essential and important entities and notify the Minister of e-Government, who establishes and maintains the national register. Registered entities must report changes to registry information within two weeks. Yes Zakon za kibersigurnost, as amended SG 13.02.2026
BG reporting_timeline Early warning within 24 hours, formal incident notification within 72 hours, final report within one month. No Zakon za kibersigurnost, as amended SG 13.02.2026
BG scope_extension Regulated sectors expanded from 8 to 18, adding manufacturing, postal and courier services, waste management, food and chemical production, digital services and scientific research; previous designation-based system replaced by automatic coverage of medium-sized and larger enterprises in scoped sectors, with dual essential/important categorisation. No Zakon za kibersigurnost, as amended SG 13.02.2026
BG transposition_date Promulgated in the State Gazette on 13 February 2026; effective 17 February 2026 (per Chambers analysis; standard vacatio legis), with no transitional compliance period but reduced penalties applying until 1 June 2026. Yes Zakon za izmenenie i dopalnenie na Zakona za kibersigurnost (SG 13.02.2026)
BG transposition_status Adopted. Parliament adopted comprehensive NIS2 amendments to the Cybersecurity Act on 5 February 2026; promulgated in the State Gazette on 13 February 2026, ~16 months after the directive deadline. Bulgaria had received a Commission reasoned opinion for non-transposition on 7 May 2025. Yes Zakon za izmenenie i dopalnenie na Zakona za kibersigurnost (amendments to the Cybersecurity Act, State Gazette 13 February 2026; SG issue number not confirmed)
CY audit_requirement Directive-baseline supervision: essential entities subject to ex-ante and ex-post supervision by the DSA (information requests, inspections, audits); important entities subject to ex-post supervision only. No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY competent_authority Digital Security Authority (DSA / Αρχή Ψηφιακής Ασφάλειας) is the competent authority and single point of contact (also acting via the Commissioner of Communications); CSIRT-CY is the national CSIRT. No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY management_liability The law expressly provides that the highest level of management bears final responsibility for cybersecurity risk management in both essential and important entities, embedding cybersecurity into corporate governance in line with Art. 20 NIS2. No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY national_act Ο περί Ασφάλειας Δικτύων και Συστημάτων Πληροφοριών (Τροποποιητικός) Νόμος του 2025 - Ν. 60(Ι)/2025, amending Ν. 89(Ι)/2020 (Official Gazette of the Republic of Cyprus, 25 April 2025). No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY penalties Administrative fines imposed by the DSA of up to EUR 10,000,000 or 2% of global annual turnover (whichever higher) for essential entities and up to EUR 7,000,000 or 1.4% for important entities - directive baseline. No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY reporting_timeline Stricter than the directive: initial notification of a significant incident within SIX (6) hours (vs the directive's 24-hour early warning), full notification within 72 hours, and a final report within one month. Yes Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY scope_extension Scope follows the directive: essential/important entities in the directive sectors, with size-cap exemptions for trust service providers, cloud computing and data centres; relative to the prior NIS1 law it substantially broadens coverage (public sector entities, postal services, digital infrastructure), but no significant additions beyond the directive minimum identified. No Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY transposition_date Law 60(I)/2025 published in the Official Gazette of the Republic of Cyprus and in force since 25 April 2025. Yes Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CY transposition_status Adopted (late). Cyprus transposed NIS2 by the Network and Information Systems Security (Amendment) Law of 2025, Law 60(I)/2025, amending the Security of Networks and Information Systems Law of 2020 (Law 89(I)/2020); published/in force 25 April 2025. Cyprus had received a Commission reasoned opinion (7 May 2025) for failure to notify full transposition. Yes Ο περί Ασφάλειας Δικτύων και Συστημάτων Πληροφοριών (Τροποποιητικός) Νόμος του 2025, Ν. 60(Ι)/2025 (τροποποιεί Ν. 89(Ι)/2020)
CZ competent_authority NUKIB (Narodni urad pro kybernetickou a informacni bezpecnost) is the competent authority and single point of contact; its GovCERT.CZ acts as governmental CSIRT for higher-obligations providers; the National CERT (CSIRT.CZ) receives incident reports from lower-obligations providers. No Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ incident_definition Reportable cybersecurity incident: an incident within the regulated scope that originates in cyberspace and for which intentional causation cannot be excluded within a maximum of 24 hours. Higher-obligations providers report ALL such incidents to NUKIB (which assesses significant impact within 24 hours); lower-obligations providers report only incidents with significant impact (self-assessed under the implementing decree) to the National CERT. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ management_liability Statutory body members of higher-obligations providers who repeatedly or seriously breach their duties in connection with an ordered corrective measure may be banned by NUKIB from exercising the managerial function until deficiencies are remedied, for at least 6 months; continuing in a top-management role despite the ban is a separate administrative offence. NUKIB may also suspend cybersecurity certificates. No Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ national_act Act No. 264/2025 Sb., on Cybersecurity (zakon o kyberneticke bezpecnosti) - a full replacement of Act No. 181/2014 Sb., plus accompanying Act No. 265/2025 Sb. amending related statutes. No Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti; zakon c. 265/2025 Sb. (doprovodny zakon)
CZ penalties Maximum administrative fines: CZK 250,000,000 or up to 2% of net worldwide annual turnover (higher-obligations regime); CZK 175,000,000 or up to 1.4% (lower-obligations regime); further offence tiers at CZK 100M / 50M / 35M / 20M, including continuing in top management despite a ban. Fines must not be existentially ruinous by law. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ registration_requirement Self-identification model: providers must assess whether they provide a regulated service and notify it via the NUKIB Portal; existing providers had 60 days from entry into force (1 November - 31 December 2025). Registration decision triggers transitional deadlines: contact/technical data within 30 days, security measures within 1 year of the registration decision. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti (prechodna ustanoveni)
CZ reporting_timeline Initial incident report without undue delay via NUKIB Portal; where the incident has significant impact: further report within 72 hours, interim report on request, final report within 30 days (60 days if the incident is still ongoing). NUKIB confirms significant-impact assessment within 24 hours for higher-regime providers. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ scope_extension Czech-specific additions beyond the directive: (1) 'strategically important services' must be operable/available from Czech territory; (2) supply-chain security screening mechanism - NUKIB assesses security-significant suppliers of critical parts of strategically important services and the government may prohibit use of a supplier or issue a risk warning; supplier reporting within 1 year of designation. Self-identification 'regulated service' model replaces essential/important entity lists with higher/lower obligations regimes. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ transposition_date Entry into force 1 November 2025. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti
CZ transposition_status Adopted and in force. New Cybersecurity Act No. 264/2025 Sb. published in the Collection of Laws on 4 August 2025, effective 1 November 2025; missed the 17 October 2024 directive deadline. Yes Zakon c. 264/2025 Sb., o kyberneticke bezpecnosti (Sbirka zakonu, 4 August 2025)
DE audit_requirement Operators of critical facilities (KRITIS tier) must regularly demonstrate compliance to the BSI via audits, tests or certifications (Nachweispflichten, § 39 BSIG) — an ex-ante proof duty beyond the directive minimum. No general mandatory audit for other besonders wichtige/wichtige Einrichtungen. Yes BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE competent_authority Bundesamt für Sicherheit in der Informationstechnik (BSI) is the competent supervisory authority, registration point, incident-reporting recipient and hosts the national CSIRT function. No BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE incident_definition Reporting duty attaches to "erhebliche Sicherheitsvorfälle" (significant security incidents) as defined in the amended BSIG, tracking the directive's Art. 23(3) criteria (severe operational disruption or financial loss, or considerable material/non-material damage to others). No BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE management_liability § 38 BSIG imposes implementation, monitoring and training duties on management bodies (Geschäftsleitungen): they must approve and oversee risk-management measures and attend security training; secondary commentary reports personal liability of managers for culpable breaches of these duties. Yes BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE national_act Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (NIS-2-Umsetzungsgesetz, NIS2UmsuCG), amending the BSI-Gesetz (BSIG). BGBl. 2025 I Nr. 301, promulgated 5 December 2025. No NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE penalties Fine catalogue in § 65 BSIG: up to EUR 10 million or 2% of global annual turnover for besonders wichtige Einrichtungen; up to EUR 7 million or 1.4% for wichtige Einrichtungen, mirroring directive Art. 34. No BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE registration_requirement Entities must register with the BSI within 3 months of first (or renewed) falling in scope (§ 33 BSIG); operators of critical facilities have a special registration duty (§ 34). Registration runs via "Mein Unternehmenskonto" plus the BSI portal; changes must be notified within 2 weeks. No BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE reporting_timeline Early warning to BSI within 24 hours of awareness, incident notification within 72 hours, final/follow-up report within 30 days (one month). No BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE scope_extension Germany keeps its pre-existing KRITIS regime as a third, stricter tier: "Betreiber kritischer Anlagen" (operators of critical facilities) sit above the directive's besonders wichtige / wichtige Einrichtungen split, with special requirements (§ 31), special registration (§ 34) and proof duties (§ 39 BSIG). BSI estimates ~29,500 entities in scope. Yes BSIG as amended by NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE transposition_date Entry into force 6 December 2025 (day after promulgation in BGBl. 2025 I Nr. 301 of 5 December 2025). Yes NIS2UmsuCG, BGBl. 2025 I Nr. 301
DE transposition_status Adopted and in force. NIS-2 implementation act promulgated in the Federal Law Gazette on 5 December 2025 and in force since 6 December 2025 (no transition period). Yes Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (NIS2UmsuCG), BGBl. 2025 I Nr. 301
DK audit_requirement No standing mandatory audit beyond the directive minimum; competent authorities may order regular and targeted security audits and on-site inspections as supervisory measures (§§ 21-22 for essential entities, § 24 reactive supervision for important entities). No Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK competent_authority Decentralised sectoral model: sector-responsible ministries/authorities supervise their own sectors (designated under § 20); national CSIRT is the Centre for Cyber Security (CFCS) under the Danish Defence Intelligence Service; overall coordination by Ministeriet for Samfundssikkerhed og Beredskab / Styrelsen for Samfundssikkerhed. Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK incident_definition An incident is significant (væsentlig) if it (1) has caused or is capable of causing serious operational disruption of services or financial loss for the entity, or (2) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (§ 12 stk. 2). Mirrors Art. 23(3) NIS2. No Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK management_liability The entity's management body must approve cybersecurity risk-management measures, supervise their implementation, and participate in relevant courses on cyber risk management (§ 7). Follows directive Art. 20 baseline. No Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK national_act Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven) — LOV nr 434 af 06/05/2025 (Lovtidende A). Energy, telecoms and financial sectors are transposed via separate sector acts (§ 1 stk. 2). No LOV nr 434 af 06/05/2025 (Lovtidende A)
DK penalties Violations are punished with criminal fines (bøde) via the ordinary prosecution system (§ 32); legal persons liable under Criminal Code chapter 5. The act itself sets no fixed maximum amounts and Denmark does not use administrative fines — deviating from the directive's administrative-fine model (EUR 10M/2% and 7M/1.4% ceilings). Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK registration_requirement All essential and important entities must register with the relevant competent authority (§ 10; DNS/TLD/digital-provider entities under § 9), information due by 1 October 2025 (§ 33 stk. 3). Registration is made via the Virk.dk portal. Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK reporting_timeline Early warning without undue delay and within 24h; incident notification within 72h; interim report on CSIRT request; final report within 1 month of the incident notification (or 1 month after handling if ongoing). Trust service providers: notification within 24h (§ 13). No Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK scope_extension No general extension beyond the directive minimum in the main act; instead Denmark carves OUT energy, telecoms and financial entities into separate sector legislation (lov om styrket beredskab i energisektoren; lov om sikkerhed og beredskab i telesektoren; lov om finansiel virksomhed § 333). Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK transposition_date Entry into force 1 July 2025 (§ 33). Registration duties phased: information under §§ 9-10 due by 1 October 2025 (§ 33 stk. 3). Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
DK transposition_status Adopted and in force. Main act passed by Folketinget 29 April 2025, promulgated 6 May 2025, in force 1 July 2025 (after the 17 Oct 2024 directive deadline). Yes Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau (NIS 2-loven), LOV nr 434 af 06/05/2025
EE audit_requirement Estonia requires implementation of security measures per the Estonian information security standard E-ITS or ISO/IEC 27001; audit-obligated service providers must submit the E-ITS audit conclusion to RIA within 30 days of receiving the audit results (ISO route: conformity certificate to RIA). Exceeds the directive's supervisory-audit minimum. Yes Küberturvalisuse seadus (KüTS) and implementing rules
EE competent_authority Single national competent authority: Riigi Infosüsteemi Amet (RIA, Information System Authority), with CERT-EE (within RIA) as national CSIRT and incident-reporting point (raport.cert.ee). No Küberturvalisuse seadus (KüTS), as amended RT I, 30.12.2025, 4
EE management_liability Management must actively own cybersecurity: organisations must conduct regular risk assessments, implement protective measures, build incident-detection capability and provide staff training, with responsibility anchored at management level per RIA guidance on the amended KüTS. No Küberturvalisuse seadus (KüTS), as amended RT I, 30.12.2025, 4
EE national_act Küberturvalisuse seadus (KüTS, in force since 2018) as amended by the Küberturvalisuse seaduse ja teiste seaduste muutmise seadus (NIS2 transposition), RT I, 30.12.2025, 4. No Küberturvalisuse seadus (KüTS); amending act RT I, 30.12.2025, 4
EE penalties Fines up to EUR 10,000,000 or 2% of annual turnover for essential entities and up to EUR 7,000,000 or 1.4% of previous-year total turnover for important entities, per RIA on the amended KüTS. No Küberturvalisuse seadus (KüTS), as amended RT I, 30.12.2025, 4
EE registration_requirement Covered service providers must notify/register with the Information System Authority (RIA) within three months of the provisions entering into force (i.e. by about 1 April 2026). Yes Küberturvalisuse seadus (KüTS), as amended RT I, 30.12.2025, 4
EE scope_extension Scope roughly doubled: from ~3,500 to ~6,500 covered entities per RIA, adding airlines, railways, utilities, district heating, port operators, cloud providers, hospitals, food processors, postal and waste-management companies meeting size criteria. Pre-existing KüTS scope (state and local authorities, vital service providers) already exceeded the directive baseline. Yes Küberturvalisuse seadus (KüTS), as amended RT I, 30.12.2025, 4
EE transposition_date Amendment act entered into force 1 January 2026; covered service providers must bring activities into conformity within a three-month transition (registration by ~1 April 2026), with a three-year transition period for full alignment of security measures. Yes Küberturvalisuse seaduse ja teiste seaduste muutmise seadus, RT I, 30.12.2025, 4
EE transposition_status Adopted and in force. NIS2 transposed by amending the existing Cybersecurity Act (küberturvalisuse seadus, KüTS): amendment act adopted by Riigikogu 10 December 2025, published RT I, 30.12.2025, 4, in force 1 January 2026. Yes Küberturvalisuse seaduse ja teiste seaduste muutmise seadus (küberturvalisuse 2. direktiivi ülevõtmine), RT I, 30.12.2025, 4
ES competent_authority The draft law creates the Centro Nacional de Ciberseguridad (National Cybersecurity Centre), attached to the Office of the Prime Minister, as the single national competent authority and single point of contact. Pending adoption, the NIS1-era authorities (CCN, INCIBE/CNPIC arrangements under RD-ley 12/2018) continue to operate. Yes Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad (draft, not yet in force)
ES national_act Draft only: Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, approved by the Council of Ministers 14 January 2025; no BOE publication yet as no law has been adopted. Existing NIS1 transposition (Real Decreto-ley 12/2018) remains in force. Yes Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad (draft, not yet in force)
ES transposition_status Not yet transposed. The draft "Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad" was approved by the Council of Ministers on 14 January 2025 (urgent procedure) but remains stuck in parliamentary processing as of mid-2026. Spain missed the 17 October 2024 deadline and received a European Commission reasoned opinion (May 2025) in infringement proceedings. Yes Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad (draft, not yet in force)
FI audit_requirement No standing mandatory audit beyond the directive minimum; supervisory authorities exercise oversight and may issue supervision decisions and warnings (ch. 4, incl. 31 §). No Kyberturvallisuuslaki 124/2025
FI competent_authority Sectoral supervision by existing regulators (Traficom, Energy Authority/Energiavirasto, FIN-FSA, Tukes, Valvira, Fimea, etc.); the National Cyber Security Centre Finland (NCSC-FI) at Traficom acts as CSIRT and single point of contact under Art. 8(3) NIS2 and coordinates supervisory cooperation. Yes Kyberturvallisuuslaki 124/2025
FI incident_definition Significant incident (merkittävä poikkeama / betydande incident) defined as one causing or capable of causing serious operational disruption or financial loss, or affecting others through considerable material or immaterial damage; additionally any situation specified in Commission implementing acts under Art. 23(11) NIS2 is deemed significant. No Kyberturvallisuuslaki 124/2025
FI management_liability Management is responsible for approving and overseeing cybersecurity risk management; for essential entities the supervisory authority may temporarily restrict management's activity (Begränsning av ledningens verksamhet, 32 §) if enforcement measures fail. Follows directive Art. 20/32(5) baseline. No Kyberturvallisuuslaki 124/2025
FI national_act Kyberturvallisuuslaki / Cybersäkerhetslag 124/2025 (Finlands författningssamling), the general NIS2 implementing act; sector-specific supervision remains with existing regulators. No Kyberturvallisuuslaki 124/2025
FI penalties Administrative sanction fee (hallinnollinen seuraamusmaksu): essential entities up to EUR 10,000,000 or 2% of total global annual turnover (whichever is higher); other (important) entities up to EUR 7,000,000 or 1.4%. Imposed by a dedicated Sanction Fee Board (påföljdsavgiftsnämnd, 36-37 §). Public-sector bodies (state authorities, municipalities, welfare regions, the national churches, etc.) are exempt from the sanction fee. Yes Kyberturvallisuuslaki 124/2025
FI registration_requirement Entities must submit their identification/contact information to the supervisory authority for the list of essential and important entities (41 §); under the transitional provision the notification was due within one month of entry into force, i.e. by 8 May 2025. Yes Kyberturvallisuuslaki 124/2025
FI reporting_timeline First notification within 24 hours of detecting the significant incident and follow-up notification within 72 hours of detection (11 §); interim report on request (12 §); final report to the supervisory authority within one month of the follow-up notification, or for prolonged incidents within one month after handling ends (13 §). Trust service providers: follow-up within 24 hours. No Kyberturvallisuuslaki 124/2025
FI scope_extension Scope follows the directive annex sectors (energy, transport, banking, health, digital infrastructure, chemicals/REACH operators, etc.) as listed in the act's annexes; no significant national extension of entity scope beyond the directive minimum identified in the act text. No Kyberturvallisuuslaki 124/2025
FI transposition_date Entry into force 8 April 2025 ("Denna lag träder i kraft den 8 april 2025", transitional provisions). Registration under 41 § due within one month of entry into force. Yes Kyberturvallisuuslaki 124/2025
FI transposition_status Adopted and in force. Kyberturvallisuuslaki (Cybersecurity Act) 124/2025 approved by Eduskunta in March 2025; in force 8 April 2025 — after the 17 Oct 2024 directive deadline. Yes Kyberturvallisuuslaki 124/2025
FR competent_authority ANSSI (Agence nationale de la sécurité des systèmes d'information) is the national cybersecurity authority: NIS2 supervisor, incident-notification recipient, CSIRT (CERT-FR) and CyCLONe participant. Since 17 March 2026 ANSSI also publishes the voluntary Référentiel Cyber France (ReCyF) aligned with NIS2. No Projet de loi résilience (pending); ANSSI guidance
FR incident_definition Bill (Senate first-reading text) defines a notifiable "incident important" as one that caused or could cause severe operational disruption of services or financial losses, or affected/could affect third parties causing considerable material, bodily or moral damage — tracking directive Art. 23(3). No Projet de loi résilience, texte adopté Sénat n° 78 (2024-2025)
FR management_liability Bill requires that management bodies (organes de direction) approve and supervise network and information system security governance measures, and that their members and risk-exposed staff receive cybersecurity training (Article 14, texte Sénat). No Projet de loi résilience, texte adopté Sénat n° 78 (2024-2025)
FR national_act Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité (bill, not yet law). Senate texte adopté n° 78 (2024-2025) of 12 March 2025; Assemblée nationale dossier 17e législature DLR5L17N50731. Titre II transposes NIS2; also transposes CER and DORA-adjacent provisions. No Projet de loi résilience des infrastructures critiques et renforcement de la cybersécurité (PRMD2412608L)
FR penalties Bill provides administrative fines, imposed via an ANSSI sanctions commission, of up to EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and up to EUR 7 million or 1.4% for important entities; the 10M/2% ceiling appears in the Senate text (e.g. Art. L.1332-17 for the resilience strand). No Projet de loi résilience, texte adopté Sénat n° 78 (2024-2025)
FR registration_requirement Bill requires entities to communicate to ANSSI the information needed to establish and keep up to date the list of essential and important entities (Article 12, texte Sénat). ANSSI has pre-launched the "MonEspaceNIS2" service (now MesServicesCyber) with a scope simulator and registration anticipation via ClubSSI. No Projet de loi résilience, texte adopté Sénat n° 78 (2024-2025)
FR reporting_timeline Bill provides notification to ANSSI: initial notification within 24 hours of awareness, intermediate notification with first assessment within 72 hours (24 hours for trust service providers), final report no later than one month after the intermediate notification. No Projet de loi résilience, texte adopté Sénat n° 78 (2024-2025)
FR scope_extension Per the Senate special-commission report, roughly 15,000 entities will be regulated, including ~1,500 territorial collectivities (départements, régions), ~1,000 inter-municipal groupings, 300+ communes above 30,000 inhabitants and higher-education institutions — an explicit extension to local government beyond the directive's public-administration minimum. Yes Projet de loi résilience (Senate report n° 393, 2024-2025)
FR transposition_status Not yet adopted. The "projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité" was adopted by the Sénat at first reading on 12 March 2025 (texte adopté n° 78, 2024-2025) and by the Assemblée nationale special commission on 10 September 2025; no public-session adoption or promulgation as of July 2026. Yes Projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité (PRMD2412608L)
GR audit_requirement Essential entities: regular, ad hoc and targeted security audits, on-site inspections, off-site supervision, information requests, binding instructions; important entities: ex-post targeted assessments, inspections, scans and spot checks. Entities must maintain policies/procedures to assess the effectiveness of their cyber risk-management measures; the national requirements framework is set by JMD 1689/2025. Yes Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024); ΚΥΑ 1689/2025 (ΦΕΚ Β' 2186/06.05.2025)
GR competent_authority Εθνική Αρχή Κυβερνοασφάλειας (EAK / National Cybersecurity Authority, established by Law 5086/2024, under the Ministry of Digital Governance) is the single competent authority - handling registration, supervision, incident handling (national CSIRT) and enforcement. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR incident_definition Significant incident: one causing serious operational disruption of services or financial loss, or affecting other natural/legal persons by causing considerable material or non-material damage - mirroring Art. 23(3) NIS2. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR management_liability Management bodies had to approve cybersecurity risk-management measures within 3 months of the law's entry into force, ensure implementation, and maintain a unified cybersecurity policy subject to annual approval by the National Cybersecurity Authority; managers (managing directors, legal representatives) can face temporary prohibition from exercising managerial functions for non-compliance. Yes Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR national_act Law 5160/2024 "transposition of Directive (EU) 2022/2555 (NIS2)" - ΦΕΚ Α' 195/27.11.2024; implemented by Joint Ministerial Decisions 1381/2025 (entity registration) and 1689/2025 (National Cybersecurity Requirements Framework, ΦΕΚ Β' 2186/06.05.2025). No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR penalties Administrative fines up to EUR 10,000,000 or 2% of global annual turnover for essential entities; up to EUR 7,000,000 or 1.4% for important entities; plus fines for public administration bodies, temporary suspension of certifications/authorisations and temporary bans on managerial function holders. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR registration_requirement Mandatory registration in the EAK Registry of Obligated Entities via the national platform (nis2register.cyber.gov.gr) or interim email channel: digital-infrastructure providers by 28 March 2025, other essential/important entities by 11 April 2025 per JMD 1381/2025; submission window subsequently extended (ultimately to 30 September 2025). Yes Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024); ΚΥΑ 1381/2025
GR reporting_timeline Three-stage reporting to the National Cybersecurity Authority/CSIRT: early warning within 24 hours, detailed incident notification within 72 hours (with interim updates on request), final report within one month - matching the directive baseline. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR scope_extension Scope largely tracks the directive: entities in Annex I/II sectors meeting the medium-size threshold (plus qualitative criteria such as sole provider or critical national/regional importance); DORA-covered financial entities excluded as lex specialis. No major national sector additions identified. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR transposition_date Law 5160/2024 published in ΦΕΚ Α' 195 on 27 November 2024 and in force from publication, with phased implementing acts through 2025 (e.g. JMD 1381/2025 on registration, JMD 1689/2025 on the national cybersecurity requirements framework, ΦΕΚ Β' 2186/06.05.2025). No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
GR transposition_status Adopted. Greece transposed NIS2 by Law 5160/2024, published in the Government Gazette (ΦΕΚ Α' 195) on 27 November 2024 - shortly after the 17 October 2024 directive deadline. No Νόμος 5160/2024 (ΦΕΚ Α' 195/27.11.2024)
HR audit_requirement Beyond the directive: key entities must undergo a cybersecurity audit at least once every two years by a certified auditor (Čl. 34), delivering the report to the competent authority within 8 days; important entities must perform a cybersecurity self-assessment at least every two years (Čl. 35), producing a compliance statement or remediation plan. Yes Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR competent_authority Multi-authority model: the Security and Intelligence Agency (SOA) is the central cybersecurity authority operating the National Cyber Security Centre (NCSC-HR); UVNS is central authority for information security; ZSIS handles technical information security; sectoral regulators (e.g. HAKOM) act per Annex III of the Act; CSIRT functions at SOA and CARNET. No Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR incident_definition Significant incident criteria follow the directive concept (serious operational disruption/financial loss or considerable damage to others); detailed significance thresholds and notification criteria are specified in the implementing Uredba o kibernetičkoj sigurnosti (NN 135/2024). No Zakon o kibernetičkoj sigurnosti (NN 14/2024); Uredba o kibernetičkoj sigurnosti (NN 135/2024)
HR management_liability Members of management bodies of key and important entities are responsible for implementation of cyber risk-management measures: they must approve the measures, control their implementation, and undergo (and enable employee) cybersecurity training (Čl. 29) - tracking the directive's Art. 20 baseline. No Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR national_act Zakon o kibernetičkoj sigurnosti - Narodne novine br. 14/2024 (7.2.2024), implemented by Uredba o kibernetičkoj sigurnosti - Narodne novine br. 135/2024. No Zakon o kibernetičkoj sigurnosti (NN 14/2024); Uredba o kibernetičkoj sigurnosti (NN 135/2024)
HR penalties Misdemeanour fines up to EUR 10,000,000 or 2% of total worldwide annual turnover for key (essential) entities and up to EUR 7,000,000 or 1.4% for important entities, in line with the directive; sanctions set out in the Act's misdemeanour provisions (Dio sedmi - Prekršajne odredbe). No Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR registration_requirement Authority-driven categorisation plus entity data duties: competent authorities categorise entities and notify them within 30 days (Čl. 19(4)); entities must supply registry data on request within 15-45 days (Čl. 20(2)); specific digital service providers must provide special-register data within 15 days of request and report changes within 3 months (Čl. 23). Registration handled via the national JISKB portal (first cycle deadline reported as 1 March 2025). Yes Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR reporting_timeline Notification clocks for significant incidents follow the NIS2 scheme, with detail set in the Uredba o kibernetičkoj sigurnosti (NN 135/2024). Phase-in under the Act: key and important entities must start notifying significant incidents within 30 days of receiving their categorisation notice (Čl. 37(4), 38(3)); audit/self-assessment reports go to the competent authority within 8 days. No Zakon o kibernetičkoj sigurnosti (NN 14/2024); Uredba o kibernetičkoj sigurnosti (NN 135/2024)
HR scope_extension Scope exceeds the directive minimum: public sector bodies of any size and critical-infrastructure-designated entities of any size are key entities; interoperability intermediaries covered regardless of size; the act also adds a domain-registration data regime (identity verification, 25-year retention, 72-hour law-enforcement disclosure), active cyber defence provisions and a voluntary national threat-detection system for out-of-scope entities. Yes Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR transposition_date Published in Narodne novine 14/2024 on 7 February 2024; entered into force 15 February 2024. Implementing Uredba o kibernetičkoj sigurnosti published NN 135/2024 (November 2024). No Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HR transposition_status Adopted. Croatia was the first Member State to transpose NIS2: Zakon o kibernetičkoj sigurnosti (Cybersecurity Act), Narodne novine 14/2024 of 7 February 2024, in force 15 February 2024 - eight months ahead of the directive deadline. No Zakon o kibernetičkoj sigurnosti (NN 14/2024)
HU audit_requirement Mandatory recurring cybersecurity audit by an auditor entered in the SZTFH auditor register: entities operating before 1 January 2025 had to contract an auditor by 31 August 2025 (contract reported to SZTFH) and complete the first audit by 30 June 2026 (deadlines extended from the original 120-days/1 May 2025 and 31 December 2025 scheme). Yes 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU competent_authority Dual structure: the Supervisory Authority for Regulated Activities (SZTFH) supervises NIS2-covered private/market entities (registration, security classification oversight, auditor register, fines); the National Security Service's National Cybersecurity Incident Response Centre (NBSZ NKI) is the national CSIRT receiving incident reports, with NBSZ competent for state administrative bodies and state-owned enterprises. Yes 2024. evi LXIX. torveny
HU incident_definition Significant incidents must be reported to the National Cybersecurity Incident Response Centre (NKI, run by NBSZ) without undue delay and no later than 24 hours after detection; significance criteria and procedural detail are set by Government Decree 418/2024 (XII. 23.). No 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU national_act Act LXIX of 2024 on Hungary's Cybersecurity (2024. evi LXIX. torveny, 'Kibertv.'), Magyar Kozlony December 2024, plus Government Decree 418/2024 (XII. 23.) on its implementation; replaces Act XXIII of 2023. No 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU penalties Directive-aligned maxima (up to EUR 10,000,000 or 2% of worldwide turnover for essential entities; EUR 7,000,000 or 1.4% for important entities) complemented by specific Hungarian fine bands: failure to contract an accredited auditor HUF 1-15 million; failure to complete the audit up to 2% of prior-year revenue (min HUF 1 million, max HUF 150 million); breach of incident-reporting duty HUF 500,000-5 million. Yes 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU registration_requirement Mandatory registration with the SZTFH: existing in-scope entities by 31 January 2025, otherwise within 30 days of commencing the relevant activity; entities registered under the 2023 act had to file their EU service-provision list by 15 February 2025. An annual supervisory fee is payable under SZTFH decree 2/2025. Yes 2024. evi LXIX. torveny; SZTFH rendelet 2/2025
HU reporting_timeline Early warning within 24 hours of detection, incident notification within 72 hours, final report within 1 month, reported to the NKI (National Cybersecurity Incident Response Centre). No 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU scope_extension Scope extends beyond the directive minimum: public administration at all levels, entities under majority state ownership, organisations providing services to 20,000+ persons in critical sectors, and entities processing data for covered organisations. Financial entities under DORA are carved out. All covered entities must classify each electronic information system into 'basic', 'significant' or 'high' security classes with escalating mandatory controls. Yes 2024. evi LXIX. torveny; Kormanyrendelet 418/2024 (XII. 23.)
HU transposition_date Entry into force 1 January 2025 (Act LXIX of 2024 and implementing Government Decree 418/2024 (XII. 23.)). Yes 2024. evi LXIX. torveny (Act LXIX of 2024)
HU transposition_status Adopted and in force. Act LXIX of 2024 on Hungary's Cybersecurity adopted by Parliament on 20 December 2024, in force 1 January 2025; repealed the partial transposition Act XXIII of 2023 on Cybersecurity Certification and Supervision. Yes 2024. evi LXIX. torveny Magyarorszag kiberbiztonsagarol (Act LXIX of 2024), with Government Decree 418/2024 (XII. 23.)
IE competent_authority Decentralised model (General Scheme Head 17, designations approved by Government December 2023): CRU (energy, drinking water, waste water), ComReg (digital infrastructure, ICT service management, space, digital providers), Central Bank of Ireland (banking, financial market infrastructure), IAA (aviation), CRR (rail), Minister for Transport (maritime), NTA (road), Health agency for health, and the NCSC as CSIRT, single point of contact and competent authority for all remaining sectors. Yes National Cyber Security Bill 2024 (General Scheme)
IE incident_definition General Scheme Head 15(5): an incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage — verbatim directive Art. 23(3). No National Cyber Security Bill 2024 (General Scheme)
IE management_liability General Scheme Head 28 (Governance, transposing Art. 20): management bodies must approve cybersecurity risk-management measures, oversee implementation and follow training. The explanatory note adds that management and executives can be found personally liable on gross negligence after an incident, and can be mandated to publicly disclose non-compliance and the persons responsible. Yes National Cyber Security Bill 2024 (General Scheme)
IE national_act National Cyber Security Bill 2024 — General Scheme (Heads of Bill) published 30 August 2024; transposes Directive (EU) 2022/2555 and puts the NCSC on a statutory footing. Not yet enacted; no Statutory Instrument / Act number exists. No National Cyber Security Bill 2024 (General Scheme)
IE penalties General Scheme (Part 8, adjudicator-imposed financial penalties): maximum the greater of EUR 10 million or 2% of worldwide turnover for essential entities, and the greater of EUR 7 million or 1.4% for important entities (breaches of Heads 15 or 29); enforcement runs through compliance notices, with possible High Court steps and temporary suspension measures. No National Cyber Security Bill 2024 (General Scheme)
IE registration_requirement General Scheme Head 31: digital-category entities (DNS, TLD registries, cloud, data centres, CDNs, managed (security) service providers, online marketplaces, search engines, social networks) submit registry information incl. IP ranges to the NCSC (drafted deadline 17 January 2025, per directive Art. 27); changes notified within 3 months. NCSC states the registration portal will open once the Act commences, with registration expected within 3 months of launch. No National Cyber Security Bill 2024 (General Scheme)
IE reporting_timeline General Scheme Head 15(6): early warning to the CSIRT within 24 hours of awareness; incident notification with initial assessment within 72 hours; intermediate report on CSIRT request; final report within one month of the incident notification (trust service providers: 24 hours). CSIRT responds to the early warning within 24 hours. No National Cyber Security Bill 2024 (General Scheme)
IE scope_extension General Scheme includes state powers beyond the directive: NCSC scanning (Head 6), DNS blocking and sinkholing (Head 7), and sensor employment on networks of essential and important entities (Heads 8-9). Scope expands from ~450 NIS1 operators to an estimated 4,500-6,000 entities. Yes National Cyber Security Bill 2024 (General Scheme)
IE transposition_status Not yet transposed. General Scheme of the National Cyber Security Bill published 30 August 2024; pre-legislative scrutiny resumed 2025 after the November 2024 general election interrupted it (Joint Committee briefing 15 July 2025); Bill drafting at advanced stage but not enacted as of July 2026. NIS1 regime still applies to designated OES. Yes National Cyber Security Bill 2024 (General Scheme, 30 August 2024)
IT audit_requirement No general mandatory third-party audit beyond the directive: essential entities are subject to ex-ante and ex-post supervision by ACN (inspections, security audits, requests for evidence); important entities to ex-post supervision - as in the directive baseline. No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT competent_authority Agenzia per la Cybersicurezza Nazionale (ACN) is the single national NIS2 competent authority and single point of contact; CSIRT Italia (within ACN) is the national CSIRT and incident notification channel. No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT incident_definition Significant incident defined in line with Art. 23(3) NIS2 (severe operational disruption or financial loss; considerable material or non-material damage to others); ACN determinations further specify incident categories/criteria for notification. No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT management_liability Management and administrative bodies must approve cyber risk-management measures, oversee implementation, and follow cybersecurity training; they bear liability for violations, and for essential entities ACN can impose a temporary ban on individuals (CEO/legal representative level) from managerial functions. Yes Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT national_act Decreto Legislativo 4 settembre 2024, n. 138 - "Recepimento della direttiva (UE) 2022/2555" - Gazzetta Ufficiale Serie Generale n. 230 del 01-10-2024, implemented via ACN determinations. No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT penalties Administrative fines up to EUR 10,000,000 or 2% of total worldwide annual turnover (whichever higher) for essential entities; up to EUR 7,000,000 or 1.4% for important entities. Specific reduced caps for registration breaches (up to 0.1% / 0.07% of turnover) and separate (lower, absolute) caps for public administrations; plus suspension powers and management bans. Yes Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT registration_requirement Mandatory annual self-registration on the ACN digital platform between 1 January and 28 February each year (first window exceptionally 1 December 2024 - 28 February 2025; DNS/cloud/data-centre and other digital providers by 17 January). ACN then notifies entities of essential/important classification. Yes Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT reporting_timeline Pre-notification within 24 hours of becoming aware of a significant incident, full notification within 72 hours, final report within one month - mirroring the directive clocks. Incident notification duties applied from 1 January 2026 for entities first designated by ACN (9 months after the April 2025 classification notices). No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT scope_extension Scope extended beyond directive minimum: the decree annexes bring in a broad range of public administrations (including regional/local level) and additional sectors/entity categories beyond Annexes I-II of the directive, with ACN able to identify further entities. Yes Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT transposition_date Entered into force 16 October 2024; published in Gazzetta Ufficiale Serie Generale n. 230 on 1 October 2024. Directive deadline of 17 October 2024 was met. No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
IT transposition_status Adopted. Italy transposed NIS2 by Legislative Decree of 4 September 2024, No. 138, in force since 16 October 2024 (among the earliest EU transpositions). No Decreto Legislativo 4 settembre 2024, n. 138 (GU Serie Generale n. 230 del 01-10-2024)
LT audit_requirement No standing mandatory external audit beyond the directive minimum for most entities; NKSC supervises compliance and cooperates with RRT on cybersecurity audits of trust service providers; subjects must have policies and procedures to assess the effectiveness of cybersecurity requirements. No Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT competent_authority Cybersecurity policy is formed by the Ministry of National Defence (KAM); the National Cyber Security Centre (Nacionalinis kibernetinio saugumo centras, NKSC, under KAM) is the central implementing/supervisory authority and national CSIRT receiving incident notifications; the Lithuanian Police and the State Data Protection Inspectorate implement policy in their respective fields. No Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT incident_definition A cyber incident is significant (didelis) if it caused or is capable of causing serious operational disruption of services or financial loss, or affected or is capable of affecting other natural or legal persons by causing significant material or non-material damage; cases are further specified by European Commission implementing acts. Mirrors Art. 23(3)-(11) NIS2. No Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT management_liability The head of the entity (or authorised person) must ensure and oversee compliance; members of management bodies, the head and the authorised person must complete cybersecurity training at least once every 2 years under the procedure set by the NKSC head; entities retain security officers (saugos įgaliotiniai) under Art. 15. Yes Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT national_act Lietuvos Respublikos kibernetinio saugumo įstatymas Nr. XII-1428 (originally published TAR 2014-12-23, i. k. 2014-20553), restated in full by Law No. XIV-2902 of 11 July 2024 to transpose NIS2. No Kibernetinio saugumo įstatymas Nr. XII-1428; amending law Nr. XIV-2902
LT penalties Fines imposed by the head of the NKSC (30 str.): essential entities up to EUR 10,000,000 or 2% of total worldwide annual turnover (whichever higher); important entities up to EUR 7,000,000 or 1.4%; budgetary institutions that are essential subjects up to 1% of current-year budget capped at EUR 60,000, important ones up to 0.5% capped at EUR 30,000. Yes Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT registration_requirement Entities do not self-register: sectoral identifying institutions and the NKSC identify subjects and register them in the Cybersecurity Information System (Kibernetinio saugumo informacinė sistema); subjects are officially notified of inclusion and must then provide required data to the NKSC and implement requirements within a government-set period of at least 12 months from registration. Yes Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT reporting_timeline Early warning to the NKSC without delay and within 24 hours of becoming aware of a significant incident; incident notification without delay and within 72 hours; interim status report on NKSC request within the set term; final report (galutinė ataskaita) within one month of the incident notification. NKSC forwards trust-service-provider notifications to RRT within 24 hours. No Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT scope_extension Scope follows the directive annex sectors (law's annexes 1-2); entities are identified by sectoral institutions and registered by the NKSC in the Cybersecurity Information System (preliminary NKSC estimate ~2,000 subjects). No significant national extension of entity scope beyond the directive minimum identified. No Kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija)
LT transposition_date New redaction of the Cybersecurity Law applicable from 18 October 2024 (Suvestinė redakcija nuo 2024-10-18), matching the directive's application date. No Kibernetinio saugumo įstatymas Nr. XII-1428, nauja redakcija (Nr. XIV-2902)
LT transposition_status Adopted and in force. NIS2 transposed via a full new redaction of the Cybersecurity Law: Law No. XIV-2902 amending Law No. XII-1428, adopted by Seimas 11 July 2024, consolidated redaction applicable from 18 October 2024 — on time. No Lietuvos Respublikos kibernetinio saugumo įstatymas Nr. XII-1428 (nauja redakcija pagal įstatymą Nr. XIV-2902); TAR 2014-12-23, i. k. 2014-20553
LU competent_authority Institut Luxembourgeois de Régulation (ILR) is the competent supervisory authority for Annex I/II sectors (CSSF by exception for banking and financial market infrastructures). CSIRT functions: CIRCL (Luxembourg House of Cybersecurity) for private essential/important entities and GOVCERT.LU (HCPN) as national/governmental CSIRT. Yes Loi du 5 mai 2026 (Mémorial A n° 225)
LU management_liability The law introduces direct responsibility of management bodies for cybersecurity risk-management measures (approval, supervision and training), per the ILR's summary of the Act of 5 May 2026. No Loi du 5 mai 2026 (Mémorial A n° 225)
LU national_act Loi du 5 mai 2026 concernant des mesures destinées à assurer un niveau élevé de cybersécurité, Journal officiel du Grand-Duché de Luxembourg, Mémorial A n° 225 du 10 mai 2026 (parliamentary bill n° 8364). No Loi du 5 mai 2026 (Mémorial A n° 225)
LU penalties Administrative fines up to EUR 10 million or 2% of worldwide annual turnover (whichever higher) for essential entities and up to EUR 7 million or 1.4% for important entities, in line with directive Art. 34. No Loi du 5 mai 2026 (Mémorial A n° 225)
LU registration_requirement Mandatory self-registration of essential and important entities with the ILR via its guichet.ilr.lu portal within two months of entry into force — deadline 10 July 2026 for entities in scope at commencement. Yes Loi du 5 mai 2026 (Mémorial A n° 225)
LU reporting_timeline Significant incidents must be notified to the ILR via the SERIMA platform on the directive schedule: early warning within 24 hours, incident notification within 72 hours, final report within 1 month. No Loi du 5 mai 2026 (Mémorial A n° 225)
LU transposition_date Entry into force 10 May 2026 (publication date of Mémorial A n° 225). Yes Loi du 5 mai 2026 (Mémorial A n° 225)
LU transposition_status Adopted and in force. Law of 5 May 2026 on measures to ensure a high level of cybersecurity, published in the Journal officiel (Mémorial A n° 225) on 10 May 2026 and in force since 10 May 2026; replaces the NIS1 law of 28 May 2019. Yes Loi du 5 mai 2026 concernant des mesures destinées à assurer un niveau élevé de cybersécurité (Mémorial A n° 225 du 10 mai 2026)
LV audit_requirement Subjects must submit a compliance self-assessment report (pašvērtējuma ziņojums) to the supervisor — first by 1 October 2025, then annually for ICT critical infrastructure/Category A systems and every 3 years for others (43. pants + Cabinet rules); NCSC/SAB may also conduct or order external compliance audits where violations are suspected (44. pants). Yes Nacionālās kiberdrošības likums
LV competent_authority National Cybersecurity Centre (Nacionālais kiberdrošības centrs, within the Ministry of Defence) is the national competent authority and single point of contact (4. pants); the Constitution Protection Bureau (SAB) supervises ICT critical infrastructure (7. pants); CERT.LV and MilCERT are the cyberincident response institutions (9. pants). Yes Nacionālās kiberdrošības likums
LV incident_definition "Nozīmīgs kiberincidents" (significant cyberincident) = a cross-border cyberincident, or a cyberincident affecting continuity of the service or public interests which meets criteria set by the Cabinet of Ministers (art. 1(19)); detailed criteria set in Cabinet Regulation No. 397. Yes Nacionālās kiberdrošības likums
LV management_liability The head of the entity is responsible for cybersecurity governance and must designate a cybersecurity manager (kiberdrošības pārvaldnieks) meeting Cabinet-set qualification requirements within three months of registration, notifying the NCSC within five working days (25. pants); deadline for existing subjects: 1 October 2025. Yes Nacionālās kiberdrošības likums
LV national_act Nacionālās kiberdrošības likums (NKDL), adopted 20.06.2024, in force 01.09.2024, published in Latvijas Vēstnesis; implemented in detail by Cabinet Regulation No. 397 "Minimālās kiberdrošības prasības" (minimum cybersecurity requirements). No Nacionālās kiberdrošības likums; MK noteikumi Nr. 397
LV penalties NCSC may impose fines (soda nauda) for material non-compliance: essential service providers up to EUR 10 million — or, where the provider's last-financial-year total net turnover exceeds EUR 500 million, up to 2% of that turnover; important providers up to EUR 7 million or (above EUR 500M turnover) up to 1.4%; SAB may fine ICT critical infrastructure owners up to EUR 10 million on the same model (46. pants). Yes Nacionālās kiberdrošības likums
LV registration_requirement Entities must self-assess whether they qualify as essential/important service providers and notify the National Cybersecurity Centre within one month of meeting the criteria (22. pants); initial registration deadline for existing providers was 1 April 2025 via NCSC registration form. Yes Nacionālās kiberdrošības likums
LV reporting_timeline Early warning to the competent cyberincident response institution (CERT.LV or MilCERT) without delay, at latest within 24 hours; initial report within 72 hours (trust service providers: 24 hours); recipients of services must be informed without delay; further reporting procedure and criteria per Cabinet regulation (34. pants). No Nacionālās kiberdrošības likums
LV scope_extension Beyond essential (būtisko pakalpojumu) and important (svarīgo pakalpojumu) service providers, the law also covers ICT critical infrastructure owners/legal possessors (supervised by the Constitution Protection Bureau) and state/municipal institutions, and imposes routing of state data flows through the unified state internet exchange point for designated subjects. Yes Nacionālās kiberdrošības likums
LV transposition_date Entry into force 1 September 2024 ("Likums stājas spēkā 2024. gada 1. septembrī"). Transitional deadlines: registration by 1 April 2025; cybersecurity manager and first self-assessment by 1 October 2025. No Nacionālās kiberdrošības likums
LV transposition_status Adopted and in force. Nacionālās kiberdrošības likums (National Cybersecurity Law, NKDL) adopted by Saeima 20 June 2024, in force 1 September 2024 — one of the first EU member states to transpose, ahead of the 17 Oct 2024 deadline. No Nacionālās kiberdrošības likums (adopted 20.06.2024, Latvijas Vēstnesis)
MT competent_authority The Critical Infrastructure Protection (CIP) Department is the national supervisory/competent authority and single point of contact; the national CSIRT (CSIRTMalta) sits within the CIP Department; the Malta Communications Authority is competent for digital infrastructure and postal/courier services. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT national_act Legal Notice 71 of 2025 - Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025, creating Subsidiary Legislation 460.41; Government Gazette of Malta No. 21,418, 8 April 2025. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT penalties Administrative penalties up to EUR 10,000,000 or 2% of total worldwide annual turnover (whichever higher) for essential entities; up to EUR 7,000,000 or 1.4% for important entities - directive baseline. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT registration_requirement Essential and important entities providing services in Malta, and domain name registration service providers, must register via a self-registration mechanism which the CIP Department was required to establish by 30 October 2025, providing the information specified in the Order. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT reporting_timeline Early warning to CSIRTMalta without undue delay and no later than 24 hours of becoming aware of a significant incident; full incident notification within 72 hours; final report not later than 1 month from the full notification - matching the directive baseline. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT scope_extension Scope largely mirrors the directive: essential and important entities across the directive's sectors, with the Malta Communications Authority designated for digital infrastructure and postal/courier services; the Order also defines "internal" and "autonomous" CSIRTs for entities. No significant national sector additions identified. No Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT transposition_date LN 71 of 2025 published 8 April 2025; commencement of provisions was left to ministerial designation, and all provisions commenced on 23 January 2026. Yes Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
MT transposition_status Adopted (late). Malta transposed NIS2 by Legal Notice 71 of 2025 - "Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025" (S.L. 460.41), published in Government Gazette No. 21,418 of 8 April 2025; all provisions were brought into force with commencement on 23 January 2026. Yes Legal Notice 71 of 2025 - S.L. 460.41 (Government Gazette of Malta No. 21,418, 08.04.2025)
NL competent_authority Split model: the NCSC is the national CSIRT and registration point; sectoral supervisors enforce per sector, with the Rijksinspectie Digitale Infrastructuur (RDI) as the generic supervisor for most sectors (scope determination, registration oversight, audits, enforcement). Yes Cyberbeveiligingswet (wetsvoorstel 36764)
NL incident_definition Reporting duty attaches to significant incidents per the directive's Art. 23(3) criteria; sector departments are developing more specific national thresholds ("drempelwaarden") for what counts as significant per sector. No Cyberbeveiligingswet (wetsvoorstel 36764)
NL management_liability Board members (bestuurders) must approve and supervise cybersecurity measures, hold demonstrable knowledge, and complete mandatory certified cybersecurity training within two years of entry into force (i.e. by mid-2028); the Cbw allows supervisors to impose fines or orders subject to periodic penalty payments (last onder dwangsom) on individual board members. Yes Cyberbeveiligingswet (wetsvoorstel 36764)
NL national_act Cyberbeveiligingswet (Cbw), parliamentary dossier 36764, implementing Directive (EU) 2022/2555; adopted by the Tweede Kamer 15 April 2026, pending Eerste Kamer approval; will replace the Wet beveiliging netwerk- en informatiesystemen (Wbni). No Staatsblad citation yet. No Cyberbeveiligingswet (wetsvoorstel 36764)
NL penalties Breaches of the duty of care or reporting duty can draw administrative fines of up to EUR 10 million (or 2% of worldwide turnover) for essential entities, with a lower ceiling for important entities, in line with directive Art. 34; individual board members can also be fined personally. No Cyberbeveiligingswet (wetsvoorstel 36764)
NL registration_requirement Registration duty (registratieplicht) via an online portal run by the NCSC, using eHerkenning login; voluntary pre-registration has been open since 17 October 2024, becoming mandatory when the Cbw enters into force. No Cyberbeveiligingswet (wetsvoorstel 36764)
NL reporting_timeline Early warning to CSIRT and supervisor within 24 hours of awareness; incident notification with initial assessment within 72 hours; interim updates on request; final report within 1 month. No Cyberbeveiligingswet (wetsvoorstel 36764)
NL scope_extension The Cbw covers essential and important entities across the directive's Annex I/II sectors and extends the public-administration category: central government, provinces, municipalities (gemeenten) and water boards (waterschappen) are designated as essential entities — broader than the directive's central-government minimum. Yes Cyberbeveiligingswet (wetsvoorstel 36764)
NL transposition_status Not yet in force. The Cyberbeveiligingswet (Cbw, wetsvoorstel 36764) was adopted by the Tweede Kamer on 15 April 2026 and is pending before the Eerste Kamer (plenary vote scheduled 7 July 2026); targeted entry into force is 1 July 2026 but Staatsblad publication had not occurred as of early July 2026. Yes Cyberbeveiligingswet (wetsvoorstel 36764)
PL audit_requirement Mandatory periodic security audit for key entities; first audit due within 24 months of entry into force, i.e. by 3 April 2028 (continuing the biennial audit tradition of the 2018 KSC Act). ISMS/chapter-3 obligations due by 3 April 2027. Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL competent_authority Sectoral competent authorities (organy wlasciwe ds. cyberbezpieczenstwa, e.g. Minister of Digital Affairs, KNF, energy regulator) supervise; national CSIRTs are CSIRT NASK, CSIRT GOV and CSIRT MON; Government Plenipotentiary for Cybersecurity coordinates. No Ustawa z dnia 5 lipca 2018 r. o krajowym systemie cyberbezpieczenstwa, as amended by Dz.U. 2026 poz. 252
PL management_liability Head of entity (kierownik podmiotu) bears personal responsibility for cybersecurity obligations; monetary penalty on the manager of up to 300% of remuneration (public-sector managers up to 100%); management approval and training duties transposed. Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL national_act Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts (Dz.U. 2026 poz. 252); amends the Act of 5 July 2018 on the National Cybersecurity System (consolidated text Dz.U. 2026 poz. 20). No Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL penalties Administrative fines up to EUR 10,000,000 or 2% of worldwide annual turnover for key entities and up to EUR 7,000,000 or 1.4% for important entities; aggravated violations causing a direct serious cyber threat can attract fines up to PLN 100,000,000. Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL registration_requirement Self-identification duty: existing key and important entities must complete self-assessment and submit registration to the national cybersecurity system within 6 months of entry into force, i.e. by 3 October 2026. Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL reporting_timeline Serious incident (incydent powazny): early warning within 24 hours of detection, incident notification within 72 hours, final report within 1 month, to the competent CSIRT (CSIRT NASK / CSIRT GOV / CSIRT MON per entity type). No Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL scope_extension Entity catalogue expanded from a few hundred operators under the 2018 KSC Act to tens of thousands of key (kluczowe) and important (wazne) entities across NIS2 Annex I/II sectors (incl. ICT service management, electronic communications, space, postal, manufacturing, chemicals, food, waste/wastewater, public administration). Official guidance does not document sector additions beyond the directive minimum. No Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL transposition_date Entry into force 3 April 2026 (act signed 19 February 2026, published in Dziennik Ustaw as poz. 252). Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PL transposition_status Adopted and in force. Amendment to the National Cybersecurity System Act signed 19 February 2026, in force 3 April 2026. Poland missed the 17 October 2024 deadline (Commission reasoned opinion 7 May 2025). Yes Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczenstwa oraz niektorych innych ustaw (Dz.U. 2026 poz. 252)
PT audit_requirement Essential entities: full ex-ante/ex-post supervision (on-site inspections, remote audits, security checks, information requests); important and relevant public entities: ex-post supervision. Beyond the baseline, entities must appoint a cybersecurity officer (responsável de segurança) - by 4 May 2026 - who ensures preparation of an annual (cyber)security report. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT competent_authority Centro Nacional de Cibersegurança (CNCS) is the national cybersecurity authority and single point of contact, coordinating with sectoral authorities; CERT.PT (within CNCS) acts as national CSIRT. Notifications run through the CNCS MyCiber platform. No Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT incident_definition Significant incident: one that causes or may cause serious operational disruption of services or financial loss to the entity, or affects/is likely to affect other natural or legal persons causing considerable material or immaterial damage - mirroring Art. 23(3) NIS2. No Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT management_liability Management/administration bodies must approve cybersecurity risk-management measures, supervise their implementation and ensure regular cybersecurity training; members may be held personally liable for acts or omissions with intent or gross negligence, and these duties are generally non-delegable (except to another board member). Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT national_act Decreto-Lei n.º 125/2025, de 4 de dezembro - Regime Jurídico da Cibersegurança (transposition of Directive (EU) 2022/2555) - Diário da República n.º 4 dez. 2025, 1.ª série; implemented by CNCS Regulamento n.º 756/2026 of 22 June 2026. No Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT penalties Fines up to EUR 10,000,000 or 2% of annual worldwide turnover (whichever is higher), plus ancillary sanctions and compulsory pecuniary penalties (sanções pecuniárias compulsórias); important-entity caps follow the directive tiering. No Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT registration_requirement Mandatory self-identification/registration on the CNCS electronic platform (MyCiber): within 30 days of starting activity for new entities, or within 60 days of the platform becoming available for existing entities; entities must keep the information up to date. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT reporting_timeline Initial notification without undue delay and within 24 hours of concluding that a significant incident exists or may occur; notification within 24 hours after the significant impact ends; final report within 30 working days of the end-of-impact notification - via the CNCS MyCiber platform. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT scope_extension Scope extends beyond the directive minimum: "relevant public entities" are covered in two groups (A: 250+ employees; B: 50-249), pulling in a significant part of the Public Administration, and higher education institutions are included. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT transposition_date Published 4 December 2025; entered into force 3 April 2026 (120 days after publication), with some obligations phased in up to 24 months after supplementary CNCS regulations. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
PT transposition_status Adopted (late). Decreto-Lei n.º 125/2025 of 4 December 2025 approves the new Regime Jurídico da Cibersegurança and transposes NIS2; published in Diário da República 4 December 2025, in force from 3 April 2026 after a 120-day vacatio legis. Portugal missed the 17 October 2024 directive deadline. Yes Decreto-Lei n.º 125/2025, de 4 de dezembro (Diário da República, 1.ª série, 04-12-2025)
RO audit_requirement Entities must conduct security audits at regular intervals and communicate the results to the DNSC; DNSC supervises via document-based and on-site inspections, and essential entities must submit a remediation plan within 30 days after adverse maturity assessments. Yes OUG nr. 155/2024
RO competent_authority The National Cyber Security Directorate (Directoratul National de Securitate Cibernetica, DNSC - successor of CERT-RO) is the competent authority, national CSIRT and single point of contact, handling registration, incident reports and supervision. No OUG nr. 155/2024
RO incident_definition Essential and important entities must report significant security incidents to the DNSC; significance criteria and procedures are set by OUG 155/2024 and DNSC implementing orders (published from August 2025). No OUG nr. 155/2024
RO management_liability Management bears personal accountability: the management body must designate a person responsible for cybersecurity within 30 days of DNSC qualification; that person must be independent from the operational head of IT; management must complete accredited cybersecurity training. Yes OUG nr. 155/2024
RO national_act Government Emergency Ordinance no. 155/2024 establishing a framework for the cybersecurity of networks and information systems in the national civil cyberspace (OUG nr. 155 din 30 decembrie 2024, published in Monitorul Oficial Partea I nr. 1332 of 31 December 2024); replaces Law no. 362/2018 (NIS1). No OUG nr. 155/2024 (M.Of. Partea I nr. 1332/31.12.2024)
RO penalties Maximum fines up to EUR 10,000,000 or 2% of total worldwide annual turnover (essential entities) and EUR 7,000,000 or 1.4% (important entities); statutory minimum fines of RON 10,000 (~EUR 2,000) for essential and RON 5,000 (~EUR 1,000) for important entities; repeat offences allow a 50% increase over the applicable fine cap. Yes OUG nr. 155/2024
RO registration_requirement Mandatory registration with the DNSC: implementing legislation published 11 August 2025, registration process opened 20 August 2025, final deadline 22 September 2025 (approx. 30 days). The ordinance's original 30-day registration window from entry into force (to 30 January 2025) was superseded pending DNSC procedures. Yes OUG nr. 155/2024 and DNSC implementing orders (August 2025)
RO reporting_timeline Early warning within 24 hours, follow-up notification within 72 hours, final incident report within 1 month, submitted to the DNSC. No OUG nr. 155/2024
RO scope_extension Additional entity categories beyond the NIS2 annexes: offshore wind turbine operators, aircraft maintenance operators and civil aviation agents as defined by Romanian legislation. Yes OUG nr. 155/2024
RO transposition_date Adopted as OUG no. 155 of 30 December 2024, published in Monitorul Oficial Partea I nr. 1332 of 31 December 2024. Main body entered into force on publication (31 December 2024; OUGs take effect on publication per Constitution Art. 115(5)); Arts. 60-61 are deferred, entering into force 30 days after publication (~30 January 2025). Yes OUG nr. 155/2024 (M.Of. Partea I nr. 1332/31.12.2024)
RO transposition_status Adopted and in force ('Transposed' per European Commission). Government Emergency Ordinance no. 155/2024 adopted 30 December 2024; implementing DNSC orders (registration, security measures) followed in August 2025. Yes Ordonanta de urgenta a Guvernului nr. 155/2024 privind cadrul de securitate cibernetica a retelelor si sistemelor informatice din spatiul cibernetic civil national (Monitorul Oficial, Partea I, nr. 1332 din 31 decembrie 2024)
SE audit_requirement No standing mandatory audit beyond the directive minimum; supervisory authorities may conduct/order security audits and inspections as supervision measures (3 kap.). No Cybersäkerhetslag (2025:1506)
SE competent_authority Sectoral model: one or more supervisory authorities (tillsynsmyndigheter) per sector, designated in Cybersäkerhetsförordningen (2025:1507); the National Cybersecurity Centre (NCSC, within the civil defence authority) holds national coordination responsibility toward supervisory authorities and operators. Yes Cybersäkerhetslag (2025:1506); Cybersäkerhetsförordning (2025:1507)
SE incident_definition A significant incident (betydande incident) is one that causes or is capable of causing serious operational disruption or material economic loss, or affects other persons by causing considerable material or non-material damage (2 kap. 5 § andra stycket). Mirrors Art. 23(3) NIS2. No Cybersäkerhetslag (2025:1506)
SE management_liability Management must undergo cybersecurity training (2 kap. 4 §). For serious unremedied violations by essential entities, an administrative court may prohibit an executive from holding a management function (förbud att inneha ledningsfunktion) for 1-3 years (4 kap. 6-8 §§). Yes Cybersäkerhetslag (2025:1506)
SE national_act Cybersäkerhetslag (2025:1506), Svensk författningssamling, complemented by Cybersäkerhetsförordning (2025:1507) which designates the sector supervisory authorities. No Cybersäkerhetslag (2025:1506); Cybersäkerhetsförordning (2025:1507)
SE penalties Administrative sanction fees (sanktionsavgift): essential private entities up to EUR 10M or 2% of global annual turnover (whichever is higher); important private entities up to EUR 7M or 1.4%; public entities capped at SEK 10 million (4 kap. 10 §). Yes Cybersäkerhetslag (2025:1506)
SE registration_requirement Entities must self-identify and register (anmäla sig) with the designated authority "as soon as practicable" after being covered; changes to registered information must be notified within 14 days (2 kap. 2 §). No fixed calendar deadline in the act itself. Yes Cybersäkerhetslag (2025:1506)
SE reporting_timeline Early warning as soon as possible, at latest 24h; incident report within 72h (trust service providers 24h); final report within 1 month or status report if the incident is ongoing (2 kap. 5-8 §§). Reports go to the authority designated by the government. No Cybersäkerhetslag (2025:1506)
SE scope_extension Scope follows the directive annexes (18 sectors with subsectors) as implemented in 1 kap. 4-7 §§; security-sensitive state activities and law enforcement excluded (1 kap. 12 §). No significant national extension of entity scope beyond the directive minimum identified in the act. No Cybersäkerhetslag (2025:1506)
SE transposition_date Cybersäkerhetslagen (2025:1506) entered into force 15 January 2026; accompanied by Cybersäkerhetsförordningen (2025:1507). Repeals lagen (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster. Yes Cybersäkerhetslag (2025:1506)
SE transposition_status Adopted and in force. Riksdag adopted the new Cybersecurity Act 10 December 2025 (prop. 2025/26:28); in force 15 January 2026 — roughly 15 months after the directive deadline. Yes Cybersäkerhetslag (2025:1506)
SI audit_requirement Beyond the directive: essential (bistveni) entities must undergo compliance audits every two years (or after a significant incident) by certified information systems auditors; important (pomembni) entities must perform documented self-assessments every two years (or after a significant incident) with compliance statements. Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI competent_authority Urad Vlade RS za informacijsko varnost (URSIV - Government Office for Information Security) is the national competent authority and single point of contact; CSIRT groups (incl. SI-CERT as national CSIRT) are designated by government decision. No Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI management_liability Responsible persons/management must approve risk-management measures, oversee implementation and documentation, and ensure regular (quarterly) cybersecurity training and staff competency development; a dedicated government decree regulates training of responsible persons (Uredba o usposabljanju odgovornih oseb). Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI national_act Zakon o informacijski varnosti (ZInfV-1) - Uradni list RS, št. 40/2025, objava 1571, 4 June 2025. No Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI registration_requirement Self-registration with the competent authority (URSIV) within 30 days of meeting the threshold criteria or receiving a designation order, submitting entity data (sector, size, revenue, security contacts, IP ranges, AS numbers, domains); first self-registration cycle deadline reported as 19 December 2025. Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI reporting_timeline Early notification of significant incidents no later than 24 hours after identification (further notification stages in Arts. 29-30 ZInfV-1); reporting obligations phase in with the general compliance deadlines (risk-management measures within 18 months of entry into force; 1 year for essential-service providers). No Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI scope_extension Scope extends beyond the directive minimum: state administration bodies (with exclusions for courts, Constitutional Court, parliament), municipalities and city municipalities, critical-infrastructure-designated entities, entities in protection/rescue plans ("state purpose services"), and entities of special state/local significance designated by government decree. Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI transposition_date Published in Uradni list RS 40/2025 on 4 June 2025; entered into force 19 June 2025 (15 days after publication). Phase-in: essential/important entities must implement risk-management measures within 18 months of entry into force (essential-service providers within 1 year). Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SI transposition_status Adopted (late). Slovenia transposed NIS2 by the new Information Security Act ZInfV-1, adopted by the National Assembly on 23 May 2025, published in Uradni list RS No. 40/2025 (item 1571) on 4 June 2025, in force 19 June 2025 - about 8 months after the directive deadline. Yes Zakon o informacijski varnosti (ZInfV-1), Uradni list RS, št. 40/2025 (obj. 1571)
SK audit_requirement Mandatory cybersecurity audit by a certified cybersecurity auditor: first audit within 2 years of entry in the PZS register, then at intervals set by decree. A PZS not providing a critical service may substitute self-assessment (performed by its cybersecurity manager) but must still undergo a certified audit within 5 years. Yes Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK competent_authority Narodny bezpecnostny urad (NBU, National Security Authority) is the central competent authority and maintains the PZS register; the national CSIRT unit (SK-CERT, operated by NBU) handles incident response, with sectoral CSIRT units for their constituencies. No Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK incident_definition Reporting trigger is a 'zavazny kyberneticky bezpecnostny incident' (serious cybersecurity incident) reported via the unified cybersecurity information system. Beyond incidents, PZS must also report: significant cyber threats they learn of, near-miss events that could have caused a serious incident, and vulnerabilities exploitable for a serious incident that the PZS cannot effectively remediate. Other events may be reported voluntarily. Yes Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK management_liability Members of the governing body (predstavenstvo/konatelia) must approve cybersecurity risk-management measures and oversee their implementation; personal liability applies for gross negligence or intentional breach; NBU may impose a ban on exercising a managerial function on statutory bodies or other responsible persons for at least 6 months. No Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK national_act Act No. 366/2024 Z. z. amending Act No. 69/2018 Z. z. on Cybersecurity - amendment of the existing cybersecurity statute rather than a new law. No Zakon c. 366/2024 Z. z. (novela zakona c. 69/2018 Z. z. o kybernetickej bezpecnosti)
SK penalties Administrative fines up to EUR 10,000,000 or 2% of worldwide net annual turnover (whichever is higher) for the most serious breaches; statutory fine floor of EUR 500. Important-entity-level breaches capped at EUR 7,000,000 or 1.4% of turnover. No Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK registration_requirement Self-registration: application for entry in the PZS register within 60 days of starting the regulated activity (Annexes 1 and 2 of the act); the act applies to a newly registered PZS 30 days after registration; security measures must be implemented within 12 months of registration. Register kept by NBU. Yes Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK reporting_timeline Serious incident: early warning (vcasne varovanie) within 24 hours of detection, incident notification within 72 hours, final report (zaverecna sprava) within 1 month, all via the unified cybersecurity information system to NBU. No Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK scope_extension Single 'operator of essential service' (prevadzkovatel zakladnej sluzby, PZS) category applied across NIS2 Annex I/II sectors (~3,500 entities expected). Supply-chain extension: a third-party supplier with significant influence on cybersecurity contracting with an operator of a critical essential service acquires PZS status itself - it is entered in the PZS register, must implement statutory security measures and is supervised by NBU. Yes Zakon c. 69/2018 Z. z. as amended by zakon c. 366/2024 Z. z.
SK transposition_date Entry into force 1 January 2025. Yes Zakon c. 366/2024 Z. z.
SK transposition_status Adopted and in force. Amendment Act No. 366/2024 Z. z. approved by the National Council on 28 November 2024, published 19 December 2024, effective 1 January 2025. Yes Zakon c. 366/2024 Z. z., ktorym sa meni a doplna zakon c. 69/2018 Z. z. o kybernetickej bezpecnosti (Zbierka zakonov 19.12.2024)
§ Frequently asked

Questions about Article 15

Who must comply with Article 15 of the NIS2 Directive? +
CSIRTs network.
What does Article 15 of the NIS2 Directive require? +
exchange facilitate ensure
What is the compliance deadline for NIS2 Directive Article 15? +
17 January 2025, and every two years thereafter
Need a cross-border briefing on NIS2 Directive Article 15?
Search Fontvera ↵
All EU obligation pages  ·  All NIS2 Directive articles