
NIS 2 National Transposition: How Member States Implement the Directive

NIS 2 is an EU directive, meaning it sets minimum requirements that each member state must transpose into national law. Unlike an EU regulation (such as GDPR), which applies directly, a directive gives member states flexibility in how they implement the requirements. This creates variations across the EU that organizations must navigate, particularly those operating in multiple countries.

Key Takeaways

| Point | Summary |
|---|---|
| Transposition deadline | October 17, 2024 |
| Member state flexibility | States can adopt stricter requirements than the directive minimum |
| Scope variations | Some states may include additional entities or sectors |
| Authority structure | Each state designates its own competent authority and CSIRT |
| Registration requirements | Entities must register with their national authority |

Quick Answer: Each EU member state transposes NIS 2 into national law, potentially adding stricter requirements or broader scope. Organizations must identify their national authority, understand local implementation details, and register where required. Multi-country organizations must comply with each relevant national transposition.

How Transposition Works

The Process

  1. The EU adopts the NIS 2 Directive (January 16, 2023)
  2. Member states transpose the directive into national legislation (deadline: October 17, 2024)
  3. National laws take effect, incorporating NIS 2 requirements with potential local additions
  4. National authorities begin supervision and enforcement

What States Must Include

Every national transposition must, at minimum:

  • Implement all cybersecurity risk-management measures from Article 21
  • Establish the multi-stage incident reporting framework
  • Define competent authorities and CSIRTs
  • Create a supervision and enforcement framework
  • Implement the penalty structure (at least the directive's minimums)
  • Establish entity registration requirements

Where States Have Flexibility

Member states can go beyond the directive's minimum requirements:

| Area | Flexibility |
|---|---|
| Scope | Include additional sectors or lower size thresholds |
| Requirements | Add security measures beyond Article 21 |
| Penalties | Set higher maximum fines than the directive floor |
| Supervision | Implement more proactive supervision for important entities |
| Registration | Add registration requirements or information obligations |
| Sector-specific | Create sector-specific guidance or requirements |

Key Variations Across Member States

Authority Structure

Each member state designates:

| Authority | Role |
|---|---|
| Competent authority | Responsible for supervision and enforcement (may be sector-specific) |
| Single point of contact | National coordination point for cross-border NIS 2 matters |
| CSIRT | Computer Security Incident Response Team for incident handling |

Some states designate a single national authority, while others may have multiple sector-specific authorities (e.g., one for energy, another for healthcare).

Registration Requirements

NIS 2 requires entities to register with their national authority. The registration typically includes:

  • Entity name and address
  • Sector and sub-sector classification
  • Contact information for the entity
  • IP ranges and domain names
  • List of EU member states where the entity provides services

Multi-country entities generally register in the member state where they have their main establishment or, for specific entity types (DNS providers, cloud services, etc.), where their representative is located.

Multi-Country Compliance

Organizations operating across multiple EU member states face additional complexity:

Jurisdiction Rules

| Entity Type | Jurisdiction |
|---|---|
| General entities | Member state where the entity is established |
| DNS, TLD, cloud, data centers, CDNs | Member state of main establishment in the EU |
| Non-EU entities | Member state where their representative is located |
| Entities in multiple states | May be subject to supervision in each state where they operate |

Practical Considerations

  • Monitor transposition progress in all relevant member states
  • Identify the competent authority in each jurisdiction
  • Establish reporting channels with each national CSIRT
  • Ensure compliance with the most stringent national requirements
  • Coordinate internal processes across jurisdictions

The Role of ENISA and Cooperation Group

While transposition is national, EU-level coordination ensures consistency:

| Body | Role |
|---|---|
| ENISA | EU Agency for Cybersecurity; provides guidance, peer reviews, and the vulnerability database |
| Cooperation Group | Strategic coordination between member states on NIS 2 implementation |
| CSIRTs Network | Operational cooperation between national CSIRTs for cross-border incidents |
| EU-CyCLONe | EU Cyber Crisis Liaison Organisation Network for large-scale cross-border crisis management |

What Organizations Should Do

Before Transposition

  • Monitor the transposition status in your member state(s)
  • Begin implementing Article 21 requirements (these will not change)
  • Identify your likely competent authority and CSIRT
  • Start the internal readiness process based on the directive text

During Transposition

  • Review national legislation as it is published
  • Identify any requirements beyond the directive minimum
  • Engage with industry associations that may provide guidance
  • Update internal compliance plans to reflect national specifics

After Transposition

  • Register with national authorities as required
  • Ensure full compliance with national law (not just the directive)
  • Establish ongoing communication with competent authorities
  • Monitor any sector-specific implementing acts or guidance

Common Questions

What if our member state has not transposed NIS 2 by the deadline?

Late transposition has occurred with previous EU directives and may occur with NIS 2. While the directive is not directly enforceable against private entities before transposition (unlike a regulation), organizations should still prepare for compliance. Late transposition does not eliminate the obligation; it only delays the enforcement mechanism. When national law is eventually enacted, compliance may be expected immediately or with a short grace period.

Do we need to comply with other countries' transpositions?

If you provide services in multiple EU member states, you may be subject to supervision in each state where you operate. While NIS 2 establishes a primary jurisdiction rule, cooperation mechanisms ensure that authorities can request information and take action across borders. Compliance with the most stringent national transposition is the safest approach.

How do we find out about our national transposition?

Check your national government's official legislative databases, cybersecurity authority websites, and ENISA's tracking of NIS 2 transposition across member states. Industry associations in your sector often provide practical guidance on national implementation. Bastion can also help identify and interpret the requirements specific to your jurisdiction.