
NIS2: Transposition Status Across Member States

Updated: 2026-05-03

The NIS2 directive (Network and Information Security 2, EU Directive 2022/2555) entered into force on October 17, 2024. Member states reached that date at very different stages of transposition. This article covers the status in the main countries, the concrete obligations the directive introduces, and how companies should prepare without panicking.

Key takeaways

  • NIS2 expands NIS1’s scope to more sectors and companies, including mid-size firms with more than 50 employees in important sectors.
  • The most demanding obligations are 24/72-hour incident reporting and personal executive liability.
  • The supply chain is the most complex compliance point: NIS2 makes you responsible for your suppliers with system access.
  • A framework like ISO 27001 + NIST CSF covers most technical requirements, but NIS2 goes beyond the annual checkbox.
  • First significant penalties are expected from 2025–2026.

What NIS2 is

NIS2 is the major update of NIS1 (2016):

  • Scope expansion: more sectors, more obligated companies.
  • Categories: Essential Entities (EE) + Important Entities (IE).
  • Obligations: risk management, 24 h/72 h/30-day incident reporting, supply-chain security.
  • Penalties: up to €10 M or 2 % of turnover (EE), €7 M or 1.4 % (IE).
  • Improved cross-border cooperation between member states.

Obligated sectors: energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, space, waste, manufacturing, food, digital providers, research and chemicals.

Who is obligated

The simplified rule:

  • Essential Entity (EE): critical sectors and companies with more than 250 employees or more than €50 M turnover.
  • Important Entity (IE): important sectors and mid-size firms (50–250 employees).
  • Exemption: micro-enterprises (<10 employees, <€2 M) generally excluded.

If your company operates in one of the listed sectors and exceeds the size thresholds, NIS2 applies. The frequent grey area in consulting is mid-size firms in “important” sectors (manufacturing, food, digital management): they are in scope.

Key obligations

Risk management

Technical and organisational measures explicitly required by NIS2:

  • Documented security policies.
  • Incident management with active procedures.
  • Business continuity, backup and crisis management.
  • Supply-chain security: evaluate suppliers with system access.
  • Network segmentation and encryption.
  • Access control, MFA and least privilege.
  • Vulnerability disclosure.
  • Cyber hygiene practices (updates, patches).

Incident reporting

Timelines are strict:

  • 24 hours: brief early warning to the competent authority.
  • 72 hours: initial notification with impact assessment.
  • 30 days: detailed final report.

This timeline is significantly more demanding than NIS1. The operational implication is direct: without a mature incident response process, compliance is impossible. See blameless incident response as a foundation.

Management responsibility

Executives are personally liable:

  • Obligation to undergo cybersecurity training.
  • Approve security measures.
  • Legal liability for non-compliance, including possible disqualification.

This makes cybersecurity a board-level topic, not just an IT concern.

Status by country

Spain

  • NIS2 draft bill approved in May 2024.
  • Parliamentary process in progress.
  • INCIBE and CCN-CERT as competent authorities.
  • Late transposition relative to the October 2024 deadline.

Germany

  • NIS2UmsuCG approved by cabinet in July 2024.
  • BSI (Bundesamt für Sicherheit in der Informationstechnik) as authority.
  • Specific requirements stricter than the directive minimum.

France

  • Transposition in progress via Projet de Loi.
  • ANSSI as competent authority.

Netherlands

  • Cyberbeveiligingswet in progress.
  • NCSC-NL as authority.

Italy, Ireland, Poland

Transpositions in progress at varying stages.

If your state has not transposed

The directive does not apply directly to companies, only to states. If your state had not transposed it by October 17, 2024:

  • The European Commission can start an infringement procedure.
  • Transposition will come sooner or later, sometimes with requirements stricter than the minimum.
  • Preparing before transposition is cheaper than doing so under the time pressure of a fixed deadline.

How to prepare: a pragmatic roadmap

Phase 1: Assessment

  • Determine whether NIS2 applies to your organisation (sector + size).
  • Current-state audit against requirements.
  • Identify gaps.
  • Executive buy-in: present to the board.

Phase 2: Remediation

  • Implement missing technical controls.
  • Establish incident response procedures matching NIS2 timelines.
  • Supply-chain audit: evaluate critical suppliers.
  • Personnel training, including executives.
  • Document everything.

Phase 3: Continuous operation

  • Incident response exercises (quarterly tabletop exercises).
  • Periodic audits.
  • Reporting to authorities when applicable.

Compliance framework

ISO 27001 is a solid base but not sufficient on its own:

  • ISO 27001 + 27005: complete ISMS.
  • NIST CSF: pragmatic framework aligned with NIS2.
  • CIS Controls: control prioritisation.
  • ENISA guides: European perspective, more NIS2-specific.

There is no “NIS2 checkbox”. It is continuous operational compliance.

The supply chain: the most complex point

NIS2 makes you responsible for your suppliers:

  • Evaluate all suppliers with access to your systems.
  • Include security clauses in contracts.
  • Monitor continuously.
  • You remain responsible for incidents caused by a supplier.

For companies with hundreds of suppliers, this is a months-long project. NIS2 also overlaps with DORA in the financial sector and the AI Act for AI systems.

Conclusion

NIS2 is not an annual checkbox: it is operational compliance that requires real changes to how cyber risk is managed. Companies waiting for the national transposition to be published with an imminent deadline will face concentrated costs, friction and urgency. Starting with assessment and gap remediation now is the prudent strategy. The investment is real, but the cost of non-compliance — financial penalty, personal executive liability, reputational damage — is greater.


Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.