What changed
Directive (EU) 2022/2555 (NIS2) required Member States to transpose its rules into national law by 17 October 2024. NIS2 broadens cybersecurity obligations to more 'essential' and 'important' entities and strengthens incident reporting, supply-chain security and management accountability. Transposition remains uneven across Member States, so the obligations that actually apply depend on the relevant national law.
Why it matters
For entities in scope, NIS2 is not one EU deadline but a per-country patchwork: what applies to you today is set by each national transposition, not by the directive alone.
Who is affected
Essential and important entities across energy, transport, health, digital infrastructure, ICT service management, public administration and other covered sectors — and the key suppliers in their supply chains.
What to check next
Identify the national transposition law in each Member State where you operate and map your entity classification (essential vs important) under that law. Where transposition is still pending, track the national bill and prepare against the directive text rather than waiting.
Key dates
- 2024-10-17Transposition deadline for Member States
Source. EUR-Lex — Directive (EU) 2022/2555 (NIS2) ↗
Document: Directive (EU) 2022/2555 — CELEX 32022L2555
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Document: Directive (EU) 2022/2555 — CELEX 32022L2555
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.