Deadline

NIS2 Directive: national transposition was due by 17 October 2024

Deadline17 Oct 2024✓ verified 4 Jul 2026

What changed

Directive (EU) 2022/2555 (NIS2) required Member States to transpose its rules into national law by 17 October 2024. NIS2 broadens cybersecurity obligations to more 'essential' and 'important' entities and strengthens incident reporting, supply-chain security and management accountability. Transposition remains uneven across Member States, so the obligations that actually apply depend on the relevant national law.

Why it matters

For entities in scope, NIS2 is not one EU deadline but a per-country patchwork: what applies to you today is set by each national transposition, not by the directive alone.

Who is affected

Essential and important entities across energy, transport, health, digital infrastructure, ICT service management, public administration and other covered sectors — and the key suppliers in their supply chains.

What to check next

Identify the national transposition law in each Member State where you operate and map your entity classification (essential vs important) under that law. Where transposition is still pending, track the national bill and prepare against the directive text rather than waiting.

Key dates

  • 2024-10-17Transposition deadline for Member States
Source. EUR-Lex — Directive (EU) 2022/2555 (NIS2) ↗
Document: Directive (EU) 2022/2555 — CELEX 32022L2555
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.
Relates to NIS2
← All updates