NIS2 Deadline by Country: When It Actually Applies to You (2026 Tracker)

There is no single EU NIS2 deadline — there are 27 national ones. Here's when NIS2 actually applies by country in 2026, who's in scope, and what to do now.

TL;DR

• There is no single EU-wide NIS2 deadline; each of the 27 member states enforces it from its own national date.
• The EU-level transposition deadline was 17 October 2024, which most states missed.
• As of June 2026, NIS2 is already in force in Germany, Italy, Croatia, and the Czech Republic, among others.
• It is imminent in the Netherlands (~1 July 2026) and scheduled in Austria (1 October 2026).
• If you operate in one of the 18 covered sectors and have 50+ employees, stop waiting for "the deadline" — your country date has probably passed or is months away.

Is there one NIS2 deadline for the whole EU?

No. This is the single most misunderstood thing about NIS2, and getting it wrong is how you end up planning for the wrong date.

NIS2 is Directive (EU) 2022/2555. A directive sets a goal that every member state must reach, but each state writes its own national law to get there and enforces from its own date. (A regulation, like GDPR or DORA, applies directly and identically across the EU — NIS2 is not one of those.) The EU set one shared deadline: member states had to transpose NIS2 into national law by 17 October 2024. After that, enforcement runs on national clocks.

So when you read "NIS2 becomes enforceable on 1 October 2026," that's wrong as a pan-EU statement. 1 October 2026 is Austria's date. Germany's has already passed. The Netherlands lands mid-2026. There are 27 answers, not one.

When does NIS2 apply, by country?

Here are the dates that are confirmed, verified against national sources in June 2026. "In force" means the obligations are live and enforceable now.

For Germany specifically, note the detail that catches people out: the law took effect on 6 December 2025 with no transition period, so obligations applied on day one. The 6 March 2026 date some sources cite is the BSI registration deadline, not the date the law started.

What about the other member states?

The rest of the EU is a mix of "already done" and "still finishing," and it moves week to week, so this page won't pretend to have a precise day for all 27. Here's the honest shape of it:

• Already transposed (in force): alongside Croatia, Italy, Germany, and the Czech Republic, a number of states transposed on time or during 2025, including Belgium, Hungary, Latvia, Lithuania, Romania, Slovakia, Greece, and Ireland.
• Finalizing or late (under EU pressure): several large markets were still completing their national law into 2026. On 7 May 2025 the European Commission issued reasoned opinions to 19 member states for failing to fully transpose NIS2, a formal step in an infringement procedure. Roughly half the 27 had transposed by mid-2026.

Because this is genuinely a moving target, verify your own country against the official source before you rely on a date: the European Commission's NIS2 transposition page (digital-strategy.ec.europa.eu) and your national cybersecurity authority publish the current status. This tracker is a snapshot; their pages are the live record.

Why are the dates so staggered?

Because that's how directives work, and because national legislatures move at different speeds. Every member state had the same 17 October 2024 deadline to transpose NIS2, but transposition means passing a real national law through a real parliament, and that ran into elections, government changes, and competing legislative priorities. Germany's law, for instance, was delayed repeatedly through 2024 and 2025 before passing the Bundestag on 13 November 2025 and taking effect on 6 December.

The result is a patchwork: a company operating in Germany, the Netherlands, and Austria faces the same directive but three different start dates and three national supervisory authorities (the BSI in Germany, and the respective authorities in each state). If you're multi-country, you plan to the earliest date that touches you, not the latest.

Does NIS2 apply to my company?

NIS2 generally applies if you meet two tests: you operate in a covered sector, and you're at least medium-sized. Here's the size threshold, which is where most mid-market companies discover they're in scope.

NIS2 covers 18 sectors in total, split into "high-criticality" and "other critical" buckets. The headline for a 100–500-employee company: if you're in one of those sectors and you clear the 50-employee or €10-million threshold, you're probably an "important entity," and the access-control obligations apply to you. Member states can also pull additional entities into scope, so the national law is the final word.

What does NIS2 actually require you to do?

NIS2's Article 21 lists ten cybersecurity risk-management measures, and several of them are squarely about access. In access-control terms, that means strict identity and access management, multi-factor authentication, the principle of least privilege, and — critically — removing access promptly when someone leaves, with logs that prove you did it. The recurring audit failure in this space isn't missing controls; it's missing evidence that the controls ran.

That's why offboarding speed matters under NIS2: a leaver whose accounts stay live is both a security gap and an evidence gap. The practical reading of Article 21 for access — including the "disable access fast, and prove it" obligation — is covered in depth on the NIS2 Article 21 guide and the NIS2 offboarding requirements page. This tracker is about when; those pages are about what.

What should you do now, whatever your country's date?

Build the controls now, because they're the same regardless of which national date applies to you. A practical order:

1. Confirm your status and date. Check the EU tracker and your national authority. If your country is in force, find your registration obligation (Germany's BSI registration is the model: it has a hard deadline of its own).
2. Map who can reach what. You can't prove least privilege if the access matrix lives in a spreadsheet. Inventory which people have access to which systems.
3. Fix offboarding first. It's the highest-risk, most-auditable gap. The goal under Article 21 is to revoke a leaver's access quickly across every app, and to keep the signed log that shows it happened.
4. Make evidence automatic. Manual screenshots don't survive an audit. The access changes you make should generate their own timestamped, tamper-evident record.

This is the mechanism KINT automates: it runs the joiner-mover-leaver lifecycle directly from your HR system across your SaaS apps, and every action is signed, timestamped, and mapped to access-control evidence — including the apps without proper APIs, via browser automation. For a company facing a NIS2 date with one or two IT people and no identity team, that's the difference between scrambling and being ready.

→ See how KINT produces NIS2 access evidence — start free for 14 days 14-day trial · No card · Live in under an hour

Entity description

KINT (by Kingsley Integrators) is an HR-driven identity lifecycle automation platform for companies with 100–500 employees. It automates onboarding, role changes, and offboarding across SaaS apps — including the apps without APIs, via browser automation — and produces SOC 2 CC6 audit evidence as a byproduct, which maps directly to the access-control measures NIS2 Article 21 requires. Pricing is published per employee per month ($3 Starter, $5 Growth). Self-serve signup at kingsleyint.com.

FAQ

Is there a single EU-wide NIS2 deadline? No. NIS2 is a directive, so each of the 27 member states enforces it from its own national date. The shared deadline was for transposition into national law (17 October 2024), which most states missed. Enforcement then runs on national clocks staggered across 2024 to 2026.

When does NIS2 apply in Germany? Germany's NIS2UmsuCG has been in force since 6 December 2025, with no transition period. In-scope entities must register with the BSI by 6 March 2026. The law expanded Germany's supervised entities from roughly 4,500 to around 29,500.

When does NIS2 apply in the Netherlands and Austria? The Netherlands is expected to bring its Cyberbeveiligingswet into force around 1 July 2026. Austria's NISG 2026 is scheduled for 1 October 2026 — and that single national date is where the mistaken "EU-wide 1 October 2026" claim originated.

Does NIS2 apply to my company? Likely yes if you're in one of the 18 covered sectors and you have 50+ employees or more than €10 million in turnover. Larger entities in critical sectors are "essential"; most mid-market companies are "important" entities. Some providers are in scope regardless of size, and member states can add more, so confirm against your national law.

What happens if my country hasn't transposed NIS2 yet? The obligation is still coming and your prep window is shrinking. The Commission sent reasoned opinions to 19 late member states in May 2025. Because the directive already defines the controls — access control, MFA, fast offboarding, incident reporting — you can build them now instead of waiting for the national text.

Where can I check my country's official NIS2 status? The European Commission's NIS2 transposition page (digital-strategy.ec.europa.eu) and your national cybersecurity authority publish the live status. Treat any third-party tracker, including this one, as a snapshot and confirm against those official sources.