Last updated on October 2, 2025
No; EU Member States were required to transpose the NIS2 Directive into national law by the October 17, 2024 deadline. NIS2 expands the scope of entities subject to mandatory cyber risk management and incident reporting, and it harmonises tougher rules across critical sectors. After the deadline, national competent authorities must enforce the directive's provisions, and organisations that fall under NIS2 face strict incident notification deadlines and potential penalties for non-compliance. Firms operating cross-border in the EU should have prepared governance, incident response, third-party risk management, and reporting channels in line with NIS2 requirements by the transposition date. For implementation specifics, businesses must consult their national transposing legislation and the guidance published by the EU Agency for Cybersecurity (ENISA).
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L0382
2023-12-16 (Directive adopted); transposition deadline 2024-10-17