Navigating NIS2 Compliance

This whitepaper provides an analysis as of March 2026 of the current regulatory landscape of countries that have transposed NIS2, touching upon key aspects such as sector definition, identification of entities, registration requirements, and security measures, as well as management accountability and government oversight.

Across the EU and the EEA, countries display varied transpositions of the NIS2 Directive, with the following notable highlights:

• Austria, Belgium, Croatia, Cyprus, Czech Republic, Denmark, Finland, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Liechtenstein, Portugal, Romania, Slovakia, Slovenia and Sweden have transposed NIS2. Often this includes additional decrees, amendments or acts.
• Registration deadlines already passed for a significant number of countries that have transposed NIS2. Organisations that did not register yet, should do so as soon as possible.
• Security measures of the transpositions can be categorized in three main approaches: either a maturity based national cybersecurity control frameworks, a compliance based control framework or more principle based approach. Most countries define their list of required security controls.
• Countries such as Croatia, Hungary, Italy and Slovakia extend beyond the sectors mentioned in the Directive and add sectors such as education, defence or culture.
• Most countries align with the reporting schedule of the Directive, however Cyprus imposes a 6-hour early warning for significant incidents instead of the standard 24 hours. Lithuania requires an ‘automated’ incident reporting.

The Directive’s emphasis on management accountability is clear, with executive boards and managing directors mandated to ensure compliance with risk management measures.

Government oversight and audit mechanisms vary. In most countries essential entities require audits by a government accredited auditor. Frequency varies between yearly and every 5 years In essence, the transpositions studied showcase important specifics which can have significant impact for organisations operating in these countries. For these organisations, it means closely following up on the transpositions and trying to define a common ground to reach a workable level of compliance. The remaining NIS2 laws are expected throughout 2026. Having a strategic cybersecurity control framework to navigate this evolving regulatory landscape will be important moving forward.

The European commision proposed in November 2025 and January 2026 amendments that aim to streamline NIS2. The aim is to clarify sectors in scope, harmonize requirements, align incident reporting and introduce ways to demonstrate compliance with EU based certification (under the revised Cybersecurity Act (CSA2).

It is important to note that next to the EU and the EEA, the United Kingdom and Switzerland are also working on legislation that is heavily inspired by NIS2.