
National execution · May 6, 2026 · 7 min

NIS2 transposition status: where the four markets stand in 2026

NIS2 transposition status diverges sharply across France, Germany, Spain and Italy. Italy has transposed; the others run on draft texts. Here is the framework.


Eighteen months past the deadline, the NIS2 transposition status across the four markets this site covers — France, Germany, Spain, Italy — is uneven enough that boards in those countries face fundamentally different operating realities. The directive itself entered into force on 16 January 2023, with a national-execution deadline of 17 October 2024 set by Article 41 of Directive (EU) 2022/2555. One of the four has fully transposed. The other three operate, today, on draft texts, holding actions, or NIS-1 era statutes.

This article skips the tour-of-laws and offers a decision framework instead. For each market, three coordinates: the verifiable transposition instrument (or lack of one), the competent authority, and the operational question that follows this month for an essential or important entity headquartered there. The United Kingdom is included as a reference market — outside the EU, no longer subject to NIS2, but tracked here because British boards with EU-facing subsidiaries face the same calendar.

1. Italy — transposed, ACN at the helm

Italy is the only one of the four markets whose national execution layer is locked in. Decreto Legislativo 4 settembre 2024, n. 138, Recepimento della direttiva (UE) 2022/2555, was published in the Gazzetta Ufficiale on 1 October 2024 and entered into force shortly thereafter. The competent authority is the Agenzia per la Cybersicurezza Nazionale (ACN), which inherits the supervisory powers and the registration mechanism foreseen by Article 3 of the Directive.

The decree imposes a self-registration window — entities had until 28 February 2025 to register with ACN through the national portal — and a graduated implementation calendar that staggers governance, risk-management and incident-reporting obligations through 2025 and 2026. ACN has published sectoral guidance and is already running supervisory engagement, though no public NIS2-branded fine has yet been notified.

The open operational question for Italian boards in May 2026 is no longer whether the obligations apply but whether the registro NIS entry is current and whether the entity's incident-classification matrix maps to the IR 2024/2690 thresholds where applicable. ACN has stated publicly that supervisory inspections will sample entities whose registration appears stale or whose first reporting cycle was incomplete.

2. Germany — not yet adopted, BMI in the lead

Germany has not adopted its NIS2 transposition law. The page maintained by the Bundesamt für Sicherheit in der Informationstechnik (BSI) states explicitly: "Ein nationales Gesetz zur Umsetzung der NIS-2-Richtlinie ist noch nicht verabschiedet." The lead ministry for the legislative file is the Bundesministerium des Innern und für Heimat (BMI); the working title of the draft remains the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG).

For German entities, the directive's substantive obligations apply via direct effect for several provisions — the Court of Justice has consistently held this for clear, unconditional articles where the deadline has lapsed — but the supervisory architecture, fine schedule and registration mechanism remain unsettled until the federal law is voted. The BSI is the de facto competent authority for cybersecurity matters, but its Article 32 enforcement powers are not yet codified at NIS2's level.

The operational question for the German board in May 2026 is what to commit to in writing now. The defensible posture is to mirror the directive's requirements directly — Article 20 governance duties, Article 21 measures, Article 23 reporting cadence — under a working assumption that the NIS2UmsuCG, when passed, will not lower them. This is not a comfortable position for the legal department, but it is the YMYL-safe one.

Boards in Germany and Spain operate on the directive's text alone — the national supervisor exists, the national fine schedule does not.

3. France — projet de loi Résilience, ANSSI's ReCyF as the bridge

France has not yet promulgated its transposition law. According to the Agence nationale de la sécurité des systèmes d'information (ANSSI), the vehicle is the projet de loi Résilience, with the operational anchor in its article 14. As of the date of this publication, the draft has not completed parliamentary passage; ANSSI's site refers to it as a projet, not a loi.

To bridge the interval, ANSSI published in 2026 the Référentiel Cyber France (ReCyF) — a non-mandatory reference framework that lists the security measures ANSSI will accept as evidence of compliance with NIS2's substantive requirements once the law passes. Entities that adopt ReCyF can claim its application as a gage de conformité in the event of a future inspection. ANSSI is the designated competent authority, with sectoral CSIRTs in support.

The operational question for French boards in May 2026 is whether to begin alignment with ReCyF now, accepting that some details may shift when the loi Résilience is finalised, or to wait. Most large entities have started — ANSSI's role as both rule-writer and supervisor means that early alignment is, in practice, the lowest-risk path.

4. Spain — pending transposition, INCIBE-CERT as operational anchor

Spain has not yet transposed NIS2. The Instituto Nacional de Ciberseguridad (INCIBE) is explicit on its public FAQ: when asked which entity will be the Spanish competent authority maintaining the lists of essential and important entities, the answer is "Para responder a esta pregunta es necesario esperar a la trasposición de la directiva." The existing national framework is Real Decreto-ley 12/2018 and its development regulation Real Decreto 43/2021 — the NIS-1 transposition, not NIS-2.

INCIBE-CERT continues to function as the operational CSIRT for the private sector and remains the practical single point of contact for incident notifications today. The Centro Criptológico Nacional (CCN-CERT) covers the public sector. The architectural choice between a single competent authority or a sectoral split — and whether the Departamento de Seguridad Nacional retains a coordination role — will be settled by the transposition text whenever it is published in the Boletín Oficial del Estado.

The operational question for Spanish boards in May 2026 mirrors Germany's. Apply the directive's substantive obligations as if transposition were already in force, including the 24h–72h–1 month reporting cadence to INCIBE-CERT, and accept that the formal sanction regime will land later. Sub-threshold non-compliance today is invisible to the regulator; it is not invisible to a future supervisor reading a 2026 risk register backwards.

5. United Kingdom — outside scope, but the calendar still applies

The UK is not subject to NIS2. The British framework remains the Network and Information Systems Regulations 2018 (NIS Regulations), with the National Cyber Security Centre (NCSC) as the technical authority and sector-specific competent authorities (Ofcom, ICO, Ofgem and others) handling supervision. In September 2024 the UK government announced the Cyber Security and Resilience Bill, which proposes to broaden the NIS Regs in a direction that loosely tracks NIS2 — more sectors, stronger reporting, sharper enforcement.

For boards of UK-headquartered groups with EU subsidiaries or services consumed in the EU, NIS2 obligations apply through those EU establishments under Article 26 of the Directive — which is to say, through the Italian, German, French or Spanish entities of the group, on whichever schedule those four jurisdictions converge. The reverse is also true: an EU-headquartered group with a UK subsidiary tracks the NIS Regs 2018 and, soon, the Cyber Security and Resilience Bill.

The operational question for the UK reference market is procurement and group reporting. A single incident-reporting playbook that satisfies NIS2's 24/72-hour cadence will, in most cases, also satisfy NIS Regs 2018's 72-hour requirement — but the threshold definitions differ, and the board's incident matrix should explicitly reconcile the two.

What good looks like

Three artefacts come up consistently in the supervisory engagement playbooks of ACN, ANSSI, BSI, INCIBE and NCSC. None requires waiting for the missing national text:

  1. A jurisdiction map signed by the board — a one-page document, dated within the last twelve months, that lists each in-scope establishment, its competent authority of reference, the registration status with that authority (in Italy: registered; in DE/ES: pending; in FR: pre-registration through ANSSI's portal where applicable), and the legal basis the board is treating as binding today.
  2. A direct-effect memo from legal — a short memorandum on the Article 21 risk-management measures and the Article 23 reporting cadence the board is implementing now, on the assumption that the German and Spanish transposition acts will not lower them. The memo cross-references the five non-delegable Article 20 board duties and is reviewed when each national law is published.
  3. A regulator change-log — a single shared file that records, by date, every public statement from ACN, ANSSI, BSI and INCIBE that affects scope, reporting or sanctions. Reviewed by the audit committee at every quarterly meeting. Static compliance posture decays fast in jurisdictions that are still drafting.

The work for the next six months, for entities that operate across these four markets, is to keep the framework consistent at group level while adapting the local supervisor relationship to where each national law actually is. The directive is the floor; the national law, when it lands, is the operational ceiling.


Sources

  1. Directive (EU) 2022/2555, Article 41 (transposition deadline 17 October 2024) and Article 26 (jurisdiction).
  2. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024.
  3. Italy — Decreto Legislativo 4 settembre 2024, n. 138, Recepimento della direttiva (UE) 2022/2555, Gazzetta Ufficiale. Competent authority page: Agenzia per la Cybersicurezza Nazionale (ACN).
  4. Germany — BSI, NIS-2-Richtlinie: national NIS-2 transposition law not yet adopted as of consultation. Lead ministry: BMI.
  5. France — ANSSI, Directive NIS 2: transposition vehicle is the projet de loi Résilience, article 14; not yet promulgated. Référentiel Cyber France (ReCyF) published in 2026 as a bridging framework.
  6. Spain — INCIBE, FAQ NIS2: NIS2 transposition pending; existing framework is Real Decreto-ley 12/2018 and Real Decreto 43/2021.
  7. United Kingdom — GOV.UK, Cyber Security and Resilience Bill: proposed legislation announced September 2024; current statute is the Network and Information Systems Regulations 2018.