Five member states have not yet transposed the NIS2 directive, which aims to establish a high common level of cybersecurity across the EU.
The deadline for member states to adopt national legislation transposing the directive was 17 October 2024.
Of the five EU countries, four (France, Ireland, Luxembourg and Netherlands) have already submitted legislation to parliament. Spain is the only country which has not yet submitted a draft transposition law to parliament.
Scope
Region: Europe
Countries covered: 27 EU member states
Policy area: Cybersecurity, digital economy
Last updated: March 2026
For more information on the benchmark and Cullen International's complete NIS2 coverage, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
05 March 26
CSRD: Austria and Malta finalise national transposition
Cullen International’s latest benchmark tracks the progress made by the 27 EU member states in transposing the Corporate Sustainability Reporting Directive (CSRD) and the related “stop-the-clock” directive.
04 March 26
The DNA explained: voluntary cooperation on IP interconnection, no network fees
Cullen International is issuing a series of analyses on different aspects of the Digital Networks Act (DNA) proposal. This report covers network contribution.
25 February 26
Protection of minors: overview of national initiatives on banning access to social media
Our latest benchmark shows that an increasing number of European countries are discussing a potential social media ban on children.