Five member states have not yet transposed the NIS2 directive, which aims to establish a high common level of cybersecurity across the EU.
The deadline for member states to adopt national legislation transposing the directive was 17 October 2024.
Of the five EU countries, four (France, Ireland, Luxembourg and Netherlands) have already submitted legislation to parliament. Spain is the only country which has not yet submitted a draft transposition law to parliament.
Scope
Region: Europe
Countries covered: 27 EU member states
Policy area: Cybersecurity, digital economy
Last updated: March 2026
For more information on the benchmark and Cullen International's complete NIS2 coverage, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
18 June 26
[INFOGRAPHIC] Cullen Cheat Sheet: M&A wave in Latin America’s telecoms sector
This Cullen International infographic highlights the key M&A transactions in the LATAM telecoms market in the last few years.
15 June 26
Global trends in regulating cross-border personal data transfers
Our latest Global Trends benchmark compares key aspects of the regulation of cross-border personal data transfers across 14 jurisdictions worldwide.
12 June 26
Status of national AI laws across Europe
Our new benchmark tracks national laws implementing the AI Act, looking into the procedure for adoption and the core provisions.