Five member states have not yet transposed the NIS2 directive, which aims to establish a high common level of cybersecurity across the EU.
The deadline for member states to adopt national legislation transposing the directive was 17 October 2024.
Of the five EU countries, four (France, Ireland, Luxembourg and Netherlands) have already submitted legislation to parliament. Spain is the only country which has not yet submitted a draft transposition law to parliament.
Scope
Region: Europe
Countries covered: 27 EU member states
Policy area: Cybersecurity, digital economy
Last updated: March 2026
For more information on the benchmark and Cullen International's complete NIS2 coverage, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
29 May 26
How are EU member states transposing NIS2?
Our latest benchmark tracks the progress of the Directive on measures for a high common level of cybersecurity across the EU (NIS2) transposition in the 27 EU member states.
28 May 26
Open RAN adoption remains limited to select markets
Our latest global trends benchmark on the adoption of open radio access network (open RAN) architecture covers commercial deployments, policy support and the emerging AI-RAN trend.
27 May 26
Inconsistent reporting hampers assessment of postal sector’s environmental performance
Our new report, from Cullen International’s recently launched Transport & Delivery Sustainability service, details how postal service providers currently report on their environmental performance.