NIS2 Enforcement Has Begun: First Actions Underway and the June 30 Audit Deadline Is Days Away

Source: Diamatix / Skadden / ObjectFirst / NIS2 Directive Resource / ECSO Transposition Tracker

The NIS2 Directive (EU) 2022/2555 entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. The intervening period was widely used by organisations to prepare. That period is now over. 2026 is the year enforcement actions begin, and the first formal compliance deadline under the Directive falls on 30 June 2026, four days from today.

The June 30 audit deadline

NIS2 requires essential and important entities to conduct a first internal or third-party audit verifying compliance with the security measures specified in Article 21 of the Directive. The deadline for completing this audit was initially set for 31 December 2025, then moved to 30 June 2026. That deadline arrives at the end of this week.

The audit covers the minimum security measures that Article 21 requires: risk management procedures, incident handling, business continuity, supply chain security, network and information systems security, access control, cryptography, personnel security, authentication, and secure communications.

For organisations that have implemented these measures, the audit is a verification exercise that produces a documented record for the national competent authority. For organisations that have not yet implemented the measures, the audit will identify gaps that regulators may ask about directly.

Where Member State transposition stands

21 out of 27 EU Member States have transposed NIS2 into national law as of June 2026. This matters because the competent authority and the specific enforcement regime are determined by national transposition, not by the Directive directly.

Key national implementation dates include: Germany’s NIS2 implementation law entering into force in December 2025, Sweden’s Cyber Security Act and Ordinance effective from January 2026, Portugal’s transposition entering into force in April 2026, and Austria’s NISG 2026 Act coming into force in October 2026.

The six Member States that had not yet completed transposition as of this date have been referred to the Court of Justice of the EU by the European Commission. These enforcement proceedings create additional uncertainty for entities based in those jurisdictions, where the national competent authority structure and registration requirements may still be provisional.

What first enforcement looks like

NIS2 enforcement is conducted by national competent authorities rather than by a European-level body. The enforcement mechanisms vary by country but generally include supervisory powers to conduct audits and inspections, binding remediation orders, and administrative fines.

The maximum fine for essential entities under NIS2 is 10 million euros or 2 percent of global annual turnover. For important entities, the maximum is 7 million euros or 1.4 percent of global annual turnover. These are ceiling figures. National authorities have discretion on penalty amounts and are expected to use graduated responses rather than starting at the maximum.

Early enforcement actions in Europe are focusing on entities that have not registered with their competent authority, have not completed risk assessments, or have experienced incidents that exposed a failure to meet the Article 21 requirements. Incident reporting obligations under NIS2 require a significant incident to be notified within 24 hours as an early warning, with a fuller report within 72 hours.

The compliance fragmentation problem

One of the most practically difficult aspects of NIS2 for organisations operating across multiple EU Member States is that the transposition process has produced meaningful variation in national implementation. Reporting templates, scope definitions, sector assignments, and registration processes differ across jurisdictions.

On 26 May 2026, the NIS2 Cooperation Group adopted common templates for incident reporting, a step toward harmonisation. However, these templates do not resolve all national variation. An organisation with offices or operations in multiple Member States faces the administrative burden of understanding and complying with multiple national NIS2 regimes.

The European Commission announced in March 2026 that it is examining potential NIS2 reform to address fragmentation. Any reform process will take time, and organisations cannot wait for reform to address their current compliance obligations.

Which entities are in scope

NIS2 applies to medium and large organisations in sectors deemed essential or important. The essential sectors are energy (electricity, oil, gas, hydrogen, district heating and cooling), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS providers, TLD registries, cloud computing, data centres, content delivery networks, trust services, electronic communications), ICT service management, public administration, and space.

Important entity sectors include postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacturing of medical devices and other regulated goods, digital providers (search engines, online marketplaces, social networks), and research organisations.

Critically for cloud and digital service providers: cloud computing service providers, data centre service providers, and content delivery networks are listed as essential entity categories under NIS2 Annex I. ICT service managers, meaning managed service providers and managed security service providers, are listed as important entities under Annex II. If your organisation provides infrastructure or managed services to European businesses, you may be in scope regardless of where you are headquartered.

Supply chain security obligations

One of the NIS2 requirements with the broadest operational implications is Article 21’s requirement to address security in supply chains. Essential and important entities must assess the security practices of their suppliers and service providers, particularly those that directly provide network and information systems to the entity.

This requirement creates a cascading obligation: in-scope organisations must vet their suppliers, which means suppliers serving in-scope organisations will face security questionnaires, audit requests, and contractual requirements flowing from their customers’ NIS2 obligations even if the supplier is not itself directly in scope.

For cloud providers, software vendors, and managed service providers serving European organisations, NIS2 supply chain requirements are arriving through customer contracts regardless of whether the provider has independently assessed its own NIS2 status.

The incident reporting obligation starts now

NIS2’s incident reporting requirements are not waiting for audit deadlines. Essential and important entities that experience a significant incident are already obligated to submit early warnings within 24 hours and fuller reports within 72 hours to their national competent authority, and in some cases to affected users.

A significant incident is defined as one that causes or has the potential to cause severe operational disruption or financial losses, or that affects other natural or legal persons by causing considerable material or non-material damage. This is a broad definition that captures many incidents that were previously managed without regulatory notification.

Organisations that do not have an incident classification and reporting process in place are not only failing a compliance requirement but are also at risk of discovering that obligation at the worst possible time: during an active incident.

If your organisation is assessing whether it is in scope under NIS2, needs to complete a compliance gap analysis before the June 30 audit deadline, or wants to build the incident handling and supply chain security processes the Directive requires, contact Excello Digital. We help European organisations and internationally-operating businesses navigate NIS2 compliance across jurisdictions, from scope determination through to the technical and organisational measures the Directive mandates.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.
