All resources
Scope·18 May 2026·5 min read

NIS2 by country: how to check your national transposition

NIS2 is a directive, not a regulation, which means your real obligations live in national law. Here's how to find them.

Why country matters

NIS2 is a directive. Unlike a regulation (such as DORA), a directive sets the goals but leaves each Member State to write the detailed rules into national law. So while the core obligations are harmonised, the exact authority you register with, the portal you report incidents to, and some thresholds and specifics vary by country.

The transposition reality

The transposition deadline was 17 October 2024, but Member States moved at different speeds; several were late. That means the precise text, timelines and registration mechanics depend on where, and when, your country implemented NIS2.

How to find your specifics

  • Identify your national NIS2 transposition law (the act that implements the directive).
  • Find your national competent authority and CSIRT; they publish guidance and the incident-reporting channel.
  • Confirm registration requirements and deadlines for your entity type.
  • Check any sector-specific rules layered on top by your national regulator.

Build once, report anywhere

If you operate across borders, the variation is a real burden. Alexus keeps one operational-evidence layer and generates incident reports aligned to each national CSIRT's format, so the underlying work is done once. This article is general guidance, not legal advice; always confirm against your national transposition.

Make NIS2 evidence a query, not a project

Alexus turns the IT operations you already run into continuous Article 21 readiness, ready-to-file Article 23 reports and a hash-chained audit trail.