Updated July 1, 2026
Summary: As of May 2026, 19 EU Member States face formal infringement proceedings for failing to transpose NIS-2 Directive 2022/2555, leaving essential and important entities in legal limbo across multiple jurisdictions. Sovereign infrastructure aligned with Commission Implementing Regulation (EU) 2024/2690 offers the most defensible path through the resulting compliance uncertainty.

The NIS-2 transposition infringement enforcement risk refers to the legal and operational exposure that arises when EU Member States fail to incorporate NIS-2 Directive 2022/2555 into national law on time, leaving essential and important entities in a compliance vacuum that national supervisory authorities cannot fill. For organisations operating across multiple EU jurisdictions, this is not an abstract regulatory curiosity: it determines whether cybersecurity obligations are enforceable, who has supervisory authority, and what evidence will satisfy an auditor.

The May 2026 Reasoned Opinions: What Happened and Why It Matters

The European Commission’s formal infringement action against 19 Member States in May 2026 marks the first time the NIS-2 non-transposition problem has moved from political pressure to legal proceedings with concrete consequences.

Article 41 of NIS-2 Directive 2022/2555 required all Member States to adopt and publish transposing legislation by 17 October 2024. By May 2026, at least 19 states had not notified complete transposition to the Commission. The reasoned opinion, the second stage of EU infringement proceedings under Article 258 TFEU, gives each state a final deadline to comply before the Commission refers the matter to the Court of Justice of the EU. At that point, daily financial penalties become available.

The Commission stated in its infringement communications: “The objective of NIS-2 is to achieve a high common level of cybersecurity across the Union. Fragmented implementation directly undermines that objective and leaves critical sectors exposed.”

For essential and important entities, the immediate practical consequence is this: in the 19 non-transposing jurisdictions, no national competent authority has a fully operational legal mandate to register, supervise, or sanction entities under NIS-2. The supervisory architecture that Directive 2022/2555 requires, including designated CSIRTs, single points of contact, and sector-specific supervision, does not yet exist in legally enforceable form in those states.

Note: The NIS-2 transposition deadline passed on 17 October 2024. By May 2026, 19 Member States were more than 18 months overdue, meaning any essential entity registered or operating in those jurisdictions has been operating without a clear national supervisory counterpart for well over a year.

How Uneven Transposition Creates Conflicting Article 21 Obligations

Article 21 of NIS-2 Directive 2022/2555 requires entities to take “appropriate and proportionate technical, operational and organisational measures” across ten control domains, ranging from risk analysis and access control to supply chain security and cryptography. The Directive allows Member States to impose stricter national requirements, which means a fully transposing jurisdiction can legislate above the EU floor.

The result for a multi-jurisdictional regulated organisation, say a pan-European bank subject to both NIS-2 and DORA, is a table of divergent obligations:

| Scenario | NIS-2 transposition status | Article 21 obligations enforceable? | Supervisory authority active? |
|---|---|---|---|
| Operating in a fully transposing Member State (e.g., Croatia, which transposed early) | Complete | Yes, plus any stricter national additions | Yes |
| Operating in a non-transposing Member State subject to reasoned opinion | Incomplete or absent | Directive has no direct effect for individuals under criminal/admin law; gap exists | Partial or none |
| Operating in a state that transposed with stricter national rules | Complete, above EU floor | Yes, stricter standard applies | Yes, with wider mandate |

A CISO managing infrastructure across all three scenarios simultaneously cannot apply a single control framework and call it done. They must either implement to the highest applicable standard everywhere, document the jurisdictional basis for every control choice, or accept the audit risk that arises from operating below the standard of the strictest applicable national law.

The Legal Risk to an Essential Entity in a Non-Transposing Jurisdiction

A common misconception is that operating in a non-transposing Member State reduces compliance burden. The opposite risk is more significant. When that state eventually transposes, possibly under political pressure following infringement proceedings, it may do so with retroactive supervisory scrutiny of the gap period. Entities that cannot demonstrate continuous alignment with the EU-level standard during the gap period face the same audit exposure as those who deliberately avoided compliance.

Beyond the retroactive risk, an essential entity that has fully implemented NIS-2 controls in one Member State but runs systems, data centres, or supply chains in a non-transposing jurisdiction faces a specific liability gap: if a security incident originates in the non-transposing jurisdiction and propagates to the transposing one, the incident reporting chain under Article 23 of NIS-2 is broken. The CSIRT in the transposing state cannot coordinate with a counterpart that does not legally exist yet.

The NIS Cooperation Group, which coordinates between national authorities across Member States, has no mechanism to fill this gap unilaterally. Its guidance documents, while valuable, cannot substitute for enacted national law.

Commission Implementing Regulation (EU) 2024/2690 as a De Facto Common Baseline

Commission Implementing Regulation (EU) 2024/2690 is the single most practically useful instrument available to organisations navigating transposition uncertainty, because it has direct effect in all 27 Member States without requiring national transposition.

The Regulation specifies the technical and methodological requirements for the Article 21 measures, including requirements for vulnerability handling, network segmentation, cryptographic controls, multi-factor authentication, and supply chain security assessments. Because it is a Regulation and not a Directive, it is operative in every Member State from its entry into force, including those that have not transposed NIS-2 itself.

ENISA stated in the context of its supervision guidance: “ENISA’s supervision handbooks are designed to support national authorities and entities in applying consistent standards regardless of where national law currently stands.”

A sovereign infrastructure operator that contractually commits to the specific technical controls in (EU) 2024/2690 provides its customers with a compliance baseline that cannot be undermined by national transposition failures. This is a material advantage over hyperscale cloud providers whose terms of service do not map explicitly to the Regulation’s control catalogue. The operator can present a control matrix that references each Article of (EU) 2024/2690 and documents how the infrastructure satisfies it, giving a compliance officer a defensible audit trail regardless of which Member State’s supervisory authority reviews it.

Note: Commission Implementing Regulations have direct effect under Article 288 TFEU. Organisations that structure their control evidence around (EU) 2024/2690 rather than any single national transposition are building compliance documentation that survives jurisdictional variation.

Using ENISA’s Sector Supervision Handbooks as Interim Audit Evidence

The ENISA NIS-2 Sector Supervision Handbook series provides sector-by-sector control domains and assessment criteria calibrated to what national competent authorities are expected to examine during audits. ENISA developed these handbooks in close coordination with the NIS Cooperation Group precisely because the uneven transposition landscape was foreseeable.

NIS-2 Directive 2022/2555 covers 18 sectors under Annexes I and II, ranging from energy, transport, and banking to public administration and space. Each sector handbook translates the Article 21 obligations into sector-specific audit criteria. For a CISO in financial services or healthcare, the handbook provides a structured basis for internal gap analysis that mirrors what a competent authority inspector will eventually use.

The practical approach for a CISO is threefold. First, map existing controls against the relevant sector handbook’s criteria and document the mapping with evidence references. Second, cross-reference that mapping against the specific technical requirements in (EU) 2024/2690 to confirm the EU-level floor is met. Third, where a national competent authority exists and has published additional guidance, layer that on top as a jurisdiction-specific annex to the control documentation. In jurisdictions where national transposition is incomplete, the handbook mapping and (EU) 2024/2690 alignment together constitute the strongest available evidence of good-faith compliance.

This approach also prepares organisations for the period immediately following eventual transposition in currently non-compliant states: when a national authority begins supervising for the first time, entities with pre-existing ENISA handbook documentation will be substantially better positioned than those who waited for national law to crystallise before beginning compliance work.

Sovereign Infrastructure as a Structural Response to Jurisdictional Fragmentation

The NIS-2 transposition infringement enforcement risk is ultimately a data governance risk. When sensitive data processed by an essential entity sits on infrastructure governed by a jurisdiction whose supervisory framework is incomplete or contested, the chain of accountability required by both NIS-2 and GDPR becomes difficult to demonstrate.

Sovereign infrastructure, hosted under a stable legal framework such as Swiss law under the revised Federal Act on Data Protection (revFADP), addresses this structurally. The Swiss jurisdiction is not subject to EU infringement proceedings, is not exposed to US CLOUD Act or FISA 702 access demands, and operates under a data protection framework the European Commission has recognised as adequate. An infrastructure operator based in Switzerland can commit contractually to (EU) 2024/2690 technical controls and ENISA handbook criteria, creating a compliance layer that is independent of which Member States have or have not transposed NIS-2.

For essential entities in finance, healthcare, and public administration evaluating infrastructure choices, the question is not simply whether a provider claims NIS-2 compliance. The question is whether the provider can produce a control-by-control evidence package aligned to (EU) 2024/2690, referenced against the relevant ENISA sector handbook, and hosted under a jurisdiction that does not introduce additional legal exposure. That combination is what makes compliance both provable and durable across the current period of transposition fragmentation.

FAQ

Which Member States received the European Commission’s reasoned opinion in May 2026 for failing to transpose NIS-2?

The Commission confirmed infringement proceedings against 19 Member States in May 2026. The specific list published in official communications should be consulted directly via the Commission’s infringement database at ec.europa.eu. The proceedings target states that had not adopted or notified transposing national legislation more than 18 months after the October 2024 deadline set by Article 41 of NIS-2 Directive 2022/2555.

What does the NIS-2 transposition gap mean in practice for an essential entity operating in multiple Member States?

An essential entity faces asymmetric audit risk: the national supervisory authority in one jurisdiction can enforce Article 21 obligations with full legal backing, while the equivalent authority in a non-transposing Member State has no enforceable national framework. This creates inconsistent incident reporting timelines and potential liability gaps when a security incident crosses borders.

Does Commission Implementing Regulation (EU) 2024/2690 apply directly to organisations even where NIS-2 has not been transposed?

Yes. Implementing Regulations have direct effect in all Member States under Article 288 TFEU without requiring national transposition. The technical and methodological requirements in (EU) 2024/2690 are legally operative even in jurisdictions where Directive 2022/2555 has not yet been incorporated into national law, making it the most reliable common baseline available today.

How should a CISO use ENISA’s NIS-2 Sector Supervision Handbook as audit evidence?

The ENISA NIS-2 Sector Supervision Handbook sets out control domains and assessment criteria that national competent authorities are expected to use when auditing entities. A CISO can map internal controls against the handbook’s criteria and document that mapping as evidence of good-faith compliance. In jurisdictions where national transposition is incomplete, this documentation demonstrates alignment with the EU-level standard rather than a specific national variant.

How does sovereign infrastructure specifically reduce NIS-2 enforcement risk compared to hyperscale cloud?

Sovereign infrastructure hosted under a stable legal framework removes exposure to extraterritorial access requests (US CLOUD Act, FISA 702) that can conflict with NIS-2’s confidentiality and integrity obligations. It also allows the operator to contractually commit to the technical controls in Commission Implementing Regulation (EU) 2024/2690, making compliance obligations explicit and auditable rather than embedded in opaque hyperscale terms of service.
