Skip to content

NIS2 Implementation Deadline Ends 31 July: Reporting Obligations and Million-Euro Fines

At a glance: NIS2 must be implemented by 31 July; violations of reporting obligations result in million-euro fines.

The EU NIS2 Directive must be transposed into national law by 31 July. Those who ignore the new reporting obligations for cybersecurity incidents risk substantial penalties.

The national implementation deadline for the NIS2 Directive (Network and Information Security Directive 2) expires on 31 July. Member States must integrate EU requirements into their national legal frameworks by then. Germany and other DACH countries are obligated to fully transpose the Directive.

The Directive introduces stricter reporting obligations for cybersecurity incidents. Affected companies must report incidents to national authorities – for critical infrastructure, sometimes within just a few hours. Requirements apply to energy supply, telecommunications, transport, water, health, financial sector, as well as space and digital services.

Violations of reporting obligations can be penalised with substantial fines. The amount depends on the severity of the breach and can reach the double-digit millions of euros for large enterprises. Inadequate cybersecurity measures themselves can also be sanctioned.

Compliance managers should verify whether their company falls under NIS2 and establish processes for incident reporting. Documentation of security measures is increasingly being used as evidence of compliance.


Source: news.google.com · Published 6 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: