NIS2 Final Provisions: Transposition Timeline, Repeal of NIS1, and the Developer Compliance Deadline Map for 2024–2027
The final articles of NIS2 (Arts 45–49) are the least discussed and the most misunderstood. Developers who have read through the security measures, incident reporting, and enforcement chapters often stop before reaching the provisions that tell them when everything applies and which rules were replaced.
This post covers the complete NIS2 legal timeline — from its publication in the Official Journal through the first wave of enforcement actions and into the 2027 review cycle. It also explains what the repeal of NIS1 means in practice and identifies the compliance checkpoints that security teams should have mapped in their planning calendars.
1. NIS2 Legislative Timeline: The Key Dates
NIS2 (Directive 2022/2555) official timeline:

| Date | Milestone |
|---|---|
| 2022-12-27 | Published in the Official Journal of the EU (OJ L 333/80) |
| 2023-01-16 | Entry into force, 20 days after OJ publication (Art.48) |
| 2024-10-17 | Transposition deadline (Art.46): member states must enact national law |
| 2024-10-18 | Application date: NIS2 national laws apply to entities; NIS1 (Directive 2016/1148) formally repealed (Art.45) |
| 2025-04-17 | ENISA peer review methodology deadline (Art.39) |
| 2025-10-17 | First wave of national supervisory reports due |
| 2026-01-17 | ENISA cybersecurity scheme recommendations deadline |
| 2027-10-17 | European Commission review (Art.47): NIS2 scope and effectiveness |
| 2027-12-31 | Potential NIS3 proposal if the review identifies material gaps |
For developers, the operative date is 2024-10-18. From that date, NIS2 national implementations have legal force. Every obligation covered in this blog series — Art.21 security measures, Art.23 incident reporting, Art.32-35 supervision — applies to your organisation if you fall within NIS2's scope.
2. Article 45 — Repeal of NIS1
Article 45 repeals Directive 2016/1148 (NIS1) with effect from 18 October 2024. References to NIS1 in other EU law are to be read as references to the equivalent NIS2 provisions.
What this means practically:
If your organisation's security policies, privacy notices, or contracts reference "compliance with Directive 2016/1148" or "NIS Directive", those references became legally stale on 18 October 2024. You should have updated them to reference NIS2 (2022/2555).
NIS1 provisions that were transposed into national law (e.g., the pre-2024 version of the German BSI-Gesetz, the French LPM cybersecurity provisions) were superseded by national NIS2 implementation laws. The names changed, and the obligations expanded significantly.
NIS1 vs NIS2: scope changes that matter for developers
| Dimension | NIS1 (2016/1148) | NIS2 (2022/2555) |
|---|---|---|
| Sectors covered | 7 sectors, OES only | 18 sectors, essential + important entities |
| SME threshold | Generally excluded | Included if in-scope sector, >50 employees or >€10M revenue |
| Incident reporting | National framework only | Harmonised 24h/72h/1mo timeline (Art.23) |
| Management liability | Not specified | Personal liability, training, sign-off (Art.32(6)) |
| Supply chain | Advisory | Binding (Art.21(2)(d)) |
| Sanctions | Member state discretion | Minimum €10M/2% essential, €7M/1.4% important (Art.35-36) |
| Cooperation | Voluntary | Mandatory (ISACs, CSIRT coordination, CyCLONe) |
If your organisation was "NIS1 compliant" in 2023, you are not automatically NIS2 compliant. The scope expansion alone — particularly supply chain requirements and management liability — likely requires substantive new controls.
3. Article 46 — Transposition: What National Laws Look Like
Article 46 required member states to adopt and publish national implementing measures by 17 October 2024. By mid-2026, most EU member states have transposed NIS2, though implementation quality varies.
Key national implementations (status as of 2026):
| Member State | NIS2 Implementation Law | Entry Into Force |
|---|---|---|
| Germany | BSIG-E (BSI-Gesetz Erweiterung) + KRITIS-Dachgesetz | 2024-10 (BSIG) + 2025-01 (KRITIS) |
| France | Loi n° 2024-xxx NIS2 transposition + ANSSI guidance | 2024-10 |
| Netherlands | Cyberbeveiligingswet (NIS2 wet) | 2024-10 |
| Austria | NISG 2024 (Netz- und Informationssicherheitsgesetz) | 2024-10 |
| Poland | KSC ustawa amendment | 2024-11 (late) |
| Spain | ENS 2.0 + NIS2 reglamento | 2025-01 (late) |
| Italy | Decreto NIS 2 (D.Lgs. 138/2024) | 2024-10 |
For multi-jurisdiction operators:
If your service is available in multiple EU member states, you are subject to the supervision of your lead NCA, the authority of your "main establishment" (a principle similar to the GDPR Art.56 one-stop-shop, although NIS2 determines the lead authority through a different mechanism). For entities without a clear primary EU establishment, each member state's national law still applies in its own territory.
```python
# NIS2 Lead NCA Determination Logic
class NIS2Jurisdiction:
    def __init__(self, entity_name: str):
        self.entity_name = entity_name
        self.establishment_countries: list[str] = []  # EU countries where the entity is established
        self.service_countries: list[str] = []        # EU countries where the service is offered

    def determine_lead_nca(self) -> str:
        """
        NIS2 Art.26: Lead NCA = NCA of main EU establishment
        Main establishment = place of central administration in EU
        If no central admin: where entity's cybersecurity operations are managed
        """
        # DNS registry operators, TLD registries: jurisdiction where registered
        # Cloud service providers: where management decisions made
        # Other entities: country of central administration
        if not self.establishment_countries:
            raise ValueError(f"{self.entity_name}: no EU establishment recorded")
        if len(self.establishment_countries) == 1:
            return f"NCA of {self.establishment_countries[0]} (sole establishment)"
        if "DE" in self.establishment_countries:
            # Germany as example HQ
            return "BSI (Germany) as lead NCA — applies German BSIG"
        return "NCA of primary establishment — check Art.26(1)"

    def get_applicable_sanctions(self, entity_type: str, global_turnover_eur: float) -> dict:
        """NIS2 Art.35-36 minimum sanctions — national law may exceed minimums.
        The fine ceiling is the higher of the fixed amount and the turnover percentage,
        so the entity's global annual turnover is needed to compute it."""
        if entity_type == "essential":
            return {
                "max_fine_eur": max(10_000_000, 0.02 * global_turnover_eur),  # €10M or 2% global turnover
                "management_liability": True,     # Art.32(6)
                "supervision_type": "proactive",  # Art.32
            }
        if entity_type == "important":
            return {
                "max_fine_eur": max(7_000_000, 0.014 * global_turnover_eur),  # €7M or 1.4% global turnover
                "management_liability": False,    # Not specified for important
                "supervision_type": "reactive",   # Art.33
            }
        raise ValueError(f"unknown entity type: {entity_type!r} (expected 'essential' or 'important')")
```
4. Article 47 — Review: The 2027 Checkpoint
Article 47 requires the European Commission to review NIS2's implementation and effectiveness by 17 October 2027 and report to the European Parliament and Council. The review must assess:
- Whether the security measures in Art.21 are proportionate and sufficient
- Whether the incident reporting thresholds in Art.23 should be adjusted
- Whether the scope (Annexes I and II) should be extended to additional sectors
- Whether penalties are effective, proportionate, and dissuasive
What the 2027 review likely means for developers:
Based on early enforcement patterns (Q4 2025–Q2 2026), the review is expected to examine:
- AI system oversight: NIS2 Art.21 may be extended to cover AI-decision systems in critical sectors, aligning with AI Act risk management requirements
- SME scope: Whether the 50-employee/€10M revenue threshold should be lowered for specific high-risk sectors (cloud, health IT)
- Supply chain: Whether supply chain provisions should be strengthened beyond Art.21(2)(d) in light of XZ-utils and similar incidents
- Penalties: Whether €10M ceilings are sufficient given actual enforcement costs in cross-border incidents
Planning implication: If you are building compliance infrastructure now, design for NIS2 extensibility. The 2027 review will almost certainly expand scope or tighten obligations. Compliance systems built as minimum-viable frameworks will need rework. Build for the trajectory, not the floor.
5. Article 48 — Entry into Force + Article 49 — Addressees
Article 48 confirms entry into force: NIS2 entered into force on the twentieth day after its publication in the Official Journal (27 December 2022 + 20 days = 16 January 2023).
Article 49 confirms the directive is addressed to member states — the standard formulation for EU directives. The directive does not directly bind companies; it binds member states to transpose it into national law, which then binds companies.
This means: NIS2 itself cannot be enforced against you. What can be enforced is your member state's national implementation law. If your NCA brings enforcement action, they cite the national law (BSIG, ANSSI rules, etc.), not "NIS2 Article 35".
Practical implication for legal documentation:
When drafting compliance documentation, reference both:
- The national implementation law (primary binding authority)
- NIS2 (as the EU framework the national law implements)
Example: "In accordance with §XX of the BSI-Gesetz 2024, implementing Article 21 of Directive 2022/2555 (NIS2), the organisation maintains..."
6. The Complete NIS2 Developer Compliance Calendar
NIS2 Developer Compliance Timeline
2024-10-18 ▶ APPLICATION DATE: All NIS2 obligations active
□ Entity classification complete (essential/important/out-of-scope)
□ NCA registration complete (Art.3)
□ Art.21 security measures implemented
□ Art.23 incident reporting procedure established
□ Management briefed + signed off (Art.32(6))
2025-Q1 ▶ FIRST SUPERVISION CYCLE begins in most member states
□ NCA registration confirmed
□ Security policy documentation audit-ready
□ Art.21(2)(d) supply chain security assessed
2025-Q4 ▶ FIRST NCA AUDITS expected (proactive supervision, essential entities)
□ Penetration test records available
□ Incident log for 12 months maintained
□ SBOM or equivalent supply chain documentation prepared
2026-H1 ▶ FIRST ENFORCEMENT ACTIONS expected (NCAs post-investigations)
□ Legal review: national law penalty exposure
□ Management liability insurance reviewed
2026-H2 ▶ ENISA peer review cycle begins (Art.39)
□ NCA supervisory capacity may improve/change post-peer-review
2027-10-17 ▶ EU COMMISSION REVIEW deadline
□ Monitor Commission review findings (scope/penalty changes incoming)
□ Assess AI Act Art.9-11 overlap with any expanded NIS2 Art.21
2028 ▶ POTENTIAL NIS2 AMENDMENT or NIS3 proposal
□ Compliance infrastructure must be extensible
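As an added example that is not part of the original post, the calendar above encoded as data, with a parser for its period labels (exact date, quarter, half-year, whole year) and a function that buckets each milestone relative to a reference date and entity classification. The checklist wording is abbreviated, and the 180-day look-ahead horizon is an assumption.

```python
from datetime import date, timedelta

# Added example (not the post's code): the calendar above as data.
# Entry: (period label, milestone, entity types it applies to, abbreviated checklist items).
CALENDAR = [
    ("2024-10-18", "Application date: all NIS2 obligations active", {"essential", "important"},
     ["classification", "NCA registration (Art.3)", "Art.21 measures", "Art.23 procedure", "Art.32(6) sign-off"]),
    ("2025-Q1", "First supervision cycle begins", {"essential", "important"},
     ["registration confirmed", "policies audit-ready", "Art.21(2)(d) supply chain assessed"]),
    ("2025-Q4", "First NCA audits (proactive supervision)", {"essential"},
     ["pentest records", "12-month incident log", "SBOM or equivalent"]),
    ("2026-H1", "First enforcement actions expected", {"essential", "important"},
     ["penalty exposure review", "management liability insurance"]),
    ("2026-H2", "ENISA peer review cycle begins (Art.39)", {"essential", "important"}, ["track NCA changes"]),
    ("2027-10-17", "EU Commission review deadline (Art.47)", {"essential", "important"},
     ["monitor review findings", "AI Act Art.9-11 overlap"]),
    ("2028", "Potential NIS2 amendment or NIS3 proposal", {"essential", "important"}, ["keep framework extensible"]),
]

def period_window(label: str) -> tuple[date, date]:
    """Parse '2024-10-18', '2025-Q1', '2026-H2' or '2028' into an inclusive (start, end) window."""
    parts = label.split("-")
    year = int(parts[0])
    if len(parts) == 3:                                  # exact date
        day = date(year, int(parts[1]), int(parts[2]))
        return day, day
    if len(parts) == 1:                                  # whole year
        return date(year, 1, 1), date(year, 12, 31)
    kind, n = parts[1][0].upper(), int(parts[1][1:])     # Qn (3 months) or Hn (6 months)
    span = {"Q": 3, "H": 6}[kind]
    start_month = (n - 1) * span + 1
    start = date(year, start_month, 1)
    next_start = date(year + 1, 1, 1) if start_month + span > 12 else date(year, start_month + span, 1)
    return start, next_start - timedelta(days=1)

def checkpoint_status(as_of: date, entity_type: str, horizon_days: int = 180) -> dict[str, list[str]]:
    """Bucket each milestone relative to as_of: 'past' (evidence must already exist),
    'open' (window contains as_of), 'upcoming' (starts within horizon_days) or 'later'."""
    report: dict[str, list[str]] = {"past": [], "open": [], "upcoming": [], "later": []}
    for label, milestone, applies_to, items in CALENDAR:
        if entity_type not in applies_to:                # e.g. proactive audits: essential entities only
            continue
        start, end = period_window(label)
        bucket = ("past" if end < as_of else "open" if start <= as_of
                  else "upcoming" if (start - as_of).days <= horizon_days else "later")
        report[bucket].append(f"{label}: {milestone} [{', '.join(items)}]")
    return report
```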
7. NIS2 Is Complete: What the Full Series Taught Us
With this post, the NIS2 series covering Articles 21–49 is complete. The 30+ posts in this series have mapped every enforcement mechanism, security obligation, supervisory procedure, and cooperation structure in the directive.
The consistent lesson across all 44 articles: NIS2 is a liability framework masquerading as a security framework. Its teeth are in management accountability (Art.32(6)), its reach is in supply chain provisions (Art.21(2)(d)), and its long-term impact will be driven by NCA enforcement capacity and the 2027 review.
For developers: the technical controls in Art.21 are achievable by any team with a mature security practice. The paperwork — documented policies, incident logs, risk assessments — is where most teams will fail their first NCA audit.
Build the documentation as you build the controls. The NCA auditor will ask for both.
See Also
- NIS2 Chapter VII: International Cooperation and ENISA Support — the voluntary notification, ISAC, and international cooperation articles preceding the final provisions
- NIS2 Art.35–36: Essential and Important Entity Sanctions — the penalty framework activated once transposition was complete
- NIS2 Art.32(6) Management Liability — the personal liability provisions developers must explain to management
- NIS2 Art.21 Risk Management Measures — the core technical obligations that apply from October 2024