The EU’s NIS2 Directive has entered a new—and far more urgent—phase. In late 2024, most EU Member States missed the original transposition deadline of 17 October 2024, creating uncertainty about when the regulation would truly begin to bite.
Fast forward to 2026, and the picture looks dramatically different: more countries have now transposed NIS2 into national law, the European Commission has escalated enforcement actions, and it’s increasingly clear that NIS2 penalties for noncompliance will become a reality across the EU.
For organisations operating within the Union—or serving EU-based customers—the message is simple: NIS2 enforcement is here, and the window for preparation is closing quickly.
To dive deeper into the specifics, controls, and checklists, we strongly recommend downloading our full NIS2 Primer.
NIS2 transposition accelerates across the EU
Back in 2024, many Member States were still drafting legislation and conducting consultations. But by early 2026, transposition efforts had significantly accelerated.
According to the latest update from the European Cyber Security Organisation (ECSO)*, 21 out of 27 EU Member States have now transposed NIS2 into national law as of March 2026. Some recent developments include:
- Germany, which completed its NIS2 implementation law in December 2025
- Austria published its NISG 2026 Act, which comes into force in October 2026
- Portugal’s final draft enters into force in April 2026
- Sweden adopted its Cyber Security Act and Ordinance effective January 2026
Meanwhile, other countries—including France, Ireland, Luxembourg, Poland, and Spain—are in the final stages of adoption.
The result? If your country passed NIS2 late, it will likely enforce it early. Organisations should anticipate compliance scrutiny sooner rather than later.
EU enforcement pressure is increasing—fast
The EU has made it abundantly clear that delayed transposition of NIS2 into national law in Member States will not be tolerated. Enforcement news from late 2024 through 2025 illustrates rising pressure:
- In November 2024, the European Commission issued letters of formal notice to 23 Member States – the first step in following up non-compliance.
- In May 2025, the Commission escalated proceedings by issuing ‘reasoned opinions’ to 19 countries still failing to notify full transposition.
A reasoned opinion is not symbolic. It is the last step before the Commission refers a Member State to the Court of Justice of the European Union (CJEU), where financial penalties can be imposed.
What this means for companies: expect more local enforcement and audits
As more Member States finalise national laws, authorities will begin:
- Requiring entity registration
- Issuing sector-specific guidance
- Performing audits
- Demanding evidence of compliance
- Levying fines for serious failures
NIS2 fines are significantly higher than those imposed by the original NIS regulation:
- Essential Entities – Up to €10 million or 2% of global annual revenue.
- Important Entities – Up to €7 million or 1.4% of global annual revenue.
Now that national laws are in place, NIS2 penalties for non-compliance will be applied through each Member State’s regulatory authority.
In other words, the most important NIS2 enforcement news in 2026 is that NIS2 enforcement is shifting from Brussels to your country’s regulator. If your organisation is classified as essential or important, your compliance obligations are no longer optional.
NIS2 requirements: a quick refresher
We have plenty of resources that explain the details of the NIS2 regulation, including our previous blog, our NIS2 Primer, and a 7-step compliance checklist. But here is a concise update on what matters most in 2026.
NIS2 requires organisations to implement 10 mandatory cybersecurity risk management measures, including:
- Security policies and risk analysis
- Incident handling
- Business continuity and backup management
- Encryption and cryptography
- Access control and identity management
- Supply chain security
- Secure system development and vulnerability management
- Multifactor authentication
Beyond technical measures, NIS2 places heavy emphasis on:
- Management accountability: Executives and board members can be held liable for gross negligence.
- Mandatory incident reporting: Including a 24-hour early warning requirement.
- Demonstrable resilience: Organisations must prove they can restore operations quickly after an attack.
This last requirement is where backup strategy—and particularly immutable backup storage—becomes critical.
Why backup strategy is central to NIS2 compliance
NIS2 does not explicitly use the word immutability, but its requirements around business continuity, recovery capability, secure data handling, and incident response make immutable backups a practical necessity.
Backup systems are usually one of the first targets in modern cyberattacks—particularly ransomware—because if attackers can destroy backups, organisations have little choice but to pay.
NIS2’s expectations around recovery include:
- Having clear backup and restore policies
- Ensuring backups are protected from compromise
- Testing recovery scenarios
- Ensuring continuity even during large-scale incidents
If you cannot guarantee the recoverability of your data under attack conditions, you cannot meet NIS2’s requirements for resilience. Immutable backups are a sure way to ensure recoverability.
Absolute Immutability
Care should be taken in considering backup solutions with vendor claims of ‘immutability’. In many cases, hidden exceptions and loopholes can compromise data security and, therefore, recoverability. In seeking to meet in-house and regulatory recovery goals, organisations should ensure that their backup solution protects data with Absolute Immutability.
This means that even the most privileged admin or attacker with access to backup storage cannot modify or delete data. This can only be achieved using a backup storage system that is “secure-by-design” with Zero Access to destructive actions, and this Zero Access must be verifiable with third-party testing.
Preparing for NIS2 enforcement
Here is a practical, high-level checklist for organisations operating in the EU or serving EU customers:
- Determine whether your organisation is “essential” or “important”: This classification dictates your compliance obligations and potential fines.
- Review your Member State’s national NIS2 law: Requirements may vary slightly by country—especially reporting timelines and sector-specific rules.
- Assess your cybersecurity program against the 10 NIS2 controls: Pay particular attention to incident handling, continuity, and supply chain risks.
- Evaluate your backup and recovery systems: If backups are mutable, network-connected, or allow access to destructive actions, you may already be noncompliant in practice.
- Implement absolutely immutable backup storage: This is one of the most impactful ways to strengthen NIS2 resilience quickly.
- Conduct recovery testing: Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) will be critical in audits.
- Document everything: Auditors will expect proof of policies, procedures, and testing.
- Download the NIS2 Primer for deeper guidance: Our guide covers requirements, entity classification, and practical steps in detail.
The most urgent and impactful step organisations can take to ensure compliance―and their ability to recover from a cyber attack―is to ensure that their backup infrastructure is resilient through Absolute Immutability, and ready for recovery at any moment.
How Object First supports NIS2 compliance
Object First backup target appliances are designed specifically to give Veeam customers a secure, simple, and powerful way to ransomware-proof their backups.
By deploying Veeam with Object First, organisations can meet—and exceed—the data resilience expectations of regulations such as NIS2.
- Absolutely immutable backup storage: Even privileged users cannot delete or alter data.
- Zero Trust architecture: Backup software is isolated from backup storage by design.
- Ransomware-proof storage: Built-in segmentation and S3 Object Lock in compliance mode.
- No security expertise required: Easy deployment without complex configuration.
- Support for rapid recovery (Instant Recovery at scale): Critical for meeting NIS2’s recovery expectations.
- Third-party tested and verified: Independent validation of immutability and security design.
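To make the distinction between claimed and verifiable immutability concrete (this is an added illustration, not code from Object First or from the original post), the Python below evaluates an S3 Object Lock configuration in the JSON shape returned by the GetObjectLockConfiguration API against the criteria the post names in the "Evaluate your backup and recovery systems" step and in the "S3 Object Lock in compliance mode" bullet. The sample configurations are constructed here, and the minimum retention period is an assumed policy parameter. In COMPLIANCE mode no principal, including the account root user, can shorten the retention period or delete a protected object version before it expires; in GOVERNANCE mode a principal holding the s3:BypassGovernanceRetention permission can, which is exactly the kind of privileged-access loophole the post warns about.

```python
"""Offline check of an S3 Object Lock configuration for backup immutability.

The dicts below mirror the response shape of GetObjectLockConfiguration but
are hand-written (constructed) so the check runs without any cloud account.
"""
from dataclasses import dataclass, field


@dataclass
class LockAssessment:
    immutable: bool                 # True only if no principal can shorten or remove the lock
    findings: list = field(default_factory=list)


def assess_object_lock(lock_cfg: dict, min_retention_days: int) -> LockAssessment:
    """Return whether objects written to the bucket are protected from
    deletion and modification for at least min_retention_days, by anyone."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration") or {}

    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: backup objects can be "
                        "overwritten or deleted by any principal with write access.")
        return LockAssessment(False, findings)

    rule = (cfg.get("Rule") or {}).get("DefaultRetention")
    if not rule:
        findings.append("No default retention rule: objects are only locked if the "
                        "writer sets retention explicitly, so a misconfigured or "
                        "compromised backup job can write mutable data.")
        return LockAssessment(False, findings)

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        findings.append("Retention mode is GOVERNANCE: a principal with "
                        "s3:BypassGovernanceRetention can shorten or remove the lock.")
    elif mode != "COMPLIANCE":
        findings.append(f"Unrecognised retention mode {mode!r}.")

    # Retention is expressed as either Days or Years; normalise to days.
    days = rule.get("Days") or rule.get("Years", 0) * 365
    if days < min_retention_days:
        findings.append(f"Default retention of {days} days is shorter than the "
                        f"required {min_retention_days} days.")

    immutable = mode == "COMPLIANCE" and days >= min_retention_days
    return LockAssessment(immutable, findings)


# Constructed sample configurations (not real buckets).
UNLOCKED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Disabled"}}

# Weak: locked, but in a mode a privileged user can bypass, and only for a week.
WEAK_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}

# Strong: compliance mode, so retention cannot be shortened by any principal.
STRONG_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

REQUIRED_RETENTION_DAYS = 30   # assumed organisational policy, not from the post

if __name__ == "__main__":
    for name, cfg in [("unlocked", UNLOCKED), ("weak", WEAK_LOCK), ("strong", STRONG_LOCK)]:
        result = assess_object_lock(cfg, REQUIRED_RETENTION_DAYS)
        print(f"{name}: immutable={result.immutable}")
        for f in result.findings:
            print(f"  - {f}")
```

Run against a live bucket, the same function would take the dict returned by the GetObjectLockConfiguration call; the point of keeping the assessment separate from the API call is that the evidence an auditor asks for (mode, retention, and the reasoning behind a pass or fail) can be produced and re-run independently of the backup software itself.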
Book a demo and learn how to make your backups ransomware-proof―and make NIS2 compliance more easily achievable.