
Bulgaria's NIS2 grace period ended on 1 June 2026 — board members now face full personal fines, not the discounted 50% rate that applied through May. Luxembourg's NIS2 Directive transposition law entered into force on 10 May 2026, leaving four member states still without implementing legislation. The EU's NIS Cooperation Group adopted common incident-reporting templates that the Commission intends to make mandatory through an implementing act.
This article covers every material NIS2 update from May 2026: what changed, which deadlines are live, and what your team needs to act on now.
Key takeaways
These NIS2 updates from May 2026 carry concrete compliance triggers: specific dates and specific obligations. Here is what changed.
- Bulgaria's full sanctions regime is active. From 1 June 2026, personal fines for management body members apply at 100% of statutory amounts — up to €5,000 per individual, separate from entity-level fines of up to €10 million. The 50% transitional discount is gone.
- Luxembourg's NIS2 law entered into force on 10 May 2026. In-scope entities have until 10 July 2026 to self-register with the ILR. Non-registration is itself a sanctionable breach.
- Four EU member states have still not transposed NIS2 — more than 19 months after the October 2024 deadline, according to Cullen International's May 2026 tracker.
- Common incident-reporting templates were adopted EU-wide. The NIS Cooperation Group agreed on standardised formats at its 39th plenary in Cyprus on 26 May 2026. A Commission implementing act will make them mandatory.
- ENISA's NIS360 2026 report identifies eight risk-zone sectors. Health, railway, maritime, ICT service management, space, public administration, drinking water, and wastewater show the lowest cybersecurity maturity relative to their criticality.
- The Netherlands advanced its delayed Cyberbeveiligingswet. The Dutch House of Representatives approved the bill on 15 April 2026; Senate approval remains pending.
- Ireland confirmed the National Cyber Security Bill as its NIS2 vehicle. The Department of Justice is drafting the legislation and placing the NCSC on a statutory footing.
- DigitalEurope called for deeper NIS2 harmonisation. The industry body published a formal position identifying scope, size thresholds, incident reporting, and conformity assessment as the areas most in need of standardisation across member states.
Bulgaria's full enforcement phase began 1 June 2026

Bulgaria's NIS2 enforcement entered its final phase on 1 June 2026. Fines and sanctions for all infringements now apply at their full statutory amounts — the 50% reduction that applied to violations committed before that date is gone.
The underlying legislation is the Law Amending and Supplementing the Cybersecurity Act, adopted by the 51st National Assembly on 5 February 2026 and promulgated in the State Gazette (issue 17) on 13 February 2026, entering into force on the same date.
Who is in scope
The Cybersecurity Act covers public and private entities in Annex I and Annex II sectors that meet or exceed medium-enterprise thresholds. Certain providers are in scope regardless of size: public electronic communications networks, trust service providers, top-level domain registries, DNS service providers, and entities that are the sole provider of a critical service in Bulgaria or whose disruption would significantly affect public order, public safety or health, or the economy.
Administrative bodies (including municipalities) are classified as essential entities under Article 4a(1)(4), regardless of size.
Full enforcement without a complete rulebook
One practical complication remains. The law explicitly delegates the definition of minimum cybersecurity measures for certain entity categories to a secondary ordinance of the Council of Ministers, to be proposed jointly by the Communications Regulation Commission and the Minister of e-Governance. That ordinance has not yet been published. Organizations entered the full enforcement phase without the complete operational rulebook the law itself anticipated.
That does not suspend the obligations. The primary law is in force and the sanctions are real. Gap analysis against the existing NIS2 framework is both possible and advisable now, before supervisory pressure builds. ISO/IEC 27001 and ISO 22301 provide a workable baseline alongside the Cybersecurity Act's requirements.
What management bodies must now demonstrate
Bulgaria's Cybersecurity Act places explicit personal accountability on individual members of management bodies, not just on the organization as a legal entity. Management bodies must:
- Formally approve the cybersecurity risk-management measures required under Article 21
- Oversee implementation of those measures
- Complete cybersecurity training at least every two years
- Organize equivalent training for employees on a regular basis
The measures that boards must approve cover risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, cyber hygiene practices, and multi-factor authentication where appropriate.
The personal fine structure
Where a management body member of an essential or important entity breaches these governance obligations, a personal fine of €500 to €5,000 may be imposed. This is separate from entity-level sanctions and stacks on top of them: up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities.
The competent national authority can also request a court to impose a temporary prohibition on a natural person from exercising management functions in an essential entity.
The practical implication: a board member cannot delegate their way out of liability. Whether a fine is imposed, and how severe, will depend on the individual's ability to show tangible actions — board resolutions, adopted policies, audit protocols, assigned responsibilities, completed training, and documented corrective measures.
EU-wide: Common incident-reporting templates adopted

On 26 May 2026, the NIS Cooperation Group adopted common templates for NIS2 incident reporting at its 39th plenary meeting in Cyprus. The Group brings together EU member states, the European Commission, and ENISA.
The templates provide a standardised format for reporting cyber incidents across the EU. Until now, the absence of a common format meant that organizations operating in multiple member states had to navigate different national reporting forms, field sets, and submission portals — a significant administrative burden for any cross-border operation.
The Commission has stated it plans to adopt these templates through an implementing act, which would make them mandatory for all member states. Once that act is in force, the templates will establish a unified incident-reporting framework across the EU.
This development also connects to the broader Digital Omnibus proposal, which includes a single-entry point for incident reporting. The common templates are designed to align with that future architecture.
What this means for your incident response process: If your team has built notification workflows around a specific member state's current form, expect to update those workflows once the implementing act is published. The core NIS2 timeline obligations under Article 23 (24-hour early warning, 72-hour incident notification, one-month final report) do not change. The format for submitting them does.
ENISA NIS360 2026: Eight sectors still in the risk zone

ENISA published the third edition of its NIS360 report on 28 May 2026. The report assesses cybersecurity maturity and criticality across all sectors of high criticality listed under Annex I of NIS2.
The 2026 assessment covers the full ecosystem of each sector (national authorities, regulated entities, and applicable EU legislation) rather than individual organizations. It identifies sectors where maturity has improved and sectors where the gap between criticality and actual security posture remains wide.
Eight sectors are identified as risk zones: health, railway, maritime, ICT service management, space, public administration, drinking water, and wastewater. These are sectors where the consequences of a successful attack are severe, but where the security baseline across the sector remains below what the threat level demands.
For IT and security leaders in these sectors, the NIS360 assessment is a useful benchmark. If your sector appears in the risk-zone list, expect heightened supervisory attention from national competent authorities — not because the report triggers enforcement directly, but because regulators use sector-level maturity data to prioritize their audit and inspection calendars.
Luxembourg: NIS2 law in force, registration deadline is 10 July 2026

Luxembourg published its NIS2 transposition law on 6 May 2026 in the Journal officiel du Grand-Duché de Luxembourg. The law entered into force on 10 May 2026, replacing the NIS1 law of 28 May 2019.
Who is in scope
NIS2 applies in Luxembourg to organizations with 50 or more employees or annual turnover exceeding €10 million, operating in one of 18 critical sectors. Size thresholds are assessed at consolidated group level: a subsidiary with 40 employees may still be in scope if the parent group exceeds the thresholds.
The two-tier structure
Essential entities — large organizations in Annex I sectors with more than 250 employees and either €50 million in turnover or a €43 million balance sheet total — face proactive supervision and sanctions of up to €10 million or 2% of global turnover. Important entities — medium-sized Annex I organizations and all qualifying Annex II entities — face reactive supervision and sanctions of up to €7 million or 1.4% of global turnover.
Both tiers must implement the same ten categories of measures under Article 12: risk analysis, incident handling, business continuity, supply chain security, secure development, effectiveness assessment, cyber hygiene, cryptography, access control, and multi-factor authentication.
Incident reporting timelines
Luxembourg follows the NIS2 Article 23 structure exactly: 24-hour early warning, 72-hour formal notification, one-month final report. Missing any deadline is itself a sanctionable breach.
The 10 July 2026 self-registration deadline
Entities have until 10 July 2026 to self-register with their competent authority. The ILR (Institut Luxembourgeois de Régulation) acts as the competent authority for most sectors; the CSSF oversees banking and financial market infrastructure. Non-registration is a sanctionable breach under Article 11.
Management bodies must formally approve cybersecurity measures, supervise their implementation, and undergo regular training. For essential entities, senior managers can face a temporary ban from exercising management functions for serious failures.
Netherlands: Cyberbeveiligingswet reaches Senate plenary stage

The Dutch House of Representatives approved the Cyberbeveiligingswet (the Netherlands' NIS2 transposition law) on 15 April 2026 by 140 votes to 10. The bill has now advanced to the Senate plenary stage.
Where the bill stands
The Tweede Kamer passed the bill with broad cross-party support; only two parties voted against. The Senate committees responsible for digitalisation and justice completed their written review on 19 May 2026. The bill has since moved to the Senate plenary stage, where it awaits a final vote.
The bill is being processed in parallel with separate legislation transposing the EU's CER Directive on the resilience of critical entities.
Background
The Netherlands submitted the bill to parliament on 2 June 2025, missing the EU transposition deadline of 17 October 2024 by over a year. The bill spent nearly ten months in lower house procedure before passing.
Key provisions
Rather than creating a single national cybersecurity authority, the law assigns enforcement to existing sector-specific regulators — the energy regulator for energy companies, the healthcare regulator for hospitals, and so on. The exact date the law enters into force will be set by government decree after Senate approval, and different provisions may take effect on different dates.
What comes next
Senate approval is the last legislative step. Once the vote passes and the government sets an entry-into-force date, organizations in scope will face immediate compliance obligations — risk management measures, incident reporting, and management accountability requirements.
Ireland: National Cyber Security Bill confirmed as NIS2 vehicle

In a written parliamentary answer to Dáil Éireann (the lower house of the Irish parliament) on 13 May 2026, Ireland's Minister for Justice, Home Affairs and Migration confirmed that the Department of Justice is drafting the National Cyber Security Bill as the legislative vehicle for NIS2 transposition.
The Bill is listed as a priority for publication in the Summer 2026 legislation programme. It will appoint the National Cyber Security Centre (NCSC) as the national competent authority and as Ireland's Computer Security Incident Response Team (CSIRT). It will also place the NCSC on a statutory footing for the first time — the centre currently operates without a dedicated legislative basis.
Ireland missed the EU transposition deadline of 17 October 2024. A Cabinet decision in July 2024 directed priority drafting of the legislation, and work has been progressing since. The draft Bill has not yet been published, but the government released the General Scheme of the National Cyber Security Bill in September 2024, setting out its intended structure.
Management liability
Under NIS2 Article 20, as reflected in Head 28 of the General Scheme, management boards will be required to approve and oversee cybersecurity risk management measures, attend regular cybersecurity training, and may face personal liability for compliance failures — including temporary bans and administrative fines. The General Scheme defines "management board" as "a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity."
Sectoral regulators already active
Sectoral regulators have already been designated as National Competent Authorities and are preparing to take on supervision and enforcement functions. The NIS2 registration and incident reporting portals are not yet live — they will open once the legislation is enacted — but the NCSC has published draft Risk Management Measures guidance and the Cyber Fundamentals (CyFun) framework to help organizations prepare in the interim.
The Bill is also being developed alongside Ireland's third National Cyber Security Strategy, coordinated through an Inter-Departmental Committee chaired by the Department of Justice.
For organizations with Irish operations, the absence of enacted legislation does not remove the obligation to prepare. Sectoral NCAs are already active, and the Bill's enactment is described as a government priority.
DigitalEurope: NIS2 still needs deeper harmonisation

On 13 May 2026, DigitalEurope published a formal policy position on the EU cybersecurity package, covering the proposed Cybersecurity Act 2 (CSA2), the ICT supply chain security framework, and targeted NIS2 amendments.
On NIS2 specifically, DigitalEurope's position is direct: the targeted amendments proposed in the current package respond "minimally" to the concerns industry has raised over several years. The areas requiring more rigorous harmonisation are:
- Scope: NIS2 should focus on core business activities only, excluding ancillary operations that create disproportionate obligations.
- Size thresholds: National divergence in how thresholds are applied creates inconsistent coverage across member states.
- Incident reporting: Reporting fields, timelines, and submission processes still vary at national level — a problem the common templates (see above) partially address.
- Main establishment rules: Organizations operating across multiple member states face uncertainty about which national authority has primary jurisdiction.
- Conformity assessment: Requirements differ by member state, creating compliance complexity for cross-border operations.
DigitalEurope also called for ENISA to conduct impact assessments for all relevant EU cybersecurity legislation and to coordinate implementation more actively — positioning the agency as a coordination hub rather than a purely advisory body.
For compliance officers tracking the regulatory trajectory: the harmonisation gaps DigitalEurope identifies are real operational friction points. The common incident-reporting templates adopted on 26 May are a step toward closing one of them. The others will require either the implementing acts or the NIS2 amendment process to resolve.
What this means for your team right now

The May 2026 developments follow a pattern that has been consistent since enforcement began: the directive's text is stable, but the national implementation layer keeps moving. Bulgaria's full sanctions phase, Luxembourg's live registration deadline, and the pending Senate vote in the Netherlands all represent concrete compliance triggers, each with a specific date now attached.
The common incident-reporting templates are the most operationally significant EU-wide development of the period. Once the Commission implementing act is published, every organization's incident notification workflow will need to be updated to match the standardised format. Build that update into your incident response planning now, before an actual incident forces you to do it under pressure.
The ENISA NIS360 risk-zone list is worth taking seriously if your organization operates in health, public administration, or any of the other flagged sectors. Supervisory attention follows maturity gaps — and ENISA's assessment feeds directly into how national competent authorities prioritize their audit calendars.
Frequently asked questions

What happened with NIS2 in May 2026?
May 2026 saw four significant NIS2 developments: Luxembourg's transposition law entered into force on 10 May; the NIS Cooperation Group adopted common incident-reporting templates on 26 May; ENISA published the NIS360 2026 sector maturity assessment on 28 May; and the Netherlands advanced its Cyberbeveiligingswet through the House of Representatives. Bulgaria's full sanctions phase began on 1 June 2026, directly following the May period.
What is the Luxembourg NIS2 self-registration deadline?
Luxembourg's NIS2 transposition law, which entered into force on 10 May 2026, requires all in-scope entities to self-register with their competent authority by 10 July 2026. The ILR (Institut Luxembourgeois de Régulation) is the primary competent authority. Non-registration is a sanctionable breach under Article 11 of the transposition law.
What are the new NIS2 incident-reporting templates?
On 26 May 2026, the NIS Cooperation Group adopted common templates for NIS2 incident reporting at its 39th plenary meeting in Cyprus. The templates provide a standardised format for reporting cyber incidents across all EU member states. The European Commission plans to make them mandatory through an implementing act. The underlying NIS2 Article 23 timelines — 24-hour early warning, 72-hour notification, one-month final report — remain unchanged.
Which sectors does ENISA's NIS360 2026 identify as highest risk?
ENISA's NIS360 2026 report, published 28 May 2026, identifies eight sectors as risk zones where cybersecurity maturity remains low relative to criticality: health, railway, maritime, ICT service management, space, public administration, drinking water, and wastewater. These are all Annex I sectors under NIS2 and are subject to proactive supervision as essential entities.
What are the personal liability rules for managers under Bulgaria's NIS2?
Under Bulgaria's amended Cybersecurity Act, members of the management body of essential and important entities face personal fines of €500 to €5,000 for breaching their governance obligations — separate from entity-level fines. From 1 June 2026, these fines apply at full statutory amounts; the 50% transitional discount that applied to pre-June violations no longer exists. The competent authority can also seek a court-ordered temporary ban on a manager from exercising management functions.
How many EU member states have transposed NIS2?
As of late May 2026, 23 of 27 EU member states have transposed NIS2 into national law, according to Cullen International's May 2026 tracker. Luxembourg's transposition entered into force on 10 May 2026, bringing the total to 23. Four member states remain in the legislative process, more than 19 months after the October 2024 transposition deadline.
What is the Netherlands' Cyberbeveiligingswet?
The Cyberbeveiligingswet is the Netherlands' national legislation implementing NIS2. The Dutch House of Representatives approved the bill in 2026 after the Netherlands missed the original EU transposition deadline of October 2024. The bill still requires Senate approval before it can enter into force. The Netherlands' model uses a decentralised supervisory structure, with sector-specific regulators handling enforcement.





